From 264c2992e222dc30f89d55a6ae1d1d3621b101d2 Mon Sep 17 00:00:00 2001 From: friedrich goerz Date: Mon, 6 Mar 2023 15:17:03 +0100 Subject: [PATCH] DEV-898: added self frickeled keyscloak stuff due to being not able to get it up and runninng with bitnami helm chart --- .helmignore | 0 Chart.yaml | 2 +- secrets.yaml | 8 +- templates/.servicemonitor_s3_minio.yaml.swp | Bin 12288 -> 0 bytes templates/keycloak/configMap_env_vars.yaml | 10 ++ templates/keycloak/deployment_keycloak.yaml | 86 ++++++++++++++++++ templates/keycloak/ingress.yaml | 26 ++++++ .../netpol_ingress-nginx2keycloak.yaml | 16 ++++ templates/keycloak/secret_env_vars.yaml | 7 ++ templates/keycloak/service.yaml | 14 +++ templates/servicemonitor_s3_minio.yaml | 27 ++++++ values.yaml | 29 +++++- 12 files changed, 219 insertions(+), 6 deletions(-) create mode 100644 .helmignore delete mode 100644 templates/.servicemonitor_s3_minio.yaml.swp create mode 100644 templates/keycloak/configMap_env_vars.yaml create mode 100644 templates/keycloak/deployment_keycloak.yaml create mode 100644 templates/keycloak/ingress.yaml create mode 100644 templates/keycloak/netpol_ingress-nginx2keycloak.yaml create mode 100644 templates/keycloak/secret_env_vars.yaml create mode 100644 templates/keycloak/service.yaml create mode 100644 templates/servicemonitor_s3_minio.yaml diff --git a/.helmignore b/.helmignore new file mode 100644 index 0000000..e69de29 diff --git a/Chart.yaml b/Chart.yaml index d91bd9d..b52e25d 100644 --- a/Chart.yaml +++ b/Chart.yaml @@ -15,7 +15,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.1.3 +version: 0.1.5 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to 
diff --git a/secrets.yaml b/secrets.yaml index 7a53916..d94445b 100644 --- a/secrets.yaml +++ b/secrets.yaml @@ -15,14 +15,18 @@ prometheusPgExporter: pgHostname: ENC[AES256_GCM,data:Xgl4RtvBuYzmWl+tV8ToJA==,iv:tbS5JBttZIqvB51UpWuyI3JYqSfrqFamgsCVQ2KMiRI=,tag:KgrBmMRch+IcSEeA5vSNuQ==,type:str] pgUsername: ENC[AES256_GCM,data:V/8m4/VKT2XTT8ySXpQv/yI=,iv:Ydus78HYDIOi9/9huFTL9GNp9oIRWOLgi/PAtCD8gvU=,tag:hFADQ/wqfLbZNjxNYs/fiA==,type:str] pgPassword: ENC[AES256_GCM,data:RPGwtcStH9qcQSaFGncuFwoHMA1A29lnhIuovC3ZB3s=,iv:Ne/3uW3Wy4tuG4IJaqwvz45dmxA5Gw+laicqeLJzLzo=,tag:3epeENbw3HJd69VN2xgVvA==,type:str] +keycloak: + auth: + adminUser: ENC[AES256_GCM,data:+egmbHzbaftvlJE3kPs=,iv:c8yMQu3R9uSMI8vnLbJK30Aa9EgCECydgltJBZBBjxo=,tag:0JSM/QLts0w+B2yPuxlTSw==,type:str] + adminPassword: ENC[AES256_GCM,data:Rd17pq1ouwsV65wFOiv4lPrHYJg=,iv:TXCzLBfD7AsqsrfN5E341bUANTWmTLvbB91p+0Zs3Tw=,tag:WKW6iRVddxFzrZMDZQMDFg==,type:str] sops: kms: [] gcp_kms: [] azure_kv: [] hc_vault: [] age: [] - lastmodified: "2023-03-02T16:15:25Z" - mac: ENC[AES256_GCM,data:WQB3HtUCm7xq4ODhO1vdKXDv8ZIWneJ5ZAa6WZAUsbN3W+r7Iin39eqj9guvSaoUBM5n+QNeQbNV5PoUkujd/jyaUyqKf0x02Ilb8wLJwZAl4EsgloZGBE3J4Sx7m/L8qhy4YYYLKP83KuaI6wWLiKi9usR2bDuCBnt4/N926vI=,iv:83lD9MaBoS20xHzUrtrLgf3PQTwTX924BYu8IKimu+M=,tag:8h53wTt6Ej/qXdIhZWLtjQ==,type:str] + lastmodified: "2023-03-02T19:12:40Z" + mac: ENC[AES256_GCM,data:BOYmdhvmrEMuzEb99rCsWteKiKD7wwjyhQWCKdyrXqQSSCqInQmAL1LfwfwHQNpFRTy8n9T7BHQI4GcHIHH/8hJA9L8uBQcgnvbMaQu4wKH9Q5996692re8Aa1yDPrxvwNVx+36/dlyV8YTFabn7EVjtBFLd92GdjkRl2MkfMMw=,iv:9506PK1Q5TQc9y/RvP/pXVzymHycYzXDH+O9vDqqmuo=,tag:Ct5rMQ3wMJuFWvMxaXjZYQ==,type:str] pgp: - created_at: "2023-03-02T14:39:34Z" enc: | 
diff --git a/templates/.servicemonitor_s3_minio.yaml.swp b/templates/.servicemonitor_s3_minio.yaml.swp deleted file mode 100644 index 5ce10068ec21b05a637eedda7f3d01815ce52f75..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 12288 zcmeI2y^ho{5P-c%NE95PqeMamDvBig)1Z_XFUG0&1xqZPVa5=Tj7}DxU_m{$8mO+ z&8>peDw*}c-^}ZE!Pdjz*==L;lNY{PFN~bfX<}YR8vMSQIbYA`QDsf~!q|K`3QCiJ zh9HNfER4t_4`o#d4=!?G7fM2DwDQKz++pf#|uHyMwHtM@mq zU*nfI_ecyGAOmE843GgbKnBPF86X4ykpW)~*lRrRneNP2x_R)++fDDiUGC&5%02w%i21Lr(kMoQ@-N54U|Ns8?|ItOpz9CJ`HH+p-Xcq6weJ&z1{oj&WPl8i0Wv@a$N(82 z17zT|8sObf+JUSs?B=SPf>rZn%)PCFwby;&?if8+`*9a=GJ_Igo_SxnE>;Pj#XM>n zoukD#D#2q{wu`h$`#ersQNd$Xf~kGXM?=TEo0az1GA)XjPx@fMD`Rn0vq#XR?G|(X zFYA>>?XZ~jN&mWJ&}n7xfUdW<7=?J8P#NqP*FxhN4-R-Z6-5m$Y(xE|MG5@yuqmb# zUS-rG%U4;So20oA^Tt!K%J&Gb3kTs&m%>#b+Y0`0f7>REd0r`g_ z;S6dQI4@+5RTS&mR%Lg!FkB^4;YG}HrPG-2w!QJ&ZErjimBMeFQ%2(rZA|I?P#O!y K;Z#P85&H>sEg)zB diff --git a/templates/keycloak/configMap_env_vars.yaml b/templates/keycloak/configMap_env_vars.yaml new file mode 100644 index 0000000..cd53b4a --- /dev/null +++ b/templates/keycloak/configMap_env_vars.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: keycloak-cm-envvars +data: + KC_LOG_LEVEL: {{ .Values.keycloak.logLevel | default "INFO" }} + KC_PROXY: edge + KC_HOSTNAME: "keycloak-prodwork01.smardigo.digital" + KC_DB: "postgres" + KC_DB_URL: "jdbc:postgresql://postgres-cluster:5432/keycloak" diff --git a/templates/keycloak/deployment_keycloak.yaml b/templates/keycloak/deployment_keycloak.yaml new file mode 100644 index 0000000..772c15d --- /dev/null +++ b/templates/keycloak/deployment_keycloak.yaml 
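Review bot: `KC_HOSTNAME` in the ConfigMap hard-codes the same hostname that values.yaml exposes as `keycloak.ingress.hostname`, so the name Keycloak advertises and the Ingress host can silently diverge; use `KC_HOSTNAME: {{ .Values.keycloak.ingress.hostname | quote }}`. Likewise `KC_DB_URL` embeds `postgres-cluster`, which appears to be the Postgres cluster name kept under `postgres:` in values.yaml — templating it (confirm the exact values path) keeps the chart self-consistent. The deployment's probes prefix their paths with `.Values.keycloak.httpRelativePath` (`/auth/`), but nothing here sets the matching `KC_HTTP_RELATIVE_PATH`; unless the image bakes it in, Keycloak serves under `/` and the probes will fail, so add `KC_HTTP_RELATIVE_PATH: {{ .Values.keycloak.httpRelativePath | trimSuffix "/" | quote }}`. Finally, `KC_LOG_LEVEL` is emitted unquoted — append `| quote` after the `default` so every value stays a string.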
@@ -0,0 +1,86 @@ +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app.kubernetes.io/name: keycloak + name: keycloak +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: keycloak + template: + metadata: + labels: + app.kubernetes.io/name: keycloak + spec: + imagePullSecrets: + - name: harbor-pull-secret + securityContext: {} + containers: + - + securityContext: + runAsUser: 1000 + runAsNonRoot: true + allowPrivilegeEscalation: False + capabilities: + drop: ["ALL"] + envFrom: + - configMapRef: + name: keycloak-cm-envvars + - secretRef: + name: keycloak-secret-envvars + env: + - name: KC_DB_PASSWORD + valueFrom: + secretKeyRef: + name: keycloak-admin.postgres-cluster.credentials.postgresql.acid.zalan.do + key: password + - name: KC_DB_USERNAME + valueFrom: + secretKeyRef: + name: keycloak-admin.postgres-cluster.credentials.postgresql.acid.zalan.do + key: username + {{- if .Values.keycloak.image.debug }} + - name: BITNAMI_DEBUG + value: {{ ternary "true" "false" .Values.keycloak.image.debug | quote }} + {{- end }} + ports: + - name: http + containerPort: 8080 + - name: https + containerPort: 8443 + {{- if .Values.keycloak.resources }} + resources: {{- toYaml .Values.keycloak.resources | nindent 12 }} + {{- end }} + readinessProbe: + httpGet: + path: {{ .Values.keycloak.httpRelativePath }}realms/master + port: http + initialDelaySeconds: 30 + periodSeconds: 1 + timeoutSeconds: 5 + failureThreshold: 3 + successThreshold: 1 + livenessProbe: + httpGet: + path: {{ .Values.keycloak.httpRelativePath }} + port: http + periodSeconds: 1 + timeoutSeconds: 5 + failureThreshold: 3 + successThreshold: 1 + startupProbe: + httpGet: + path: {{ .Values.keycloak.httpRelativePath }} + port: http + initialDelaySeconds: 30 + periodSeconds: 5 + timeoutSeconds: 1 + failureThreshold: 60 + successThreshold: 1 + image: {{ .Values.keycloak.image.registry }}/{{ .Values.keycloak.image.repository }}:{{ .Values.keycloak.image.tag }} + args: + - "start" + name: 
keycloak diff --git a/templates/keycloak/ingress.yaml b/templates/keycloak/ingress.yaml new file mode 100644 index 0000000..e33dd63 --- /dev/null +++ b/templates/keycloak/ingress.yaml @@ -0,0 +1,26 @@ +{{- if .Values.keycloak.ingress.enabled }} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + {{- if .Values.keycloak.ingress.annotations }} + annotations: {{- toYaml .Values.keycloak.ingress.annotations | nindent 6 }} + {{- end }} + name: keycloak-ingress +spec: + ingressClassName: nginx + rules: + - host: {{ .Values.keycloak.ingress.hostname }} + http: + paths: + - backend: + service: + name: keycloak + port: + name: http + path: / + pathType: Prefix + tls: + - hosts: + - {{ .Values.keycloak.ingress.hostname }} + secretName: keycloak-ingress-cert +{{- end }} diff --git a/templates/keycloak/netpol_ingress-nginx2keycloak.yaml b/templates/keycloak/netpol_ingress-nginx2keycloak.yaml new file mode 100644 index 0000000..797b1bc --- /dev/null +++ b/templates/keycloak/netpol_ingress-nginx2keycloak.yaml @@ -0,0 +1,16 @@ +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: ingress-nginx2keycloak +# allow traffic from minio-operator NS to current NS across all ports +spec: + ingress: + - from: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: ingress + podSelector: + matchLabels: + app.kubernetes.io/name: keycloak + policyTypes: + - Ingress diff --git a/templates/keycloak/secret_env_vars.yaml b/templates/keycloak/secret_env_vars.yaml new file mode 100644 index 0000000..86a7b30 --- /dev/null +++ b/templates/keycloak/secret_env_vars.yaml @@ -0,0 +1,7 @@ +apiVersion: v1 +kind: Secret +metadata: + name: keycloak-secret-envvars +stringData: + KEYCLOAK_ADMIN: {{ .Values.keycloak.auth.adminUser | quote }} + KEYCLOAK_ADMIN_PASSWORD: {{ .Values.keycloak.auth.adminPassword | quote }} diff --git a/templates/keycloak/service.yaml b/templates/keycloak/service.yaml new file mode 100644 index 0000000..380a82f --- /dev/null 
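Review bot: The pod spec hard-codes `imagePullSecrets` (`harbor-pull-secret`) and `args` (`"start"`) although values.yaml in this same commit defines `keycloak.image.pullSecrets` and `keycloak.args` for exactly these, so those values are dead and the template cannot be reconfigured; render both from values as below. The container hardening is good (non-root, no privilege escalation, all capabilities dropped) but the pod-level `securityContext: {}` leaves the seccomp profile unset — `seccompProfile: {type: RuntimeDefault}` is the usual baseline, and `allowPrivilegeEscalation: False` should be lowercase `false` for YAML 1.2 tooling. The `{{- if .Values.keycloak.image.debug }}` block always renders `BITNAMI_DEBUG: "true"`, so the `ternary` is redundant, and the variable is presumably inert for the custom `smardigo/keycloak` image — worth confirming before leaving `debug: true` in the default values. A `livenessProbe` with `periodSeconds: 1` and `failureThreshold: 3` restarts the container after three slow seconds; a period of 10 seconds is the conventional choice and avoids restart storms under load.
```yaml
    spec:
      imagePullSecrets:
        {{- range .Values.keycloak.image.pullSecrets }}
        - name: {{ . | quote }}
        {{- end }}
      securityContext:
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: keycloak
          securityContext:
            runAsUser: 1000
            runAsNonRoot: true
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
          # … unchanged: envFrom, env, ports, resources, probes, image …
          args: {{- toYaml .Values.keycloak.args | nindent 12 }}
```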
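Review bot: `host:` and the `tls.hosts` entry render `.Values.keycloak.ingress.hostname` unquoted; an empty value becomes `null` and an unusual one can break the template, so use `{{ .Values.keycloak.ingress.hostname | quote }}` in both places. `ingressClassName: nginx` is fixed while the annotations are fully configurable — a `.Values.keycloak.ingress.className` defaulting to `nginx` would match the rest of the file's style. Note also that the `tls` block expects nginx to terminate TLS, which has to agree with the annotations supplied from values.yaml.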
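Review bot: The comment `# allow traffic from minio-operator NS to current NS across all ports` does not describe this policy, which admits any pod in the `ingress` namespace to the keycloak pods on every port; replace it with `# allow the ingress-nginx namespace to reach keycloak pods on the http port` and restrict the rule to the container port with `ports:` / `- port: 8080` / `protocol: TCP`. The `namespaceSelector` alone matches every pod in that namespace, not only the controller; adding a `podSelector` for the controller's labels would narrow it further (label names depend on the controller install, so verify before adding). Because this policy selects the keycloak pods, it also isolates them from all other ingress, including any in-cluster metrics scraping — presumably intended, but worth stating in the comment.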
+++ b/templates/keycloak/service.yaml @@ -0,0 +1,14 @@ +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/name: keycloak + name: keycloak +spec: + ports: + - name: http + port: 8080 + protocol: TCP + targetPort: 8080 + selector: + app.kubernetes.io/name: keycloak diff --git a/templates/servicemonitor_s3_minio.yaml b/templates/servicemonitor_s3_minio.yaml new file mode 100644 index 0000000..0673fd5 --- /dev/null +++ b/templates/servicemonitor_s3_minio.yaml @@ -0,0 +1,27 @@ +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: minio + labels: + release: kube-prometheus-stack + v1.min.io/tenant: {{ .Values.tenant.tenant.name }} +spec: + jobLabel: minio-{{ .Release.Name }} + selector: + matchLabels: + v1.min.io/tenant: {{ .Values.tenant.tenant.name }} + endpoints: + - port: https-minio + interval: 30s + scrapeTimeout: 10s + path: /minio/v2/metrics/cluster + scheme: https + tlsConfig: + insecureSkipVerify: true + - port: https-minio + interval: 30s + scrapeTimeout: 10s + path: /minio/v2/metrics/node + scheme: https + tlsConfig: + insecureSkipVerify: true diff --git a/values.yaml b/values.yaml index b29dbf0..6184e14 100644 --- a/values.yaml +++ b/values.yaml @@ -1,6 +1,6 @@ global: prometheus: - release_label: kube-prometheus-stack + release_label: &prometheusStackDiscoveryLabel kube-prometheus-stack tenant: tenant: @@ -72,7 +72,7 @@ postgres: basebackup: timeThreshold: 86400 teamLabel: '' # empty but no defined alertmanager receiver => catchall devops-team - name: postgres-cluster + name: &pg_cluster_name postgres-cluster spec: teamId: "postgres" volume: @@ -83,7 +83,7 @@ postgres: - superuser - createdb databases: - keycloak: keycloak_admin + keycloak: &database_username keycloak_admin preparedDatabases: keycloak: {} postgresql: 
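Review bot: Both endpoints set `tlsConfig.insecureSkipVerify: true`, so Prometheus scrapes the MinIO metrics over TLS without verifying the server certificate and a redirected or spoofed endpoint would be accepted; prefer pointing `tlsConfig.ca` at the tenant's CA (`ca.secret` or `ca.configMap`) or at least setting `serverName`, and keep `insecureSkipVerify` only behind an explicit value toggle. The `release: kube-prometheus-stack` label is hard-coded while values.yaml carries `global.prometheus.release_label` (this commit even anchors it), so use `release: {{ .Values.global.prometheus.release_label | quote }}` or the monitor silently stops being discovered when the release label changes. `{{ .Values.tenant.tenant.name }}` is emitted unquoted in both label positions and should be `| quote`d as well. Since this commit deletes the editor swap file of this very template, the new empty `.helmignore` is the place to add `*.swp` so such files never ship in a packaged chart again.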
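Review bot: The three anchors added in the values.yaml hunks (`&prometheusStackDiscoveryLabel`, `&pg_cluster_name`, `&database_username`) are never aliased in the visible hunks, and anchors in values.yaml are resolved by the YAML parser before Helm sees the data, so they cannot be referenced from templates at all — only by `*alias` within values.yaml itself. If the intent is to reuse the cluster and user names in templates (for example to build the Zalando credentials Secret name used in deployment_keycloak.yaml), expose them as ordinary values and reference those with `.Values.…`; otherwise drop the anchors to keep the file greppable. This note covers all three `@@ -1`, `@@ -72` and `@@ -83` hunks of values.yaml.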
@@ -117,3 +117,26 @@ prometheus-postgres-exporter: datasourceSecret: name: postgres-exporter-database-connection key: datasource + +keycloak: + image: + registry: prodnso-harbor-01.smardigo.digital + repository: smardigo/keycloak + tag: 20.0.2.1 + pullSecrets: + - harbor-pull-secret + debug: true + args: + - "start" + httpRelativePath: "/auth/" + ingress: + enabled: true + hostname: keycloak-prodwork01.smardigo.digital + annotations: + cert-manager.io/cluster-issuer: letsencrypt-prod + cert-manager.io/issue-temporary-certificate: "true" + nginx.ingress.kubernetes.io/backend-protocol: HTTP + nginx.ingress.kubernetes.io/force-ssl-redirect: "true" + nginx.ingress.kubernetes.io/ssl-passthrough: "true" + nginx.ingress.kubernetes.io/whitelist-source-range: >- + 212.121.131.106/32,149.233.6.129/32,46.245.219.98/32,164.138.195.162/32,195.201.31.227/32,167.235.150.201/32,167.235.150.198/32,167.235.150.195/32,167.235.150.133/32,167.235.150.197/32,23.88.53.161/32,195.201.113.110/32,5.75.184.216/32,195.201.127.50/32,164.92.251.253/32
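Review bot: The ingress annotations contradict each other — `nginx.ingress.kubernetes.io/ssl-passthrough: "true"` tells nginx to forward the raw TLS stream to the backend, while `backend-protocol: HTTP`, the `tls:` block in ingress.yaml, the cert-manager annotations and `KC_PROXY: edge` all assume nginx terminates TLS and speaks plain HTTP to port 8080. If the controller runs with passthrough enabled the service receives TLS on a plaintext port and fails; if it does not, the annotation is silently ignored — either way remove `ssl-passthrough` and keep `force-ssl-redirect`. `image.debug: true` in the default values enables the debug env var in every environment; default it to `false` and override where needed. Quoting the image tag (`tag: "20.0.2.1"`) guards against a future two-component tag being read as a float. `keycloak.args` and `keycloak.image.pullSecrets` are declared here but not consumed by deployment_keycloak.yaml as written.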