[incubator/keycloak] Add miscellaneous improvements

* Update Keycloak to 3.4.3.Final
* Use nc to check for PostgreSQL availability in order to avoid
  RBAC configurations
* Allow additional volumes and mounts to be configured
* Allow custom pre-start script to be configured
* Improve affinity configuration
* Add security context
* Update _helpers.tpl
* Only add environment variables for Keycloak credentials on
  install. They are only needed for creating the intial user.
  This avoids an error in the logs
* Add pod disruption budget
* Make test more robust

incubator/keycloak/Chart.yaml

@@ -1,6 +1,6 @@
 name: keycloak
-version: 0.3.0
-appVersion: 3.4.0.Final
+version: 0.4.0
+appVersion: 3.4.3.Final
 description: Open Source Identity and Access Management For Modern Applications and Services
 keywords:
   - authentication

incubator/keycloak/README.md

@@ -42,21 +42,26 @@ The following table lists the configurable parameters of the Keycloak chart and
 
 Parameter | Description | Default
 --- | --- | ---
-`hyperkube.image.repository` | Hyperkube image repository | `quay.io/coreos/hyperkube`
-`hyperkube.image.tag` | Hyperkube image tag | `v1.8.1_coreos.0`
-`hyperkube.image.pullPolicy` | Hyperkube image pull policy | `IfNotPresent`
+`init.image.repository` | Init image repository | `alpine`
+`init.image.tag` | Init image tag | `3.6`
+`init.image.pullPolicy` | Init image pull policy | `IfNotPresent`
 `keycloak.replicas` | The number of Keycloak replicas | `1`
 `keycloak.image.repository` | The Keycloak image repository | `jboss/keycloak`
-`keycloak.image.tag` | The Keycloak image tag | `3.4.0.Final`
+`keycloak.image.tag` | The Keycloak image tag | `3.4.3.Final`
 `keycloak.image.pullPolicy` | The Keycloak image pull policy | `IfNotPresent`
 `keycloak.image.pullSecrets`| Specify image pull secrets | `nil` (does not add image pull secrets to deployed pods) |
 `keycloak.username` | Username for the initial Keycloak admin user | `keycloak`
 `keycloak.password` | Password for the initial Keycloak admin user. If not set, a random 10 characters password is created | `""`
-`keycloak.additionalEnv` | Allows the specification of additional environment variables for Keycloak | `[]`
+`keycloak.extraEnv` | Allows the specification of additional environment variables for Keycloak | `[]`
+`keycloak.extraVolumeMounts` | Add additional volumes mounts, e. g. for custom themes | `[]`
+`keycloak.extraVolumes` | Add additional volumes, e. g. for custom themes | `[]`
+`keycloak.podDisruptionBudget` | Pod disruption budget | `{}`
 `keycloak.resources` | Pod resource requests and limits | `{}`
-`keycloak.podAntiAffinity` | Pod anti-affinity (`soft` or `hard`) | `soft`
+`keycloak.affinity` | Pod affinity | ``
 `keycloak.nodeSelector` | Node labels for pod assignment | `{}`
 `keycloak.tolerations` | Node taints to tolerate | `[]`
+`keycloak.securityContext` | Security context for the pod | `{runAsUser: 1000, fsGroup: 1000, runAsNonRoot: true}`
+`keycloak.preStartScript` | Custom script to run before Keycloak starts up | ``
 `keycloak.cli.nodeIdentifier` | WildFly CLI script for setting the node identifier | See `values.yaml`
 `keycloak.cli.logging` | WildFly CLI script for logging configuration | See `values.yaml`
 `keycloak.cli.reverseProxy` | WildFly CLI script for reverse proxy configuration | See `values.yaml`
@@ -87,9 +92,6 @@ Parameter | Description | Default
 `postgresql.postgresUser` | The PostgreSQL user (if `keycloak.persistence.deployPostgres=true`) | `keycloak`
 `postgresql.postgresPassword` | The PostgreSQL password (if `keycloak.persistence.deployPostgres=true`) | `""`
 `postgresql.postgresDatabase` | The PostgreSQL database (if `keycloak.persistence.deployPostgres=true`) | `keycloak`
-`rbac.create` | Specifies whether RBAC resources should be created | `true`
-`serviceAccount.create` | Specifies whether a ServiceAccount should be created | `true`
-`serviceAccount.name` | The name of the ServiceAccount to use. If not set and create is true, a name is generated using the fullname template | `""`
 `test.image.repository` | Test image repository | `unguiculus/docker-python3-phantomjs-selenium`
 `test.image.tag` | Test image tag | `v1`
 `test.image.pullPolicy` | Test image pull policy | `IfNotPresent`
