DEV-898: added self-built Keycloak manifests, since it could not be brought up and running with the bitnami helm chart

main
friedrich goerz 3 years ago
parent 840b7286e1
commit 264c2992e2

@ -15,7 +15,7 @@ type: application
# This is the chart version. This version number should be incremented each time you make changes # This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version. # to the chart and its templates, including the app version.
# Versions are expected to follow Semantic Versioning (https://semver.org/) # Versions are expected to follow Semantic Versioning (https://semver.org/)
version: 0.1.3 version: 0.1.5
# This is the version number of the application being deployed. This version number should be # This is the version number of the application being deployed. This version number should be
# incremented each time you make changes to the application. Versions are not expected to # incremented each time you make changes to the application. Versions are not expected to

@ -15,14 +15,18 @@ prometheusPgExporter:
pgHostname: ENC[AES256_GCM,data:Xgl4RtvBuYzmWl+tV8ToJA==,iv:tbS5JBttZIqvB51UpWuyI3JYqSfrqFamgsCVQ2KMiRI=,tag:KgrBmMRch+IcSEeA5vSNuQ==,type:str] pgHostname: ENC[AES256_GCM,data:Xgl4RtvBuYzmWl+tV8ToJA==,iv:tbS5JBttZIqvB51UpWuyI3JYqSfrqFamgsCVQ2KMiRI=,tag:KgrBmMRch+IcSEeA5vSNuQ==,type:str]
pgUsername: ENC[AES256_GCM,data:V/8m4/VKT2XTT8ySXpQv/yI=,iv:Ydus78HYDIOi9/9huFTL9GNp9oIRWOLgi/PAtCD8gvU=,tag:hFADQ/wqfLbZNjxNYs/fiA==,type:str] pgUsername: ENC[AES256_GCM,data:V/8m4/VKT2XTT8ySXpQv/yI=,iv:Ydus78HYDIOi9/9huFTL9GNp9oIRWOLgi/PAtCD8gvU=,tag:hFADQ/wqfLbZNjxNYs/fiA==,type:str]
pgPassword: ENC[AES256_GCM,data:RPGwtcStH9qcQSaFGncuFwoHMA1A29lnhIuovC3ZB3s=,iv:Ne/3uW3Wy4tuG4IJaqwvz45dmxA5Gw+laicqeLJzLzo=,tag:3epeENbw3HJd69VN2xgVvA==,type:str] pgPassword: ENC[AES256_GCM,data:RPGwtcStH9qcQSaFGncuFwoHMA1A29lnhIuovC3ZB3s=,iv:Ne/3uW3Wy4tuG4IJaqwvz45dmxA5Gw+laicqeLJzLzo=,tag:3epeENbw3HJd69VN2xgVvA==,type:str]
keycloak:
auth:
adminUser: ENC[AES256_GCM,data:+egmbHzbaftvlJE3kPs=,iv:c8yMQu3R9uSMI8vnLbJK30Aa9EgCECydgltJBZBBjxo=,tag:0JSM/QLts0w+B2yPuxlTSw==,type:str]
adminPassword: ENC[AES256_GCM,data:Rd17pq1ouwsV65wFOiv4lPrHYJg=,iv:TXCzLBfD7AsqsrfN5E341bUANTWmTLvbB91p+0Zs3Tw=,tag:WKW6iRVddxFzrZMDZQMDFg==,type:str]
sops: sops:
kms: [] kms: []
gcp_kms: [] gcp_kms: []
azure_kv: [] azure_kv: []
hc_vault: [] hc_vault: []
age: [] age: []
lastmodified: "2023-03-02T16:15:25Z" lastmodified: "2023-03-02T19:12:40Z"
mac: ENC[AES256_GCM,data:WQB3HtUCm7xq4ODhO1vdKXDv8ZIWneJ5ZAa6WZAUsbN3W+r7Iin39eqj9guvSaoUBM5n+QNeQbNV5PoUkujd/jyaUyqKf0x02Ilb8wLJwZAl4EsgloZGBE3J4Sx7m/L8qhy4YYYLKP83KuaI6wWLiKi9usR2bDuCBnt4/N926vI=,iv:83lD9MaBoS20xHzUrtrLgf3PQTwTX924BYu8IKimu+M=,tag:8h53wTt6Ej/qXdIhZWLtjQ==,type:str] mac: ENC[AES256_GCM,data:BOYmdhvmrEMuzEb99rCsWteKiKD7wwjyhQWCKdyrXqQSSCqInQmAL1LfwfwHQNpFRTy8n9T7BHQI4GcHIHH/8hJA9L8uBQcgnvbMaQu4wKH9Q5996692re8Aa1yDPrxvwNVx+36/dlyV8YTFabn7EVjtBFLd92GdjkRl2MkfMMw=,iv:9506PK1Q5TQc9y/RvP/pXVzymHycYzXDH+O9vDqqmuo=,tag:Ct5rMQ3wMJuFWvMxaXjZYQ==,type:str]
pgp: pgp:
- created_at: "2023-03-02T14:39:34Z" - created_at: "2023-03-02T14:39:34Z"
enc: | enc: |

@ -0,0 +1,10 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: keycloak-cm-envvars
data:
KC_LOG_LEVEL: {{ .Values.keycloak.logLevel | default "INFO" }}
KC_PROXY: edge
KC_HOSTNAME: "keycloak-prodwork01.smardigo.digital"
KC_DB: "postgres"
KC_DB_URL: "jdbc:postgresql://postgres-cluster:5432/keycloak"
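Review bot: `KC_LOG_LEVEL: {{ .Values.keycloak.logLevel | default "INFO" }}` renders an unquoted scalar, so a level such as `off` or `no` becomes a YAML boolean and the API server rejects the ConfigMap because `data` values must be strings; write `KC_LOG_LEVEL: {{ .Values.keycloak.logLevel | default "INFO" | quote }}`, and note that `logLevel` is not declared in the values hunk of this commit, so the default is what ships. `KC_HOSTNAME` repeats `keycloak.ingress.hostname` as a literal; `KC_HOSTNAME: {{ .Values.keycloak.ingress.hostname | quote }}` keeps the two from drifting, and `KC_DB_URL` could likewise take the cluster name from values rather than hardcoding `postgres-cluster`. The probes in the Deployment template request `{{ .Values.keycloak.httpRelativePath }}…` (`/auth/`), but nothing here sets `KC_HTTP_RELATIVE_PATH`; unless the custom image bakes that in, Keycloak 20 serves at `/` and those probes will 404.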

@ -0,0 +1,86 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app.kubernetes.io/name: keycloak
name: keycloak
spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/name: keycloak
template:
metadata:
labels:
app.kubernetes.io/name: keycloak
spec:
imagePullSecrets:
- name: harbor-pull-secret
securityContext: {}
containers:
-
securityContext:
runAsUser: 1000
runAsNonRoot: true
allowPrivilegeEscalation: False
capabilities:
drop: ["ALL"]
envFrom:
- configMapRef:
name: keycloak-cm-envvars
- secretRef:
name: keycloak-secret-envvars
env:
- name: KC_DB_PASSWORD
valueFrom:
secretKeyRef:
name: keycloak-admin.postgres-cluster.credentials.postgresql.acid.zalan.do
key: password
- name: KC_DB_USERNAME
valueFrom:
secretKeyRef:
name: keycloak-admin.postgres-cluster.credentials.postgresql.acid.zalan.do
key: username
{{- if .Values.keycloak.image.debug }}
- name: BITNAMI_DEBUG
value: {{ ternary "true" "false" .Values.keycloak.image.debug | quote }}
{{- end }}
ports:
- name: http
containerPort: 8080
- name: https
containerPort: 8443
{{- if .Values.keycloak.resources }}
resources: {{- toYaml .Values.keycloak.resources | nindent 12 }}
{{- end }}
readinessProbe:
httpGet:
path: {{ .Values.keycloak.httpRelativePath }}realms/master
port: http
initialDelaySeconds: 30
periodSeconds: 1
timeoutSeconds: 5
failureThreshold: 3
successThreshold: 1
livenessProbe:
httpGet:
path: {{ .Values.keycloak.httpRelativePath }}
port: http
periodSeconds: 1
timeoutSeconds: 5
failureThreshold: 3
successThreshold: 1
startupProbe:
httpGet:
path: {{ .Values.keycloak.httpRelativePath }}
port: http
initialDelaySeconds: 30
periodSeconds: 5
timeoutSeconds: 1
failureThreshold: 60
successThreshold: 1
image: {{ .Values.keycloak.image.registry }}/{{ .Values.keycloak.image.repository }}:{{ .Values.keycloak.image.tag }}
args:
- "start"
name: keycloak
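Review bot: `livenessProbe` with `periodSeconds: 1` and `failureThreshold: 3` restarts the container after roughly three seconds of slow responses, which a JVM GC pause or a realm import can easily exceed; the readiness probe is just as tight, and both have `timeoutSeconds: 5` larger than the period, so probes overlap. Something like `periodSeconds: 10`, `timeoutSeconds: 5`, `failureThreshold: 3` is the usual shape, and with `KC_HEALTH_ENABLED=true` in the ConfigMap the probes could use Keycloak's `/health/live` and `/health/ready` endpoints instead of the relative-path root. The pod hardcodes `harbor-pull-secret` and `args: ["start"]` although the same commit adds `keycloak.image.pullSecrets` and `keycloak.args` to values.yaml, so those values are dead; render them instead. `allowPrivilegeEscalation: False` parses, but the capitalised boolean differs from the `true`/`false` used elsewhere in the file, and the pod-level `securityContext: {}` could carry `seccompProfile: {type: RuntimeDefault}` so the pod satisfies the restricted Pod Security Standard. The `BITNAMI_DEBUG` block is a leftover from the Bitnami chart and is presumably inert on the custom `smardigo/keycloak` image.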

@ -0,0 +1,26 @@
{{- if .Values.keycloak.ingress.enabled }}
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
{{- if .Values.keycloak.ingress.annotations }}
annotations: {{- toYaml .Values.keycloak.ingress.annotations | nindent 6 }}
{{- end }}
name: keycloak-ingress
spec:
ingressClassName: nginx
rules:
- host: {{ .Values.keycloak.ingress.hostname }}
http:
paths:
- backend:
service:
name: keycloak
port:
name: http
path: /
pathType: Prefix
tls:
- hosts:
- {{ .Values.keycloak.ingress.hostname }}
secretName: keycloak-ingress-cert
{{- end }}
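Review bot: `host: {{ .Values.keycloak.ingress.hostname }}` and the `tls.hosts` entry render the hostname as an unquoted plain scalar, so an empty or indicator-leading value silently produces `null` or a parse error; write `- host: {{ required "keycloak.ingress.hostname is required" .Values.keycloak.ingress.hostname | quote }}` and `- {{ .Values.keycloak.ingress.hostname | quote }}`. `ingressClassName: nginx` is hardcoded while the annotations are value-driven; exposing it as `keycloak.ingress.className` would keep the two consistent.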

@ -0,0 +1,16 @@
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: ingress-nginx2keycloak
# allow traffic from minio-operator NS to current NS across all ports
spec:
ingress:
- from:
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: ingress
podSelector:
matchLabels:
app.kubernetes.io/name: keycloak
policyTypes:
- Ingress
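Review bot: The comment `# allow traffic from minio-operator NS to current NS across all ports` is copied from another policy; this one admits traffic from the namespace labelled `kubernetes.io/metadata.name: ingress` to the Keycloak pods, so change it to `# allow ingress-nginx (namespace "ingress") to reach the keycloak pods`. The rule has no `ports:` list, so every port of the pod is opened to that namespace, including 8443 which the Service never exposes; add `ports: [{protocol: TCP, port: 8080}]` under the rule. The rendered view has lost indentation, so I cannot tell whether `podSelector` sits under `spec` (selecting the Keycloak pods, which is what is needed and what the API requires) or inside the `from` peer (where it would require pods labelled keycloak inside the ingress namespace and leave `spec.podSelector` missing); please confirm it is at `spec` level.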

@ -0,0 +1,7 @@
apiVersion: v1
kind: Secret
metadata:
name: keycloak-secret-envvars
stringData:
KEYCLOAK_ADMIN: {{ .Values.keycloak.auth.adminUser | quote }}
KEYCLOAK_ADMIN_PASSWORD: {{ .Values.keycloak.auth.adminPassword | quote }}
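Review bot: `KEYCLOAK_ADMIN_PASSWORD: {{ .Values.keycloak.auth.adminPassword | quote }}` renders `""` when the value is absent, for example when the SOPS-encrypted values file is not decrypted or not passed to helm, so the release installs with an empty bootstrap credential instead of failing at render time; use `{{ required "keycloak.auth.adminPassword must be set" .Values.keycloak.auth.adminPassword | quote }}` and the same for `adminUser`. Note also that the rendered manifest, password included, is persisted in the Helm release Secret in the cluster, so anyone able to read release Secrets can read it; that is normal for Helm but worth knowing given the values are otherwise kept SOPS-encrypted.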

@ -0,0 +1,14 @@
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/name: keycloak
name: keycloak
spec:
ports:
- name: http
port: 8080
protocol: TCP
targetPort: 8080
selector:
app.kubernetes.io/name: keycloak

@ -0,0 +1,27 @@
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: minio
labels:
release: kube-prometheus-stack
v1.min.io/tenant: {{ .Values.tenant.tenant.name }}
spec:
jobLabel: minio-{{ .Release.Name }}
selector:
matchLabels:
v1.min.io/tenant: {{ .Values.tenant.tenant.name }}
endpoints:
- port: https-minio
interval: 30s
scrapeTimeout: 10s
path: /minio/v2/metrics/cluster
scheme: https
tlsConfig:
insecureSkipVerify: true
- port: https-minio
interval: 30s
scrapeTimeout: 10s
path: /minio/v2/metrics/node
scheme: https
tlsConfig:
insecureSkipVerify: true
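Review bot: This ServiceMonitor targets the MinIO tenant (`v1.min.io/tenant`, port `https-minio`, `/minio/v2/metrics/...`) and is named `minio`, not Keycloak, so it looks misplaced in a commit that adds Keycloak manifests; if it is meant to live here, its hardcoded `release: kube-prometheus-stack` label should come from `{{ .Values.global.prometheus.release_label }}`, which this same commit anchors in values.yaml. Both endpoints set `tlsConfig.insecureSkipVerify: true`, which disables certificate verification for the scrape; if the tenant's CA is available, reference it via `tlsConfig.ca.secret` together with `serverName` so a spoofed in-cluster endpoint cannot feed fake metrics.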

@ -1,6 +1,6 @@
global: global:
prometheus: prometheus:
release_label: kube-prometheus-stack release_label: &prometheusStackDiscoveryLabel kube-prometheus-stack
tenant: tenant:
tenant: tenant:
@ -72,7 +72,7 @@ postgres:
basebackup: basebackup:
timeThreshold: 86400 timeThreshold: 86400
teamLabel: '' # empty but no defined alertmanager receiver => catchall devops-team teamLabel: '' # empty but no defined alertmanager receiver => catchall devops-team
name: postgres-cluster name: &pg_cluster_name postgres-cluster
spec: spec:
teamId: "postgres" teamId: "postgres"
volume: volume:
@ -83,7 +83,7 @@ postgres:
- superuser - superuser
- createdb - createdb
databases: databases:
keycloak: keycloak_admin keycloak: &database_username keycloak_admin
preparedDatabases: preparedDatabases:
keycloak: {} keycloak: {}
postgresql: postgresql:
@ -117,3 +117,26 @@ prometheus-postgres-exporter:
datasourceSecret: datasourceSecret:
name: postgres-exporter-database-connection name: postgres-exporter-database-connection
key: datasource key: datasource
keycloak:
image:
registry: prodnso-harbor-01.smardigo.digital
repository: smardigo/keycloak
tag: 20.0.2.1
pullSecrets:
- harbor-pull-secret
debug: true
args:
- "start"
httpRelativePath: "/auth/"
ingress:
enabled: true
hostname: keycloak-prodwork01.smardigo.digital
annotations:
cert-manager.io/cluster-issuer: letsencrypt-prod
cert-manager.io/issue-temporary-certificate: "true"
nginx.ingress.kubernetes.io/backend-protocol: HTTP
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
nginx.ingress.kubernetes.io/ssl-passthrough: "true"
nginx.ingress.kubernetes.io/whitelist-source-range: >-
212.121.131.106/32,149.233.6.129/32,46.245.219.98/32,164.138.195.162/32,195.201.31.227/32,167.235.150.201/32,167.235.150.198/32,167.235.150.195/32,167.235.150.133/32,167.235.150.197/32,23.88.53.161/32,195.201.113.110/32,5.75.184.216/32,195.201.127.50/32,164.92.251.253/32
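Review bot: `nginx.ingress.kubernetes.io/ssl-passthrough: "true"` conflicts with `backend-protocol: HTTP`, with `KC_PROXY: edge` and with the Service, which only exposes 8080/http: if the controller runs with `--enable-ssl-passthrough`, ingress-nginx proxies at the TCP layer and documents that this invalidates the other annotations on the Ingress, so `force-ssl-redirect` and the `whitelist-source-range` allowlist stop applying and the pod would have to terminate TLS itself; if the flag is not set, the annotation is ignored. Either way it should be removed, with cert-manager continuing to issue `keycloak-ingress-cert` for termination at the ingress. `debug: true` under `image` enables debug output in what the hostname suggests is a production environment; consider defaulting it to `false`. The anchors `&prometheusStackDiscoveryLabel`, `&pg_cluster_name` and `&database_username` added in the earlier hunks of this file have no `*alias` anywhere in this diff; if nothing else in values.yaml references them they only add noise, and templates cannot use YAML anchors in any case.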
