diff --git a/.helmignore b/.helmignore new file mode 100644 index 0000000..e69de29 diff --git a/Chart.yaml b/Chart.yaml index d91bd9d..b52e25d 100644 --- a/Chart.yaml +++ b/Chart.yaml @@ -15,7 +15,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.1.3 +version: 0.1.5 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to diff --git a/secrets.yaml b/secrets.yaml index 7a53916..d94445b 100644 --- a/secrets.yaml +++ b/secrets.yaml 
@@ -15,14 +15,18 @@ prometheusPgExporter:
 pgHostname: ENC[AES256_GCM,data:Xgl4RtvBuYzmWl+tV8ToJA==,iv:tbS5JBttZIqvB51UpWuyI3JYqSfrqFamgsCVQ2KMiRI=,tag:KgrBmMRch+IcSEeA5vSNuQ==,type:str]
 pgUsername: ENC[AES256_GCM,data:V/8m4/VKT2XTT8ySXpQv/yI=,iv:Ydus78HYDIOi9/9huFTL9GNp9oIRWOLgi/PAtCD8gvU=,tag:hFADQ/wqfLbZNjxNYs/fiA==,type:str]
 pgPassword: ENC[AES256_GCM,data:RPGwtcStH9qcQSaFGncuFwoHMA1A29lnhIuovC3ZB3s=,iv:Ne/3uW3Wy4tuG4IJaqwvz45dmxA5Gw+laicqeLJzLzo=,tag:3epeENbw3HJd69VN2xgVvA==,type:str]
+keycloak:
+ auth:
+ adminUser: ENC[AES256_GCM,data:+egmbHzbaftvlJE3kPs=,iv:c8yMQu3R9uSMI8vnLbJK30Aa9EgCECydgltJBZBBjxo=,tag:0JSM/QLts0w+B2yPuxlTSw==,type:str]
+ adminPassword: ENC[AES256_GCM,data:Rd17pq1ouwsV65wFOiv4lPrHYJg=,iv:TXCzLBfD7AsqsrfN5E341bUANTWmTLvbB91p+0Zs3Tw=,tag:WKW6iRVddxFzrZMDZQMDFg==,type:str]
 sops:
 kms: []
 gcp_kms: []
 azure_kv: []
 hc_vault: []
 age: []
- lastmodified: "2023-03-02T16:15:25Z"
- mac: ENC[AES256_GCM,data:WQB3HtUCm7xq4ODhO1vdKXDv8ZIWneJ5ZAa6WZAUsbN3W+r7Iin39eqj9guvSaoUBM5n+QNeQbNV5PoUkujd/jyaUyqKf0x02Ilb8wLJwZAl4EsgloZGBE3J4Sx7m/L8qhy4YYYLKP83KuaI6wWLiKi9usR2bDuCBnt4/N926vI=,iv:83lD9MaBoS20xHzUrtrLgf3PQTwTX924BYu8IKimu+M=,tag:8h53wTt6Ej/qXdIhZWLtjQ==,type:str]
+ lastmodified: "2023-03-02T19:12:40Z"
+ mac: ENC[AES256_GCM,data:BOYmdhvmrEMuzEb99rCsWteKiKD7wwjyhQWCKdyrXqQSSCqInQmAL1LfwfwHQNpFRTy8n9T7BHQI4GcHIHH/8hJA9L8uBQcgnvbMaQu4wKH9Q5996692re8Aa1yDPrxvwNVx+36/dlyV8YTFabn7EVjtBFLd92GdjkRl2MkfMMw=,iv:9506PK1Q5TQc9y/RvP/pXVzymHycYzXDH+O9vDqqmuo=,tag:Ct5rMQ3wMJuFWvMxaXjZYQ==,type:str]
 pgp:
 - created_at: "2023-03-02T14:39:34Z"
 enc: |
diff --git a/templates/.servicemonitor_s3_minio.yaml.swp b/templates/.servicemonitor_s3_minio.yaml.swp
deleted file mode 100644
index 5ce1006..0000000
Binary files a/templates/.servicemonitor_s3_minio.yaml.swp and /dev/null differ
diff --git a/templates/keycloak/configMap_env_vars.yaml b/templates/keycloak/configMap_env_vars.yaml
new file mode 100644
index 0000000..cd53b4a
--- /dev/null
+++ b/templates/keycloak/configMap_env_vars.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: keycloak-cm-envvars
+data:
+ KC_LOG_LEVEL: {{ .Values.keycloak.logLevel | default "INFO" }}
+ KC_PROXY: edge
+ KC_HOSTNAME: "keycloak-prodwork01.smardigo.digital"
+ KC_DB: "postgres"
+ KC_DB_URL: "jdbc:postgresql://postgres-cluster:5432/keycloak"
diff --git a/templates/keycloak/deployment_keycloak.yaml b/templates/keycloak/deployment_keycloak.yaml
new file mode 100644
index 0000000..772c15d
--- /dev/null
+++ b/templates/keycloak/deployment_keycloak.yaml
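Review bot: `KC_LOG_LEVEL` is rendered unquoted from `.Values.keycloak.logLevel`, so a value such as `off`, a bare number or an empty string is retyped by the YAML parser before the API server sees it, and ConfigMap `data` only accepts strings; pipe it through `quote` the way the Secret template in this commit does: `KC_LOG_LEVEL: {{ .Values.keycloak.logLevel | default "INFO" | quote }}`. `KC_HOSTNAME` hard-codes the same host that values.yaml declares under `keycloak.ingress.hostname`, so the two can drift silently; `KC_HOSTNAME: {{ .Values.keycloak.ingress.hostname | quote }}` keeps them in step. Note that `keycloak.logLevel` is not declared in this commit's values.yaml hunk, so unless it is set elsewhere the `default` is what always applies.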
@@ -0,0 +1,86 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app.kubernetes.io/name: keycloak
+ name: keycloak
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: keycloak
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: keycloak
+ spec:
+ imagePullSecrets:
+ - name: harbor-pull-secret
+ securityContext: {}
+ containers:
+ -
+ securityContext:
+ runAsUser: 1000
+ runAsNonRoot: true
+ allowPrivilegeEscalation: False
+ capabilities:
+ drop: ["ALL"]
+ envFrom:
+ - configMapRef:
+ name: keycloak-cm-envvars
+ - secretRef:
+ name: keycloak-secret-envvars
+ env:
+ - name: KC_DB_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: keycloak-admin.postgres-cluster.credentials.postgresql.acid.zalan.do
+ key: password
+ - name: KC_DB_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: keycloak-admin.postgres-cluster.credentials.postgresql.acid.zalan.do
+ key: username
+ {{- if .Values.keycloak.image.debug }}
+ - name: BITNAMI_DEBUG
+ value: {{ ternary "true" "false" .Values.keycloak.image.debug | quote }}
+ {{- end }}
+ ports:
+ - name: http
+ containerPort: 8080
+ - name: https
+ containerPort: 8443
+ {{- if .Values.keycloak.resources }}
+ resources: {{- toYaml .Values.keycloak.resources | nindent 12 }}
+ {{- end }}
+ readinessProbe:
+ httpGet:
+ path: {{ .Values.keycloak.httpRelativePath }}realms/master
+ port: http
+ initialDelaySeconds: 30
+ periodSeconds: 1
+ timeoutSeconds: 5
+ failureThreshold: 3
+ successThreshold: 1
+ livenessProbe:
+ httpGet:
+ path: {{ .Values.keycloak.httpRelativePath }}
+ port: http
+ periodSeconds: 1
+ timeoutSeconds: 5
+ failureThreshold: 3
+ successThreshold: 1
+ startupProbe:
+ httpGet:
+ path: {{ .Values.keycloak.httpRelativePath }}
+ port: http
+ initialDelaySeconds: 30
+ periodSeconds: 5
+ timeoutSeconds: 1
+ failureThreshold: 60
+ successThreshold: 1
+ image: {{ .Values.keycloak.image.registry }}/{{ .Values.keycloak.image.repository }}:{{ .Values.keycloak.image.tag }}
+ args:
+ - "start"
+ name: 
keycloak
diff --git a/templates/keycloak/ingress.yaml b/templates/keycloak/ingress.yaml
new file mode 100644
index 0000000..e33dd63
--- /dev/null
+++ b/templates/keycloak/ingress.yaml
@@ -0,0 +1,26 @@
+{{- if .Values.keycloak.ingress.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ {{- if .Values.keycloak.ingress.annotations }}
+ annotations: {{- toYaml .Values.keycloak.ingress.annotations | nindent 6 }}
+ {{- end }}
+ name: keycloak-ingress
+spec:
+ ingressClassName: nginx
+ rules:
+ - host: {{ .Values.keycloak.ingress.hostname }}
+ http:
+ paths:
+ - backend:
+ service:
+ name: keycloak
+ port:
+ name: http
+ path: /
+ pathType: Prefix
+ tls:
+ - hosts:
+ - {{ .Values.keycloak.ingress.hostname }}
+ secretName: keycloak-ingress-cert
+{{- end }}
diff --git a/templates/keycloak/netpol_ingress-nginx2keycloak.yaml b/templates/keycloak/netpol_ingress-nginx2keycloak.yaml
new file mode 100644
index 0000000..797b1bc
--- /dev/null
+++ b/templates/keycloak/netpol_ingress-nginx2keycloak.yaml
@@ -0,0 +1,16 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: ingress-nginx2keycloak
+# allow traffic from minio-operator NS to current NS across all ports
+spec:
+ ingress:
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: ingress
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: keycloak
+ policyTypes:
+ - Ingress
diff --git a/templates/keycloak/secret_env_vars.yaml b/templates/keycloak/secret_env_vars.yaml
new file mode 100644
index 0000000..86a7b30
--- /dev/null
+++ b/templates/keycloak/secret_env_vars.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: keycloak-secret-envvars
+stringData:
+ KEYCLOAK_ADMIN: {{ .Values.keycloak.auth.adminUser | quote }}
+ KEYCLOAK_ADMIN_PASSWORD: {{ .Values.keycloak.auth.adminPassword | quote }}
diff --git a/templates/keycloak/service.yaml b/templates/keycloak/service.yaml
new file mode 100644
index 0000000..380a82f
--- /dev/null
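Review bot: The readiness probe path renders as `{{ .Values.keycloak.httpRelativePath }}realms/master`, which with this commit's values is `/auth/realms/master`, but nothing in the ConfigMap or the container args tells Keycloak to serve under that prefix (no `KC_HTTP_RELATIVE_PATH` is set), so unless the image bakes the prefix in, all three probes will 404 and the pod never becomes ready; either add `KC_HTTP_RELATIVE_PATH: {{ .Values.keycloak.httpRelativePath | quote }}` to the ConfigMap or point the probes at the path Keycloak actually serves. In the container securityContext, `allowPrivilegeEscalation: False` should be the canonical lowercase `false`, and the block would be stronger with `seccompProfile: {type: RuntimeDefault}` and `readOnlyRootFilesystem: true` (plus an emptyDir for whatever the image writes at runtime) if the image tolerates it. The liveness probe's `periodSeconds: 1` with `failureThreshold: 3` restarts the pod after three slow responses in three seconds; a period of 10 is the usual starting point. `args: ["start"]` and the `harbor-pull-secret` pull secret are hard-coded here even though the values hunk declares `keycloak.args` and `keycloak.image.pullSecrets`, so those values are currently dead.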
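Review bot: `host: {{ .Values.keycloak.ingress.hostname }}` and the matching `tls.hosts` entry are rendered unquoted, so an unset value renders as `null` and a value beginning with a YAML indicator breaks the manifest; use `{{ .Values.keycloak.ingress.hostname | quote }}` in both places. `ingressClassName: nginx` is fixed while the annotations come from values, which is inconsistent with how the rest of this ingress is parameterised; a `keycloak.ingress.className` value with `nginx` as its default would keep the behaviour and remove the hard-coding.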
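Review bot: The comment `# allow traffic from minio-operator NS to current NS across all ports` does not describe this policy, which admits traffic from the `ingress` namespace to the keycloak pods; it reads as a copy from another template and should say something like `# allow ingress-nginx (namespace "ingress") to reach the keycloak pods`. The rule also has no `ports` stanza, so every pod in that namespace can reach every port on the keycloak pods, including 8443 and any management port, whereas only the HTTP service port is needed; add `ports: [{port: 8080, protocol: TCP}]` (in block style) under the rule. With only `Ingress` in `policyTypes` the policy does not constrain what keycloak talks to, which may be intentional but is worth stating in the comment.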
+++ b/templates/keycloak/service.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ app.kubernetes.io/name: keycloak
+ name: keycloak
+spec:
+ ports:
+ - name: http
+ port: 8080
+ protocol: TCP
+ targetPort: 8080
+ selector:
+ app.kubernetes.io/name: keycloak
diff --git a/templates/servicemonitor_s3_minio.yaml b/templates/servicemonitor_s3_minio.yaml
new file mode 100644
index 0000000..0673fd5
--- /dev/null
+++ b/templates/servicemonitor_s3_minio.yaml
@@ -0,0 +1,27 @@
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+ name: minio
+ labels:
+ release: kube-prometheus-stack
+ v1.min.io/tenant: {{ .Values.tenant.tenant.name }}
+spec:
+ jobLabel: minio-{{ .Release.Name }}
+ selector:
+ matchLabels:
+ v1.min.io/tenant: {{ .Values.tenant.tenant.name }}
+ endpoints:
+ - port: https-minio
+ interval: 30s
+ scrapeTimeout: 10s
+ path: /minio/v2/metrics/cluster
+ scheme: https
+ tlsConfig:
+ insecureSkipVerify: true
+ - port: https-minio
+ interval: 30s
+ scrapeTimeout: 10s
+ path: /minio/v2/metrics/node
+ scheme: https
+ tlsConfig:
+ insecureSkipVerify: true
diff --git a/values.yaml b/values.yaml
index b29dbf0..6184e14 100644
--- a/values.yaml
+++ b/values.yaml
@@ -1,6 +1,6 @@
 global:
 prometheus:
- release_label: kube-prometheus-stack
+ release_label: &prometheusStackDiscoveryLabel kube-prometheus-stack
 tenant:
 tenant:
@@ -72,7 +72,7 @@ postgres:
 basebackup:
 timeThreshold: 86400
 teamLabel: '' # empty but no defined alertmanager receiver => catchall devops-team
- name: postgres-cluster
+ name: &pg_cluster_name postgres-cluster
 spec:
 teamId: "postgres"
 volume:
@@ -83,7 +83,7 @@ postgres:
 - superuser
 - createdb
 databases:
- keycloak: keycloak_admin
+ keycloak: &database_username keycloak_admin
 preparedDatabases:
 keycloak: {}
 postgresql:
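Review bot: Both endpoints set `tlsConfig.insecureSkipVerify: true`, so Prometheus scrapes the MinIO tenant over TLS without checking the server certificate, and anything on the cluster network that can answer for the service name can feed it arbitrary metrics. Prefer `tlsConfig.ca.secret` pointing at the tenant's CA (with `serverName` set to the service DNS name) and drop `insecureSkipVerify`, or add a comment stating why verification is not possible for this tenant. `jobLabel: minio-{{ .Release.Name }}` names a label key on the Service whose value becomes the job name, not the job name itself; unless the MinIO service carries such a label, Prometheus falls back to the service name, so if a fixed job name was intended this field is not the way to get it. The `release: kube-prometheus-stack` label is also hard-coded although the same commit introduces `global.prometheus.release_label` for exactly this purpose.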
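Review bot: The three anchors added in this file mix naming conventions, `&prometheusStackDiscoveryLabel` in camelCase against `&pg_cluster_name` and `&database_username` in snake_case; pick one for the whole values file. None of them is aliased inside the hunks of this commit, so they are presumably consumed further down in values.yaml; if not, they are dead. Anchors are resolved when Helm loads the values file, but tooling that re-serialises values (overlays, `helm get values`) may not preserve them, so explicit repetition is the safer choice if this file is consumed outside Helm.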
@@ -117,3 +117,26 @@ prometheus-postgres-exporter: datasourceSecret: name: postgres-exporter-database-connection key: datasource + +keycloak: + image: + registry: prodnso-harbor-01.smardigo.digital + repository: smardigo/keycloak + tag: 20.0.2.1 + pullSecrets: + - harbor-pull-secret + debug: true + args: + - "start" + httpRelativePath: "/auth/" + ingress: + enabled: true + hostname: keycloak-prodwork01.smardigo.digital + annotations: + cert-manager.io/cluster-issuer: letsencrypt-prod + cert-manager.io/issue-temporary-certificate: "true" + nginx.ingress.kubernetes.io/backend-protocol: HTTP + nginx.ingress.kubernetes.io/force-ssl-redirect: "true" + nginx.ingress.kubernetes.io/ssl-passthrough: "true" + nginx.ingress.kubernetes.io/whitelist-source-range: >- + 212.121.131.106/32,149.233.6.129/32,46.245.219.98/32,164.138.195.162/32,195.201.31.227/32,167.235.150.201/32,167.235.150.198/32,167.235.150.195/32,167.235.150.133/32,167.235.150.197/32,23.88.53.161/32,195.201.113.110/32,5.75.184.216/32,195.201.127.50/32,164.92.251.253/32
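Review bot: The ingress annotations enable `nginx.ingress.kubernetes.io/ssl-passthrough: "true"` while also setting `backend-protocol: HTTP`, `force-ssl-redirect`, a cert-manager issuer and, in the ingress template, a `tls.secretName`; with passthrough the controller forwards the raw TLS stream to the backend instead of terminating it, so the cert-manager certificate goes unused and the only Service port this commit exposes (8080, plain HTTP, with `KC_PROXY: edge` in the ConfigMap) cannot answer it. Drop the `ssl-passthrough` annotation, or if passthrough is really wanted expose 8443 on the Service and set `KC_PROXY` accordingly; passthrough also requires the controller to run with `--enable-ssl-passthrough`, which this chart does not control. `image.debug: true` as the chart default turns `BITNAMI_DEBUG` on for every deployment of this chart; default it to `false` and override per environment. `tag: 20.0.2.1` happens to be a string on any parser, but quoting it (`tag: "20.0.2.1"`) protects the next maintainer who bumps it to a two-component value like `21.0`, which would become a float.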