diff --git a/apps.yaml b/apps.yaml
index 26c86365db..d757def695 100644
--- a/apps.yaml
+++ b/apps.yaml
@@ -107,7 +107,7 @@ appsInfo:
 integration: App Platform has security best practices built in, and is designed for intrusion. Istio is used by App Platform as a service mesh to deliver mTLS enforcement for all traffic that is deemed compromisable, egress control to force teams to choose explicit egress endpoints, and advanced routing capabilities such as weight based load balancing (A/B or blue/green testing). Istio is part of the core of App Platform and can not be disabled.
 keycloak:
 title: Keycloak
- appVersion: 26.5.3
+ appVersion: 26.5.5
 repo: https://github.com/keycloak/keycloak
 maintainers: Keycloak
 relatedLinks:
diff --git a/chart/chart-index/Chart.yaml b/chart/chart-index/Chart.yaml
index 3078584098..e041a79bef 100644
--- a/chart/chart-index/Chart.yaml
+++ b/chart/chart-index/Chart.yaml
@@ -53,7 +53,7 @@ dependencies:
 repository: https://istio-release.storage.googleapis.com/charts
 - name: keycloakx
 alias: keycloak
- version: 7.1.8
+ version: 7.1.9
 repository: https://codecentric.github.io/helm-charts
 - name: knative-operator
 version: v1.18.1
diff --git a/charts/keycloak/Chart.yaml b/charts/keycloak/Chart.yaml
index cc01f03235..eed63ef254 100644
--- a/charts/keycloak/Chart.yaml
+++ b/charts/keycloak/Chart.yaml
@@ -1,5 +1,5 @@
 apiVersion: v2
-appVersion: 26.5.3
+appVersion: 26.5.5
 description: Keycloak.X - Open Source Identity and Access Management for Modern Applications and Services
 home: https://www.keycloak.org/
@@ -21,4 +21,4 @@ name: keycloakx
 sources:
 - https://github.com/codecentric/helm-charts
 - https://github.com/keycloak/keycloak/tree/main/quarkus/container
-version: 7.1.8
+version: 7.1.9
diff --git a/charts/keycloak/templates/httproute.yaml b/charts/keycloak/templates/httproute.yaml
new file mode 100644
index 0000000000..6c4b031b8d
--- /dev/null
+++ b/charts/keycloak/templates/httproute.yaml
@@ -0,0 +1,99 @@
+{{- $httpRoute := .Values.httpRoute -}}
+{{- if $httpRoute.enabled -}}
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ name: {{ include "keycloak.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "keycloak.labels" . | nindent 4 }}
+ {{- range $key, $value := $httpRoute.labels }}
+ {{- printf "%s: %s" $key (tpl $value $ | quote) | nindent 4 }}
+ {{- end }}
+ {{- with $httpRoute.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ parentRefs:
+ {{- with $httpRoute.parentRefs }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- with $httpRoute.hostnames }}
+ hostnames:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ rules:
+ {{- range $httpRoute.rules }}
+ {{- with .matches }}
+ - matches:
+ {{- range . }}
+ {{- if .path }}
+ - path:
+ type: {{ .path.type }}
+ value: {{ tpl .path.value $ }}
+ {{- end }}
+ {{- else }}
+ {{ . | toYaml | nindent 8 }}
+ {{- end }}
+ {{- end }}
+ {{- with .filters }}
+ filters:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ backendRefs:
+ - name: {{ include "keycloak.fullname" $ }}-http
+ port: {{ $httpRoute.servicePort }}
+ {{- end }}
+{{- end }}
+---
+{{- if $httpRoute.console.enabled -}}
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ name: {{ include "keycloak.fullname" . }}-console
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "keycloak.labels" . | nindent 4 }}
+ {{- range $key, $value := $httpRoute.labels }}
+ {{- printf "%s: %s" $key (tpl $value $ | quote) | nindent 4 }}
+ {{- end }}
+ {{- range $key, $value := $httpRoute.console.labels }}
+ {{- printf "%s: %s" $key (tpl $value $ | quote) | nindent 4 }}
+ {{- end }}
+ {{- with $httpRoute.console.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ parentRefs:
+ {{- with pluck "parentRefs" $httpRoute.console $httpRoute | first }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- with pluck "hostnames" $httpRoute.console $httpRoute | first }}
+ hostnames:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ rules:
+ {{- range $httpRoute.console.rules }}
+ {{- with .matches }}
+ - matches:
+ {{- range . }}
+ {{- if .path }}
+ - path:
+ type: {{ .path.type }}
+ value: {{ tpl .path.value $ }}
+ {{- end }}
+ {{- else }}
+ {{ . | toYaml | nindent 8 }}
+ {{- end }}
+ {{- end }}
+ {{- with .filters }}
+ filters:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ backendRefs:
+ - name: {{ include "keycloak.fullname" $ }}-http
+ port: {{ $httpRoute.servicePort }}
+ {{- end }}
+{{- end }}
diff --git a/charts/keycloak/values.schema.json b/charts/keycloak/values.schema.json
index ad571a7fa7..dd09217bbb 100644
--- a/charts/keycloak/values.schema.json
+++ b/charts/keycloak/values.schema.json
@@ -5,6 +5,63 @@
 "image"
 ],
 "definitions": {
+ "httpRoute": {
+ "type": "object",
+ "properties": {
+ "annotations": {
+ "type": "object"
+ },
+ "enabled": {
+ "type": "boolean"
+ },
+ "labels": {
+ "type": "object"
+ },
+ "parentRefs": {
+ "type": "array",
+ "items": {
+ "properties": {
+ "name": {
+ "type": "string"
+ },
+ "sectionName": {
+ "type": "string"
+ }
+ }
+ }
+ },
+ "hostnames": {
+ "type": "array",
+ "items": {
+ "type": "string"
+ }
+ },
+ "rules": {
+ "type": "array",
+ "items": {
+ "$comment": "don't allow additionalProperties to make sure backendRefs isn't set by the user",
+ "additionalProperties": false,
+ "properties": {
+ "matches": {
+ "type": "array",
+ "items": {
+ "$comment": "don't allow additionalProperties, only path matcher supported",
+ "additionalProperties": false,
+ "properties": {
+ "path": {
+ "type": "object"
+ }
+ }
+ }
+ },
+ "filters": {
+ "type": "array"
+ }
+ }
+ }
+ }
+ }
+ },
 "image": {
 "type": "object",
 "required": [
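Review bot: The `{{- else }}` after the `- path:` block belongs to `{{- range . }}`, not to `{{- if .path }}`, so a match entry without a `path` key is silently dropped, and the `{{ . | toYaml | nindent 8 }}` fallback only fires for an empty list, which the enclosing `{{- with .matches }}` already skips; the console route repeats the same shape. If non-path matchers are meant to be passed through, swap the `{{- end }}` that closes `if .path` with the `{{- else }}` so the branch reads `{{- if .path }} … {{- else }} {{ . | toYaml | nindent 8 }} {{- end }}`; if only path matchers are supported, as the values.schema.json hunk states, drop the else branch. Separately, `type: {{ .path.type }}` and `value: {{ tpl .path.value $ }}` are emitted as plain scalars, so a templated value containing `: `, ` #` or a leading indicator alters the rendered manifest instead of the match; `value: {{ tpl .path.value $ | quote }}` (and `| quote` on `type`) keeps them strings. `parentRefs:` is also written unconditionally while its content sits inside `with`, so an unset list renders `parentRefs: null`.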
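Review bot: The `$comment` on `rules.items` says `additionalProperties: false` keeps users from setting `backendRefs`, yet `filters` is declared as a bare `"type": "array"` with no item schema, and a Gateway API `RequestMirror` filter carries its own `backendRef`, so, depending on which filters the installed controller supports, a route can still reference another backend through a filter. If the intent is to pin every rule to the chart's `-http` Service, give `filters.items` an object schema whose `type` is limited to the header-modifier, redirect and rewrite filters, or at least enumerate its allowed properties under `"additionalProperties": false`. Likewise `path` is only `"type": "object"` while the template dereferences `.path.type` and `.path.value`; adding `"required": ["type", "value"]` with both typed as `"string"` lets schema validation report the omission instead of a template render error.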
@@ -90,6 +147,22 @@
 "internalPort": "string",
 "internalScheme": "string"
 },
+ "httpRoute": {
+ "allOf": [
+ { "$ref": "#/definitions/httpRoute" },
+ {
+ "type": "object",
+ "properties": {
+ "servicePort": {
+ "type": "integer"
+ },
+ "console": {
+ "$ref": "#/definitions/httpRoute"
+ }
+ }
+ }
+ ]
+ },
 "image": {
 "$ref": "#/definitions/image"
 },
diff --git a/charts/keycloak/values.yaml b/charts/keycloak/values.yaml
index 2356a790fd..6f93c6c9bc 100644
--- a/charts/keycloak/values.yaml
+++ b/charts/keycloak/values.yaml
@@ -11,7 +11,7 @@ image:
 # The Keycloak image repository
 repository: quay.io/keycloak/keycloak
 # Overrides the Keycloak image tag whose default is the chart appVersion
- tag: "26.5.3"
+ tag: "26.5.5"
 # Overrides the Keycloak image tag with a specific digest
 digest: ""
 # The Keycloak image pull policy
@@ -280,6 +280,56 @@ serviceHeadless:
 # Add additional ports to the headless service, e. g. for admin console or exposing JGroups ports
 extraPorts: []
+# -- Expose the service via gateway-api HTTPRoute
+# Requires Gateway API resources and suitable controller installed within the cluster
+# (see: https://gateway-api.sigs.k8s.io/guides/)
+httpRoute:
+ # HTTPRoute enabled.
+ enabled: false
+ # Additional HTTPRoute labels
+ labels: {}
+ # HTTPRoute annotations.
+ annotations: {}
+ # The Service port targeted by the HTTPRoute, MUST BE AN NUMBER
+ servicePort: 80
+ # Which Gateways this Route is attached to.
+ parentRefs:
+ - name: gateway
+ sectionName: http
+ # namespace: default
+ # Hostnames matching HTTP header.
+ hostnames:
+ - chart-example.local
+ # List of rules and filters applied.
+ rules:
+ - matches:
+ - path:
+ type: PathPrefix
+ value: '{{ tpl .Values.http.relativePath $ | trimSuffix "/" }}/'
+ # HTTPRoute for console only (/auth/admin)
+ console:
+ # If `true`, an HTTPRoute is created for console path only
+ enabled: false
+ # Additional HTTPRoute labels
+ labels: {}
+ # HTTPRoute annotations.
+ annotations: {}
+ # Which Gateways this Route is attached to.
+ parentRefs:
+ - name: gateway
+ sectionName: http
+ # namespace: default
+ # Hostnames matching HTTP header.
+ hostnames:
+ - chart-example.local
+ # List of rules and filters applied.
+ rules:
+ - matches:
+ - path:
+ type: PathPrefix
+ value: '{{ tpl .Values.http.relativePath $ | trimSuffix "/" }}/admin'
+
 ingress:
 # If `true`, an Ingress is created
 enabled: false
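Review bot: The comment on `servicePort` reads `MUST BE AN NUMBER`, and the schema hunk types the key as `integer`, so `# The Service port targeted by the HTTPRoute (must be an integer)` states the same constraint without the typo. The `console` block repeats `parentRefs` and `hostnames` from the parent `httpRoute`, while the template resolves them through `pluck … | first` and falls back to the parent values when the console ones are unset; documenting that in the values (`# Defaults to httpRoute.parentRefs when unset`) or leaving the duplicate defaults out would make the inheritance visible to whoever configures the route.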