@@ -144,7 +146,7 @@ See also:
 
 ```yaml
 keycloak:
-  additionalEnv:
+  extraEnv:
     - name: KEYCLOAK_LOGLEVEL
       value: : DEBUG
     - name: WILDFLY_LOGLEVEL

incubator/keycloak/templates/NOTES.txt

@@ -1,49 +1,52 @@
 
-1. Keycloak can be accessed:
+Keycloak can be accessed:
 
-   * Within your cluster, at the following DNS name at port {{ .Values.keycloak.service.port }}:
+* Within your cluster, at the following DNS name at port {{ .Values.keycloak.service.port }}:
 
-     {{ template "keycloak.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local
+  {{ template "keycloak.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local
 
 {{- if .Values.keycloak.ingress.enabled }}
 
-   * From outside the cluster:
+* From outside the cluster:
 
-    {{- range .Values.keycloak.ingress.hosts }}
-       - http{{ if $.Values.keycloak.ingress.tls.enabled }}s{{ end }}://{{ . }}
-    {{- end }}
+{{- range .Values.keycloak.ingress.hosts }}
+  - http{{ if $.Values.keycloak.ingress.tls.enabled }}s{{ end }}://{{ . }}
+{{- end }}
 
 {{- else }}
 
-   * From outside the cluster, run these commands in the same shell:
+* From outside the cluster, run these commands in the same shell:
 
-  {{- if contains "NodePort" .Values.keycloak.service.type }}
+{{- if contains "NodePort" .Values.keycloak.service.type }}
 
-     export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ template "keycloak.fullname" . }})
-     export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
-     echo http://$NODE_IP:$NODE_PORT
+  export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ template "keycloak.fullname" . }})
+  export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
+  echo http://$NODE_IP:$NODE_PORT
 
-  {{- else if contains "LoadBalancer" .Values.keycloak.service.type }}
+{{- else if contains "LoadBalancer" .Values.keycloak.service.type }}
 
-      NOTE: It may take a few minutes for the LoadBalancer IP to be available.
-            You can watch the status of by running 'kubectl get svc -w {{ template "keycloak.fullname" . }}'
+  NOTE:
+  It may take a few minutes for the LoadBalancer IP to be available.
+  You can watch the status of by running 'kubectl get svc -w {{ template "keycloak.fullname" . }}'
 
-     export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ template "keycloak.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
-     echo http://$SERVICE_IP:{{ .Values.keycloak.service.port }}
+  export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ template "keycloak.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
+  echo http://$SERVICE_IP:{{ .Values.keycloak.service.port }}
 
-  {{- else if contains "ClusterIP" .Values.keycloak.service.type }}
+{{- else if contains "ClusterIP" .Values.keycloak.service.type }}
 
-     export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l app={{ template "keycloak.name" . }},release={{ .Release.Name }} -o jsonpath="{.items[0].metadata.name}")
-     echo "Visit http://127.0.0.1:8080 to use Keycloak"
-     kubectl port-forward --namespace {{ .Release.Namespace }} $POD_NAME 8080
+  export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l app={{ template "keycloak.name" . }},release={{ .Release.Name }} -o jsonpath="{.items[0].metadata.name}")
+  echo "Visit http://127.0.0.1:8080 to use Keycloak"
+  kubectl port-forward --namespace {{ .Release.Namespace }} $POD_NAME 8080
 
-  {{- end }}
+{{- end }}
 
 {{- end }}
 
-2. Login with the following credentials:
+{{- if .Release.IsInstall -}}
+Login with the following credentials:
 
-   Username: {{ .Values.keycloak.username }}
+Username: {{ .Values.keycloak.username }}
 
-   To retrieve the initial user password run:
-   kubectl get secret --namespace {{ .Release.Namespace }} {{ template "keycloak.fullname" . }}-http -o jsonpath="{.data.password}" | base64 --decode; echo
+To retrieve the initial user password run:
+kubectl get secret --namespace {{ .Release.Namespace }} {{ template "keycloak.fullname" . }}-http -o jsonpath="{.data.password}" | base64 --decode; echo
+{{- end }}

incubator/keycloak/templates/_helpers.tpl

@@ -12,18 +12,31 @@ We truncate to 20 characters because this is used to set the node identifier in
 23 characters. This allows for a replica suffix for up to 99 replicas.
