From ffb2678d69dede329fb5d97798a90b9c334b98fc Mon Sep 17 00:00:00 2001
From: Junmin Ahn
Date: Tue, 18 Jan 2022 15:19:38 -0800
Subject: [PATCH 1/3] chore: organize keycloak helm chart
---
 helm/keycloak/Chart.yaml | 2 +-
 helm/keycloak/README.md | 3 ++
 helm/keycloak/templates/NOTES.txt | 2 +-
 helm/keycloak/templates/_helpers.tpl | 32 ++++++++++++++-----
 helm/keycloak/templates/deployment.yaml | 27 +++++-----------
 .../network-policies/intra-project-comms.yaml | 9 +++---
 helm/keycloak/templates/pvc-logs.yaml | 3 +-
 helm/keycloak/templates/route.yaml | 11 ++-----
 helm/keycloak/templates/secret.yaml | 17 +++-------
 helm/keycloak/templates/service-app.yaml | 13 ++------
 helm/keycloak/templates/service-ping.yaml | 13 ++------
 11 files changed, 56 insertions(+), 76 deletions(-)
diff --git a/helm/keycloak/Chart.yaml b/helm/keycloak/Chart.yaml
index 4c610249..999acf80 100644
--- a/helm/keycloak/Chart.yaml
+++ b/helm/keycloak/Chart.yaml
@@ -1,5 +1,5 @@
 apiVersion: v1
 name: sso-keycloak
-version: 0.1.7
+version: 0.1.8
 appVersion: 0.1.0
 description: Open Source Identity and Access Management For Modern Applications and Services
diff --git a/helm/keycloak/README.md b/helm/keycloak/README.md
index 6a62fe3d..d5fd9238 100644
--- a/helm/keycloak/README.md
+++ b/helm/keycloak/README.md
@@ -72,3 +72,6 @@ The following table lists the configurable parameters of the Keycloak chart and
 - The helm chart installs two `Secret` k8s objects:
 1. `-admin-secret`: it stores the Keycloak admin password.
 1. `-jgroups`: it stores the Keycloak cluster jgroups password.
+
+- k8s resource object label conventions
+ 1. see https://kubernetes.io/docs/concepts/overview/working-with-objects/common-labels/#labels
diff --git a/helm/keycloak/templates/NOTES.txt b/helm/keycloak/templates/NOTES.txt
index 2a32146d..1e1a64cb 100644
--- a/helm/keycloak/templates/NOTES.txt
+++ b/helm/keycloak/templates/NOTES.txt
@@ -1,4 +1,4 @@ To get your password for admin run: # admin password - ADMIN_PASSWORD=$(kubectl get secret --namespace {{ .Release.Namespace }} {{ include "..fullname" . }}-admin-secret -o jsonpath="{.data.password-admin}" | base64 --decode) + ADMIN_PASSWORD=$(kubectl get secret --namespace {{ .Release.Namespace }} {{ include "sso-keycloak.fullname" . }}-admin-secret -o jsonpath="{.data.password-admin}" | base64 --decode) diff --git a/helm/keycloak/templates/_helpers.tpl b/helm/keycloak/templates/_helpers.tpl index 55851fdb..e9a7349a 100644 --- a/helm/keycloak/templates/_helpers.tpl +++ b/helm/keycloak/templates/_helpers.tpl @@ -3,14 +3,14 @@ {{/* Expand the name of the project. */}} -{{- define "..project" -}} +{{- define "sso-keycloak.project" -}} {{- default .Chart.Name .Values.project | trunc 63 | trimSuffix "-" -}} {{- end -}} {{/* Expand the name of the chart. */}} -{{- define "..name" -}} +{{- define "sso-keycloak.name" -}} {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} {{- end -}} @@ -19,7 +19,7 @@ Create a default fully qualified app name. We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). If release name contains chart name it will be used as a full name. */}} -{{- define "..fullname" -}} +{{- define "sso-keycloak.fullname" -}} {{- if .Values.fullnameOverride -}} {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} {{- else -}} 
@@ -35,12 +35,28 @@ If release name contains chart name it will be used as a full name.
 {{/*
 Create chart name and version as used by the chart label.
 */}}
-{{- define "..chart" -}}
+{{- define "sso-keycloak.chart" -}}
 {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
+
 {{/*
-Create data url
+Common labels
 */}}
-{{- define "..databaseurl" -}}
-{{- printf "host=%s port=%s dbname=%s user=%s password=%s sslmode=require" .Values.postgresql.host .Values.postgresql.port .Values.postgresql.database .Values.postgresql.username .Values.postgresql.password -}}
-{{- end -}}
+{{- define "sso-keycloak.labels" -}}
+project: {{ include "sso-keycloak.project" . }}
+release: {{ .Release.Name }}
+helm.sh/chart: {{ include "sso-keycloak.chart" . }}
+{{ include "sso-keycloak.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "sso-keycloak.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "sso-keycloak.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
diff --git a/helm/keycloak/templates/deployment.yaml b/helm/keycloak/templates/deployment.yaml
index 986c7317..18496aa6 100644
--- a/helm/keycloak/templates/deployment.yaml
+++ b/helm/keycloak/templates/deployment.yaml
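Review bot: `sso-keycloak.labels` bundles the version-bearing `helm.sh/chart` and `app.kubernetes.io/version` labels with the identity labels, and its `Common labels` comment says nothing about where it may be used; the deployment.yaml hunk in this same patch consequently feeds it into `spec.selector.matchLabels`, which is immutable and would change on every chart bump. Replace the comment with `Common labels, for metadata.labels only. They include helm.sh/chart and app.kubernetes.io/version, which change on every chart release; anything that goes into a selector must use sso-keycloak.selectorLabels.` so the next template author does not repeat that. `release: {{ .Release.Name }}` duplicates `app.kubernetes.io/instance` and is worth dropping unless something outside the chart matches on it. The removed `..databaseurl` helper was the only place here that rendered `.Values.postgresql.password` into a string, so the `postgresql.*` values it consumed may now be dead; the templates in this series read `.Values.postgres.*` instead.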
@@ -1,26 +1,15 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
- name: {{ include "..fullname" . }}
- labels:
- app.kubernetes.io/name: {{ include "..name" . }}
- app.kubernetes.io/instance: {{ .Release.Name }}
- app.kubernetes.io/managed-by: {{ .Release.Service }}
- helm.sh/chart: {{ include "..chart" . }}
- project: {{ include "..project" . }}
+ name: {{ include "sso-keycloak.fullname" . }}
+ labels: {{ include "sso-keycloak.labels" . | nindent 4 }}
 spec:
 replicas: {{ .Values.replicaCount }}
 selector:
- matchLabels:
- app.kubernetes.io/name: {{ include "..name" . }}
- app.kubernetes.io/instance: {{ .Release.Name }}
- project: {{ include "..project" . }}
+ matchLabels: {{ include "sso-keycloak.labels" . | nindent 6 }}
 template:
 metadata:
- labels:
- app.kubernetes.io/name: {{ include "..name" . }}
- app.kubernetes.io/instance: {{ .Release.Name }}
- project: {{ include "..project" . }}
+ labels: {{ include "sso-keycloak.labels" . | nindent 8 }}
 spec:
 containers:
 - name: {{ .Chart.Name }}
@@ -104,7 +93,7 @@ spec:
 - name: SSO_ADMIN_PASSWORD
 valueFrom:
 secretKeyRef:
- name: {{ include "..fullname" . }}-admin-secret
+ name: {{ include "sso-keycloak.fullname" . }}-admin-secret
 key: password-admin
 # DB POOL SIZES
 - name: DB_MIN_POOL_SIZE
@@ -115,7 +104,7 @@ spec:
 - name: JGROUPS_CLUSTER_PASSWORD
 valueFrom:
 secretKeyRef:
- name: {{ include "..fullname" . }}-jgroups
+ name: {{ include "sso-keycloak.fullname" . }}-jgroups
 key: cluster-password
 # Additional server startup options (extension of JAVA_OPTS)
 - name: JAVA_OPTS_APPEND
@@ -124,7 +113,7 @@ spec:
 value: /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt
 {{- if .Values.pingService.enabled }}
 - name: OPENSHIFT_DNS_PING_SERVICE_NAME
- value: {{ include "..fullname" . }}-ping
+ value: {{ include "sso-keycloak.fullname" . }}-ping
 - name: OPENSHIFT_DNS_PING_SERVICE_PORT
 value: {{ .Values.pingService.port | quote }}
 {{- end }}
@@ -166,7 +155,7 @@ spec:
 {{- if .Values.persistentLog.enabled }}
 - name: logs-volume
 persistentVolumeClaim:
- claimName: {{ include "..fullname" . }}-logs
+ claimName: {{ include "sso-keycloak.fullname" . }}-logs
 {{- end }}
 {{- with .Values.imagePullSecrets }}
 imagePullSecrets:
diff --git a/helm/keycloak/templates/network-policies/intra-project-comms.yaml b/helm/keycloak/templates/network-policies/intra-project-comms.yaml
index da196d67..00d3d03a 100644
--- a/helm/keycloak/templates/network-policies/intra-project-comms.yaml
+++ b/helm/keycloak/templates/network-policies/intra-project-comms.yaml
@@ -2,16 +2,15 @@
 kind: NetworkPolicy
 apiVersion: networking.k8s.io/v1
 metadata:
- name: {{ include "..project" . }}-intra-project-comms
- labels:
- project: {{ include "..project" . }}
+ name: {{ include "sso-keycloak.project" . }}-intra-project-comms
+ labels: {{ include "sso-keycloak.labels" . | nindent 4 }}
 spec:
 podSelector:
 matchLabels:
- project: {{ include "..project" . }}
+ project: {{ include "sso-keycloak.project" . }}
 ingress:
 - from:
 - podSelector:
 matchLabels:
- project: {{ include "..project" . }}
+ project: {{ include "sso-keycloak.project" . }}
 {{- end }}
diff --git a/helm/keycloak/templates/pvc-logs.yaml b/helm/keycloak/templates/pvc-logs.yaml
index 7fa22dc3..7adb14ec 100644
--- a/helm/keycloak/templates/pvc-logs.yaml
+++ b/helm/keycloak/templates/pvc-logs.yaml
@@ -2,7 +2,8 @@
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
- name: {{ include "..fullname" . }}-logs
+ name: {{ include "sso-keycloak.fullname" . }}-logs
+ labels: {{ include "sso-keycloak.labels" . | nindent 4 }}
 annotations:
 volume.beta.kubernetes.io/storage-class: {{ .Values.persistentLog.storageClassName }}
 spec:
diff --git a/helm/keycloak/templates/route.yaml b/helm/keycloak/templates/route.yaml
index a4b007ef..b1da5072 100644
--- a/helm/keycloak/templates/route.yaml
+++ b/helm/keycloak/templates/route.yaml
@@ -1,13 +1,8 @@
 apiVersion: route.openshift.io/v1
 kind: Route
 metadata:
- name: {{ include "..fullname" . }}
- labels:
- app.kubernetes.io/name: {{ include "..name" . }}
- app.kubernetes.io/instance: {{ .Release.Name }}
- app.kubernetes.io/managed-by: {{ .Release.Service }}
- helm.sh/chart: {{ include "..chart" . }}
- project: {{ include "..project" . }}
+ name: {{ include "sso-keycloak.fullname" . }}
+ labels: {{ include "sso-keycloak.labels" . | nindent 4 }}
 annotations:
 haproxy.router.openshift.io/balance: roundrobin
 haproxy.router.openshift.io/disable_cookies: 'true'
@@ -21,4 +16,4 @@ spec:
 {{ end }}
 to:
 kind: Service
- name: {{ include "..fullname" . }}
+ name: {{ include "sso-keycloak.fullname" . }}
diff --git a/helm/keycloak/templates/secret.yaml b/helm/keycloak/templates/secret.yaml
index da811ca6..beaab378 100644
--- a/helm/keycloak/templates/secret.yaml
+++ b/helm/keycloak/templates/secret.yaml
@@ -1,13 +1,8 @@
 apiVersion: v1
 kind: Secret
 metadata:
- name: {{ include "..fullname" . }}-admin-secret
- labels:
- app.kubernetes.io/name: {{ include "..name" . }}
- app.kubernetes.io/instance: {{ .Release.Name }}
- app.kubernetes.io/managed-by: {{ .Release.Service }}
- helm.sh/chart: {{ include "..chart" . }}
- project: {{ include "..project" . }}
+ name: {{ include "sso-keycloak.fullname" . }}-admin-secret
+ labels: {{ include "sso-keycloak.labels" . | nindent 4 }}
 annotations:
 "helm.sh/hook": "pre-install"
 "helm.sh/hook-delete-policy": "before-hook-creation"
@@ -18,12 +13,8 @@ data:
 apiVersion: v1
 kind: Secret
 metadata:
- name: {{ include "..fullname" . }}-jgroups
- labels:
- app: {{ include "..fullname" . }}
- chart: {{ include "..chart" . }}
- release: {{ .Release.Name }}
- heritage: {{ .Release.Service }}
+ name: {{ include "sso-keycloak.fullname" . }}-jgroups
+ labels: {{ include "sso-keycloak.labels" . | nindent 4 }}
 annotations:
 "helm.sh/hook": "pre-install"
 "helm.sh/hook-delete-policy": "before-hook-creation"
diff --git a/helm/keycloak/templates/service-app.yaml b/helm/keycloak/templates/service-app.yaml
index de6dc1fe..b7775c06 100644
--- a/helm/keycloak/templates/service-app.yaml
+++ b/helm/keycloak/templates/service-app.yaml
@@ -1,13 +1,8 @@
 apiVersion: v1
 kind: Service
 metadata:
- name: {{ include "..fullname" . }}
- labels:
- app.kubernetes.io/name: {{ include "..name" . }}
- app.kubernetes.io/instance: {{ .Release.Name }}
- app.kubernetes.io/managed-by: {{ .Release.Service }}
- helm.sh/chart: {{ include "..chart" . }}
- project: {{ include "..project" . }}
+ name: {{ include "sso-keycloak.fullname" . }}
+ labels: {{ include "sso-keycloak.labels" . | nindent 4 }}
 annotations:
 {{- if .Values.tls.enabled }}
 service.alpha.openshift.io/serving-cert-secret-name: {{ .Values.tls.httpsSecret }}
@@ -24,6 +19,4 @@ spec:
 name: http
 targetPort: http
 {{ end }}
- selector:
- app.kubernetes.io/name: {{ include "..name" . }}
- app.kubernetes.io/instance: {{ .Release.Name }}
+ selector: {{ include "sso-keycloak.selectorLabels" . | nindent 4 }}
diff --git a/helm/keycloak/templates/service-ping.yaml b/helm/keycloak/templates/service-ping.yaml
index 190f9015..abbb48ac 100644
--- a/helm/keycloak/templates/service-ping.yaml
+++ b/helm/keycloak/templates/service-ping.yaml
@@ -2,13 +2,8 @@
 apiVersion: v1
 kind: Service
 metadata:
- name: {{ include "..fullname" . }}-ping
- labels:
- app.kubernetes.io/name: {{ include "..name" . }}
- app.kubernetes.io/instance: {{ .Release.Name }}
- app.kubernetes.io/managed-by: {{ .Release.Service }}
- helm.sh/chart: {{ include "..chart" . }}
- project: {{ include "..project" . }}
+ name: {{ include "sso-keycloak.fullname" . }}-ping
+ labels: {{ include "sso-keycloak.labels" . | nindent 4 }}
 annotations:
 description: "The JGroups ping port for clustering."
 service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
@@ -22,7 +17,5 @@ spec: name: ping targetPort: ping protocol: TCP - selector: - app.kubernetes.io/name: {{ include "..name" . }} - app.kubernetes.io/instance: {{ .Release.Name }} + selector: {{ include "sso-keycloak.selectorLabels" . | nindent 4 }} {{- end }} From ffe33b28f8eecf70f4ec9d7bdb5d3fde87ac5017 Mon Sep 17 00:00:00 2001 From: Junmin Ahn Date: Tue, 18 Jan 2022 16:31:34 -0800 Subject: [PATCH 2/3] chore: update keycloak helm chart --- helm/keycloak/templates/NOTES.txt | 7 +++++-- helm/keycloak/templates/deployment.yaml | 18 ++++++++++++++++-- helm/keycloak/templates/secret.yaml | 3 ++- helm/keycloak/values-6d70e7-test.yaml | 8 +++++--- helm/keycloak/values-c6af30-dev.yaml | 2 +- helm/keycloak/values.yaml | 6 ++++-- 6 files changed, 33 insertions(+), 11 deletions(-) diff --git a/helm/keycloak/templates/NOTES.txt b/helm/keycloak/templates/NOTES.txt index 1e1a64cb..15960e66 100644 --- a/helm/keycloak/templates/NOTES.txt +++ b/helm/keycloak/templates/NOTES.txt @@ -1,4 +1,7 @@ -To get your password for admin run: +To get your username & password for admin run: + + # admin username + ADMIN_USERNAME=$(kubectl get secret --namespace {{ .Release.Namespace }} {{ include "sso-keycloak.fullname" . }}-admin-secret -o jsonpath="{.data.username}" | base64 --decode) # admin password - ADMIN_PASSWORD=$(kubectl get secret --namespace {{ .Release.Namespace }} {{ include "sso-keycloak.fullname" . }}-admin-secret -o jsonpath="{.data.password-admin}" | base64 --decode) + ADMIN_PASSWORD=$(kubectl get secret --namespace {{ .Release.Namespace }} {{ include "sso-keycloak.fullname" . }}-admin-secret -o jsonpath="{.data.password}" | base64 --decode) diff --git a/helm/keycloak/templates/deployment.yaml b/helm/keycloak/templates/deployment.yaml index 18496aa6..aff91c2c 100644 --- a/helm/keycloak/templates/deployment.yaml +++ b/helm/keycloak/templates/deployment.yaml 
@@ -79,22 +79,36 @@ spec:
 value: {{ .Values.postgres.port | quote }}
 # DB Credentials
 - name: DB_USERNAME
+ {{- if and .Values.postgres.credentials.secret .Values.postgres.credentials.usernameKey }}
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.postgres.credentials.secret }}
+ key: {{ .Values.postgres.credentials.usernameKey }}
+ {{- else -}}
 value: {{ .Values.postgres.credentials.adminUsername }}
+ {{- end }}
 - name: DB_PASSWORD
+ {{- if and .Values.postgres.credentials.secret .Values.postgres.credentials.passwordKey }}
 valueFrom:
 secretKeyRef:
 name: {{ .Values.postgres.credentials.secret }}
 key: {{ .Values.postgres.credentials.passwordKey }}
+ {{- else -}}
+ value: {{ .Values.postgres.credentials.adminPassword }}
+ {{- end }}
 - name: DB_DATABASE
 value: {{ .Values.postgres.dbName }}
 # DB Admin Credentials
 - name: SSO_ADMIN_USERNAME
- value: admin
+ valueFrom:
+ secretKeyRef:
+ name: {{ include "sso-keycloak.fullname" . }}-admin-secret
+ key: username
 - name: SSO_ADMIN_PASSWORD
 valueFrom:
 secretKeyRef:
 name: {{ include "sso-keycloak.fullname" . }}-admin-secret
- key: password-admin
+ key: password
 # DB POOL SIZES
 - name: DB_MIN_POOL_SIZE
 value: {{ .Values.postgres.poolSize.min | quote }}
diff --git a/helm/keycloak/templates/secret.yaml b/helm/keycloak/templates/secret.yaml
index beaab378..328e1805 100644
--- a/helm/keycloak/templates/secret.yaml
+++ b/helm/keycloak/templates/secret.yaml
@@ -8,7 +8,8 @@ metadata:
 "helm.sh/hook-delete-policy": "before-hook-creation"
 type: Opaque
 data:
- password-admin: {{ randAlphaNum 32 | b64enc | quote }}
+ username: {{ randAlphaNum 8 | b64enc | quote }}
+ password: {{ randAlphaNum 32 | b64enc | quote }}
 ---
 apiVersion: v1
 kind: Secret
diff --git a/helm/keycloak/values-6d70e7-test.yaml b/helm/keycloak/values-6d70e7-test.yaml
index 11d8444a..483526a2 100644
--- a/helm/keycloak/values-6d70e7-test.yaml
+++ b/helm/keycloak/values-6d70e7-test.yaml
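Review bot: The `{{- else -}}` lines on the DB_USERNAME and DB_PASSWORD fallbacks trim the newline and indentation before the following `value:` line, so with `postgres.credentials.secret` unset the rendered env entry becomes `- name: DB_USERNAMEvalue: ...` and the manifest no longer parses; both should read `{{- else }}`. The fallback also renders `adminUsername`/`adminPassword` as clear-text `value:` entries in the Deployment spec, where they are readable by anyone who can `get` the Deployment or its pods, rather than through a `secretKeyRef`; at minimum pipe them through `| quote` and add a comment, `# clear-text fallback for local development only; set postgres.credentials.secret everywhere else`. `.Values.postgres.credentials.secret` is likewise interpolated unquoted into `name:`, so a value YAML would retype (an all-digit string, for instance) yields an invalid secret reference; `| quote` there as well. The enclosing env list continues outside the hunk.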
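Review bot: Renaming the admin Secret's data key from `password-admin` to `password` and adding `username` changes the keys the deployment.yaml and NOTES.txt hunks look up, but this Secret is created by a `pre-install` hook, which does not run again on `helm upgrade`; a release first installed with the old key keeps a Secret without `username`/`password`, and as far as these hunks show its pods would fail to start after the upgrade. Either add `pre-upgrade` to `helm.sh/hook` (noting that `randAlphaNum` is re-evaluated on each run, so that would also rotate the admin credentials on every upgrade) or add a README.md note that the `-admin-secret` Secret must be deleted and the release reinstalled when moving to this version. A comment above `username:`, `# random identifier, not a credential; only password is sensitive`, would also stop readers from counting the 8-character username toward the secret's strength.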
@@ -1,7 +1,9 @@ replicaCount: 5 +project: sso-keycloak + image: - tag: 7.4-37-rc.2 + tag: 7.4-37-rc.3 service: type: ClusterIP @@ -11,8 +13,8 @@ postgres: host: sso-pgsql-master-test credentials: secret: sso-pgsql-test - admin: - secret: sso-admin-test + usernameKey: app-db-username + passwordKey: app-db-password tls: enabled: true diff --git a/helm/keycloak/values-c6af30-dev.yaml b/helm/keycloak/values-c6af30-dev.yaml index 504d6af7..85fc5389 100644 --- a/helm/keycloak/values-c6af30-dev.yaml +++ b/helm/keycloak/values-c6af30-dev.yaml @@ -13,7 +13,7 @@ postgres: host: sso-patroni credentials: secret: sso-patroni - adminUsername: postgres + usernameKey: username-superuser passwordKey: password-superuser tls: diff --git a/helm/keycloak/values.yaml b/helm/keycloak/values.yaml index 091da82f..57117c11 100644 --- a/helm/keycloak/values.yaml +++ b/helm/keycloak/values.yaml @@ -29,9 +29,11 @@ postgres: dbName: rhsso port: 5432 credentials: - secret: sso-pgsql - adminUsername: postgres + secret: + usernameKey: username-superuser passwordKey: password-superuser + adminUsername: postgres + adminPassword: postgres poolSize: min: 5 max: 20 From 69d260a822f332f8803b10df01fd7c777d8cc629 Mon Sep 17 00:00:00 2001 From: Junmin Ahn Date: Tue, 18 Jan 2022 16:46:14 -0800 Subject: [PATCH 3/3] chore: fix a typo in selectorLabels --- helm/keycloak/templates/deployment.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/helm/keycloak/templates/deployment.yaml b/helm/keycloak/templates/deployment.yaml index aff91c2c..415f7ead 100644 --- a/helm/keycloak/templates/deployment.yaml +++ b/helm/keycloak/templates/deployment.yaml @@ -6,7 +6,7 @@ metadata: spec: replicas: {{ .Values.replicaCount }} selector: - matchLabels: {{ include "sso-keycloak.labels" . | nindent 6 }} + matchLabels: {{ include "sso-keycloak.selectorLabels" . | nindent 6 }} template: metadata: labels: {{ include "sso-keycloak.labels" . | nindent 8 }}
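Review bot: `adminPassword: postgres` puts a well-known default database credential into values.yaml, and with `secret:` now defaulting to empty the deployment.yaml fallback in this series renders it in clear text into the Deployment spec on a default install. Prefer an empty default and fail the render when neither is set, e.g. `adminPassword: ""` here and `{{ required "set postgres.credentials.secret or postgres.credentials.adminPassword" .Values.postgres.credentials.adminPassword }}` in the template, or at least a comment above the two keys, `# fallback used only when .secret is empty; for local development, never for shared environments`. `secret:` with no value parses as null, which is what the `and` guard in deployment.yaml relies on, but `secret: ""` makes that intent explicit and satisfies yamllint's empty-values check.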
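Review bot: Switching `matchLabels` to `sso-keycloak.selectorLabels` is the right fix, but `spec.selector` is immutable, so any cluster that was deployed from the intermediate revision of this series (selector carrying `helm.sh/chart` and `app.kubernetes.io/version`) will reject this upgrade with a "field is immutable" error until its Deployment is deleted; the message "fix a typo" hides that. Patches 2 and 3 also change templates and the admin Secret's keys without bumping `version` in Chart.yaml beyond the 0.1.8 set in the first patch, so a further bump plus an upgrade note in README.md would make the break visible to operators. The pod template labels staying on the full `sso-keycloak.labels` set is fine, since those may change freely.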