 */}}
 {{- define "keycloak.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 20 | trimSuffix "-" -}}
+{{- else -}}
 {{- $name := default .Chart.Name .Values.nameOverride -}}
-{{- $fullname := printf "%s-%s" $name .Release.Name -}}
-{{- default $fullname .Values.fullnameOverride | trunc 20 | trimSuffix "-" -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 20 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 20 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
 {{- end -}}
 
 {{/*
-Create a default fully qualified postgresql name.
-We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "keycloak.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name for the postgres requirement.
 */}}
 {{- define "keycloak.postgresql.fullname" -}}
-{{- $name := default "postgresql" .Values.postgresql.nameOverride -}}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- $postgresContext := dict "Values" .Values.postgresql "Release" .Release "Chart" (dict "Name" "postgresql") -}}
+{{ template "postgresql.fullname" $postgresContext }}
 {{- end -}}
 
 {{/*
@@ -96,13 +109,3 @@ Create environment variables for database configuration.
 {{- end }}
 {{- end -}}
 
-{{/*
-Create the name of the service account to use
-*/}}
-{{- define "keycloak.serviceAccountName" -}}
-  {{- if .Values.serviceAccount.create -}}
-      {{ default (include "keycloak.fullname" .) .Values.serviceAccount.name }}
-  {{- else -}}
-      {{ default "default" .Values.serviceAccount.name }}
-  {{- end -}}
-{{- end -}}

incubator/keycloak/templates/configmap.yaml

@@ -5,52 +5,27 @@ metadata:
   name: {{ template "keycloak.fullname" . }}
   labels:
     app: {{ template "keycloak.name" . }}
-    chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+    chart: {{ template "keycloak.chart" . }}
     release: "{{ .Release.Name }}"
     heritage: "{{ .Release.Service }}"
 data:
-{{- if .Values.keycloak.persistence.deployPostgres }}
-  wait_for_postgresql.sh: |
-    #!/usr/bin/env bash
-
-    set -eu
-
-    pod_labels="${1?Please specify PostgreSQL labels}"
-    max_retries=30
-    retry_count=0
-    sleep_secs=2
-    ready_pods=
-
-    echo 'Polling for PostgreSQL readiness...'
-
-    while [ -z "$ready_pods" ] && [ "$retry_count" -lt "$max_retries" ]; do
-        ready_pods=$(kubectl get pods -l "$pod_labels" -o jsonpath="{.items[*].status.containerStatuses[?(@.ready==true)].name}")
-        retry_count=$((retry_count + 1))
-        sleep "$sleep_secs"
-    done
-
-    if [ -z "$ready_pods" ]; then
-        echo "ERROR: Timeout waiting for PostgreSQL to start up." >&2
-        exit 1
-    fi
-
-    echo "PostgreSQL ready!"
-{{- end }}
-
   keycloak.sh: |
     #!/usr/bin/env bash
 
     set -eu
 
     /opt/jboss/keycloak/bin/jboss-cli.sh --file=/scripts/keycloak.cli
 
-    args=(-b 0.0.0.0{{ if $highAvailability }} --server-config standalone-ha.xml{{ end }})
+  {{- with .Values.keycloak.preStartScript }}
+    echo 'Running custom pre-start script...'
+{{ . | indent 4 }}
+  {{- end }}
 
-    exec /opt/jboss/docker-entrypoint.sh "${args[@]}"
+    exec /opt/jboss/docker-entrypoint.sh -b 0.0.0.0 {{- if $highAvailability }} --server-config standalone-ha.xml{{ end }}
     exit "$?"
 
   keycloak.cli: |
-    embed-server{{ if $highAvailability }} --server-config=standalone-ha.xml{{ end }} --std-out=echo
+    embed-server {{- if $highAvailability }} --server-config=standalone-ha.xml{{ end }} --std-out=echo
 
 {{- $cli := .Values.keycloak.cli }}
 
@@ -64,8 +39,8 @@ data:
 {{ $cli.discovery | indent 4 }}
 {{- end }}
 
-{{- if $cli.custom }}
-{{ $cli.custom | indent 4 }}
+{{- with $cli.custom }}
+{{ . | indent 4 }}
 {{- end }}
 
     stop-embedded-server

incubator/keycloak/templates/db-secret.yaml

@@ -5,7 +5,7 @@ metadata:
   name: {{ template "keycloak.fullname" . }}-db
   labels:
     app: {{ template "keycloak.name" . }}
-    chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+    chart: {{ template "keycloak.chart" . }}
     heritage: {{ .Release.Service }}
     release: {{ .Release.Name }}
 type: Opaque

incubator/keycloak/templates/headless-service.yaml

@@ -4,7 +4,7 @@ metadata:
   name: {{ template "keycloak.fullname" . }}-headless
   labels:
     app: {{ template "keycloak.name" . }}
-    chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+    chart: {{ template "keycloak.chart" . }}
     release: "{{ .Release.Name }}"
     heritage: "{{ .Release.Service }}"
 spec:

incubator/keycloak/templates/http-service.yaml

@@ -3,17 +3,17 @@ apiVersion: v1
 kind: Service
 metadata:
   name: {{ template "keycloak.fullname" . }}-http
-{{- if $service.annotations }}
+{{- with $service.annotations }}
   annotations:
-{{ toYaml $service.annotations | indent 4 }}
+{{ toYaml . | indent 4 }}
 {{- end }}
   labels:
     app: {{ template "keycloak.name" . }}
-    chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+    chart: {{ template "keycloak.chart" . }}
     release: "{{ .Release.Name }}"
     heritage: "{{ .Release.Service }}"
-{{- if $service.labels }}
-{{ toYaml $service.labels | indent 4 }}
+{{- with $service.labels }}
+{{ toYaml . | indent 4 }}
 {{- end }}
 spec:
   type: {{ $service.type }}

incubator/keycloak/templates/ingress.yaml

@@ -4,13 +4,13 @@ apiVersion: extensions/v1beta1
 kind: Ingress
 metadata:
   name: {{ template "keycloak.fullname" . }}
-{{- if $ingress.annotations }}
+{{- with $ingress.annotations }}
   annotations:
-{{ toYaml $ingress.annotations | indent 4 }}
+{{ toYaml . | indent 4 }}
 {{- end }}
   labels:
     app: {{ template "keycloak.name" . }}
-    chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+    chart: {{ template "keycloak.chart" . }}
     heritage: {{ .Release.Service }}
     release: {{ .Release.Name }}
 spec:

incubator/keycloak/templates/keycloak-secret.yaml

@@ -1,16 +1,17 @@
+
 apiVersion: v1
 kind: Secret
 metadata:
   name: {{ template "keycloak.fullname" . }}-http
   labels:
     app: {{ template "keycloak.name" . }}
-    chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+    chart: {{ template "keycloak.chart" . }}
     release: "{{ .Release.Name }}"
     heritage: "{{ .Release.Service }}"
 type: Opaque
 data:
-{{- if .Values.keycloak.password }}
-  password: {{ .Values.keycloak.password | b64enc | quote }}
+{{- with .Values.keycloak.password }}
+  password: {{ . | b64enc | quote }}
 {{- else }}
   password: {{ randAlphaNum 10 | b64enc | quote }}
 {{- end }}

incubator/keycloak/templates/poddisruptionbudget.yaml

@@ -0,0 +1,17 @@
+{{- if .Values.keycloak.podDisruptionBudget -}}
+apiVersion: policy/v1beta1
+kind: PodDisruptionBudget
+metadata:
+  labels:
+    app: {{ template "keycloak.name" . }}
+    chart: {{ template "keycloak.chart" . }}
+    heritage: {{ .Release.Service }}
+    release: {{ .Release.Name }}
+  name: {{ template "keycloak.fullname" . }}
+spec:
+  selector:
+    matchLabels:
+      app: {{ template "keycloak.name" . }}
+      release: {{ .Release.Name }}
+{{ toYaml .Values.keycloak.podDisruptionBudget | indent 2 }}
+{{- end -}}