diff --git a/incubator/keycloak/Chart.yaml b/incubator/keycloak/Chart.yaml
index 01634cafe76c..f905a4dbab8e 100644
--- a/incubator/keycloak/Chart.yaml
+++ b/incubator/keycloak/Chart.yaml
@@ -1,6 +1,6 @@
 name: keycloak
-version: 0.3.0
-appVersion: 3.4.0.Final
+version: 0.4.0
+appVersion: 3.4.3.Final
 description: Open Source Identity and Access Management For Modern Applications and Services
 keywords:
 - authentication
diff --git a/incubator/keycloak/README.md b/incubator/keycloak/README.md
index 3d58cec6dc24..cb3f81346eb9 100644
--- a/incubator/keycloak/README.md
+++ b/incubator/keycloak/README.md
@@ -42,21 +42,26 @@ The following table lists the configurable parameters of the Keycloak chart and Parameter | Description | Default --- | --- | --- -`hyperkube.image.repository` | Hyperkube image repository | `quay.io/coreos/hyperkube` -`hyperkube.image.tag` | Hyperkube image tag | `v1.8.1_coreos.0` -`hyperkube.image.pullPolicy` | Hyperkube image pull policy | `IfNotPresent` +`init.image.repository` | Init image repository | `alpine` +`init.image.tag` | Init image tag | `3.6` +`init.image.pullPolicy` | Init image pull policy | `IfNotPresent` `keycloak.replicas` | The number of Keycloak replicas | `1` `keycloak.image.repository` | The Keycloak image repository | `jboss/keycloak` -`keycloak.image.tag` | The Keycloak image tag | `3.4.0.Final` +`keycloak.image.tag` | The Keycloak image tag | `3.4.3.Final` `keycloak.image.pullPolicy` | The Keycloak image pull policy | `IfNotPresent` `keycloak.image.pullSecrets`| Specify image pull secrets | `nil` (does not add image pull secrets to deployed pods) | `keycloak.username` | Username for the initial Keycloak admin user | `keycloak` `keycloak.password` | Password for the initial Keycloak admin user. If not set, a random 10 characters password is created | `""` -`keycloak.additionalEnv` | Allows the specification of additional environment variables for Keycloak | `[]` +`keycloak.extraEnv` | Allows the specification of additional environment variables for Keycloak | `[]` +`keycloak.extraVolumeMounts` | Add additional volumes mounts, e. g. for custom themes | `[]` +`keycloak.extraVolumes` | Add additional volumes, e. g. 
for custom themes | `[]` +`keycloak.podDisruptionBudget` | Pod disruption budget | `{}` `keycloak.resources` | Pod resource requests and limits | `{}` -`keycloak.podAntiAffinity` | Pod anti-affinity (`soft` or `hard`) | `soft` +`keycloak.affinity` | Pod affinity | `` `keycloak.nodeSelector` | Node labels for pod assignment | `{}` `keycloak.tolerations` | Node taints to tolerate | `[]` +`keycloak.securityContext` | Security context for the pod | `{runAsUser: 1000, fsGroup: 1000, runAsNonRoot: true}` +`keycloak.preStartScript` | Custom script to run before Keycloak starts up | `` `keycloak.cli.nodeIdentifier` | WildFly CLI script for setting the node identifier | See `values.yaml` `keycloak.cli.logging` | WildFly CLI script for logging configuration | See `values.yaml` `keycloak.cli.reverseProxy` | WildFly CLI script for reverse proxy configuration | See `values.yaml` @@ -87,9 +92,6 @@ Parameter | Description | Default `postgresql.postgresUser` | The PostgreSQL user (if `keycloak.persistence.deployPostgres=true`) | `keycloak` `postgresql.postgresPassword` | The PostgreSQL password (if `keycloak.persistence.deployPostgres=true`) | `""` `postgresql.postgresDatabase` | The PostgreSQL database (if `keycloak.persistence.deployPostgres=true`) | `keycloak` -`rbac.create` | Specifies whether RBAC resources should be created | `true` -`serviceAccount.create` | Specifies whether a ServiceAccount should be created | `true` -`serviceAccount.name` | The name of the ServiceAccount to use. If not set and create is true, a name is generated using the fullname template | `""` `test.image.repository` | Test image repository | `unguiculus/docker-python3-phantomjs-selenium` `test.image.tag` | Test image tag | `v1` `test.image.pullPolicy` | Test image pull policy | `IfNotPresent` @@ -144,7 +146,7 @@ See also: ```yaml keycloak: - additionalEnv: + extraEnv: - name: KEYCLOAK_LOGLEVEL value: : DEBUG - name: WILDFLY_LOGLEVEL 
diff --git a/incubator/keycloak/templates/NOTES.txt b/incubator/keycloak/templates/NOTES.txt
index 353a952ecfad..097cc56d7ca0 100644
--- a/incubator/keycloak/templates/NOTES.txt
+++ b/incubator/keycloak/templates/NOTES.txt
@@ -1,49 +1,52 @@ -1. Keycloak can be accessed: +Keycloak can be accessed: - * Within your cluster, at the following DNS name at port {{ .Values.keycloak.service.port }}: +* Within your cluster, at the following DNS name at port {{ .Values.keycloak.service.port }}: - {{ template "keycloak.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local + {{ template "keycloak.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local {{- if .Values.keycloak.ingress.enabled }} - * From outside the cluster: +* From outside the cluster: - {{- range .Values.keycloak.ingress.hosts }} - - http{{ if $.Values.keycloak.ingress.tls.enabled }}s{{ end }}://{{ . }} - {{- end }} +{{- range .Values.keycloak.ingress.hosts }} + - http{{ if $.Values.keycloak.ingress.tls.enabled }}s{{ end }}://{{ . }} +{{- end }} {{- else }} - * From outside the cluster, run these commands in the same shell: +* From outside the cluster, run these commands in the same shell: - {{- if contains "NodePort" .Values.keycloak.service.type }} +{{- if contains "NodePort" .Values.keycloak.service.type }} - export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ template "keycloak.fullname" . }}) - export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") - echo http://$NODE_IP:$NODE_PORT + export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ template "keycloak.fullname" . }}) + export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") + echo http://$NODE_IP:$NODE_PORT - {{- else if contains "LoadBalancer" .Values.keycloak.service.type }} +{{- else if contains "LoadBalancer" .Values.keycloak.service.type }} - NOTE: It may take a few minutes for the LoadBalancer IP to be available. 
- You can watch the status of by running 'kubectl get svc -w {{ template "keycloak.fullname" . }}' + NOTE: + It may take a few minutes for the LoadBalancer IP to be available. + You can watch the status of by running 'kubectl get svc -w {{ template "keycloak.fullname" . }}' - export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ template "keycloak.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') - echo http://$SERVICE_IP:{{ .Values.keycloak.service.port }} + export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ template "keycloak.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') + echo http://$SERVICE_IP:{{ .Values.keycloak.service.port }} - {{- else if contains "ClusterIP" .Values.keycloak.service.type }} +{{- else if contains "ClusterIP" .Values.keycloak.service.type }} - export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l app={{ template "keycloak.name" . }},release={{ .Release.Name }} -o jsonpath="{.items[0].metadata.name}") - echo "Visit http://127.0.0.1:8080 to use Keycloak" - kubectl port-forward --namespace {{ .Release.Namespace }} $POD_NAME 8080 + export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l app={{ template "keycloak.name" . }},release={{ .Release.Name }} -o jsonpath="{.items[0].metadata.name}") + echo "Visit http://127.0.0.1:8080 to use Keycloak" + kubectl port-forward --namespace {{ .Release.Namespace }} $POD_NAME 8080 - {{- end }} +{{- end }} {{- end }} -2. Login with the following credentials: +{{- if .Release.IsInstall -}} +Login with the following credentials: - Username: {{ .Values.keycloak.username }} +Username: {{ .Values.keycloak.username }} - To retrieve the initial user password run: - kubectl get secret --namespace {{ .Release.Namespace }} {{ template "keycloak.fullname" . 
}}-http -o jsonpath="{.data.password}" | base64 --decode; echo
+To retrieve the initial user password run:
+kubectl get secret --namespace {{ .Release.Namespace }} {{ template "keycloak.fullname" . }}-http -o jsonpath="{.data.password}" | base64 --decode; echo
+{{- end }}
diff --git a/incubator/keycloak/templates/_helpers.tpl b/incubator/keycloak/templates/_helpers.tpl
index 978d80171ffe..4b845ed6aabb 100644
--- a/incubator/keycloak/templates/_helpers.tpl
+++ b/incubator/keycloak/templates/_helpers.tpl
@@ -12,18 +12,31 @@ We truncate to 20 characters because this is used to set the node identifier in 23 characters. This allows for a replica suffix for up to 99 replicas. */}} {{- define "keycloak.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 20 | trimSuffix "-" -}} +{{- else -}} {{- $name := default .Chart.Name .Values.nameOverride -}} -{{- $fullname := printf "%s-%s" $name .Release.Name -}} -{{- default $fullname .Values.fullnameOverride | trunc 20 | trimSuffix "-" -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 20 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 20 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} {{- end -}} {{/* -Create a default fully qualified postgresql name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +Create chart name and version as used by the chart label. +*/}} +{{- define "keycloak.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name for the postgres requirement. */}} {{- define "keycloak.postgresql.fullname" -}} -{{- $name := default "postgresql" .Values.postgresql.nameOverride -}} -{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- $postgresContext := dict "Values" .Values.postgresql "Release" .Release "Chart" (dict "Name" "postgresql") -}} +{{ template "postgresql.fullname" $postgresContext }} {{- end -}} {{/* @@ -96,13 +109,3 @@ Create environment variables for database configuration. {{- end }} {{- end -}} -{{/* -Create the name of the service account to use -*/}} -{{- define "keycloak.serviceAccountName" -}} - {{- if .Values.serviceAccount.create -}} - {{ default (include "keycloak.fullname" .) .Values.serviceAccount.name }} - {{- else -}} - {{ default "default" .Values.serviceAccount.name }} - {{- end -}} -{{- end -}} 
diff --git a/incubator/keycloak/templates/configmap.yaml b/incubator/keycloak/templates/configmap.yaml index 3a266914492c..12899331d082 100644 --- a/incubator/keycloak/templates/configmap.yaml +++ b/incubator/keycloak/templates/configmap.yaml @@ -5,38 +5,10 @@ metadata: name: {{ template "keycloak.fullname" . }} labels: app: {{ template "keycloak.name" . }} - chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" + chart: {{ template "keycloak.chart" . }} release: "{{ .Release.Name }}" heritage: "{{ .Release.Service }}" data: -{{- if .Values.keycloak.persistence.deployPostgres }} - wait_for_postgresql.sh: | - #!/usr/bin/env bash - - set -eu - - pod_labels="${1?Please specify PostgreSQL labels}" - max_retries=30 - retry_count=0 - sleep_secs=2 - ready_pods= - - echo 'Polling for PostgreSQL readiness...' - - while [ -z "$ready_pods" ] && [ "$retry_count" -lt "$max_retries" ]; do - ready_pods=$(kubectl get pods -l "$pod_labels" -o jsonpath="{.items[*].status.containerStatuses[?(@.ready==true)].name}") - retry_count=$((retry_count + 1)) - sleep "$sleep_secs" - done - - if [ -z "$ready_pods" ]; then - echo "ERROR: Timeout waiting for PostgreSQL to start up." >&2 - exit 1 - fi - - echo "PostgreSQL ready!" -{{- end }} - keycloak.sh: | #!/usr/bin/env bash @@ -44,13 +16,16 @@ data: /opt/jboss/keycloak/bin/jboss-cli.sh --file=/scripts/keycloak.cli - args=(-b 0.0.0.0{{ if $highAvailability }} --server-config standalone-ha.xml{{ end }}) + {{- with .Values.keycloak.preStartScript }} + echo 'Running custom pre-start script...' +{{ . | indent 4 }} + {{- end }} - exec /opt/jboss/docker-entrypoint.sh "${args[@]}" + exec /opt/jboss/docker-entrypoint.sh -b 0.0.0.0 {{- if $highAvailability }} --server-config standalone-ha.xml{{ end }} exit "$?" keycloak.cli: | - embed-server{{ if $highAvailability }} --server-config=standalone-ha.xml{{ end }} --std-out=echo + embed-server {{- if $highAvailability }} --server-config=standalone-ha.xml{{ end }} --std-out=echo {{- $cli := .Values.keycloak.cli }} 
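Review bot: The `preStartScript` value is spliced verbatim into keycloak.sh by `{{ . | indent 4 }}` and nothing between it and the `exec /opt/jboss/docker-entrypoint.sh …` line stops on failure, so a pre-start step that fails (copying a theme, importing a truststore) is silently skipped and Keycloak starts without it; whether `set -e` is in effect depends on the head of keycloak.sh, which lies outside this hunk. Make failure fatal and visible inside the `with` block, e.g. add `    set -e` on its own line directly before `{{ . | indent 4 }}` (or document that the script must handle its own errors). Since the value is arbitrary shell executed with the container's permissions, a one-line warning to that effect belongs in values.yaml next to `preStartScript`.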
@@ -64,8 +39,8 @@ data: {{ $cli.discovery | indent 4 }} {{- end }} -{{- if $cli.custom }} -{{ $cli.custom | indent 4 }} +{{- with $cli.custom }} +{{ . | indent 4 }} {{- end }} stop-embedded-server diff --git a/incubator/keycloak/templates/db-secret.yaml b/incubator/keycloak/templates/db-secret.yaml index edd91687f7a8..c7e726e2066b 100644 --- a/incubator/keycloak/templates/db-secret.yaml +++ b/incubator/keycloak/templates/db-secret.yaml @@ -5,7 +5,7 @@ metadata: name: {{ template "keycloak.fullname" . }}-db labels: app: {{ template "keycloak.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version }} + chart: {{ template "keycloak.chart" . }} heritage: {{ .Release.Service }} release: {{ .Release.Name }} type: Opaque diff --git a/incubator/keycloak/templates/headless-service.yaml b/incubator/keycloak/templates/headless-service.yaml index 2890cfe3d908..b67a43341683 100644 --- a/incubator/keycloak/templates/headless-service.yaml +++ b/incubator/keycloak/templates/headless-service.yaml @@ -4,7 +4,7 @@ metadata: name: {{ template "keycloak.fullname" . }}-headless labels: app: {{ template "keycloak.name" . }} - chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" + chart: {{ template "keycloak.chart" . }} release: "{{ .Release.Name }}" heritage: "{{ .Release.Service }}" spec: diff --git a/incubator/keycloak/templates/http-service.yaml b/incubator/keycloak/templates/http-service.yaml index 07d8ce791c0f..f02d0c1f0b5a 100644 --- a/incubator/keycloak/templates/http-service.yaml +++ b/incubator/keycloak/templates/http-service.yaml 
@@ -3,17 +3,17 @@ apiVersion: v1 kind: Service metadata: name: {{ template "keycloak.fullname" . }}-http -{{- if $service.annotations }} +{{- with $service.annotations }} annotations: -{{ toYaml $service.annotations | indent 4 }} +{{ toYaml . | indent 4 }} {{- end }} labels: app: {{ template "keycloak.name" . }} - chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" + chart: {{ template "keycloak.chart" . }} release: "{{ .Release.Name }}" heritage: "{{ .Release.Service }}" -{{- if $service.labels }} -{{ toYaml $service.labels | indent 4 }} +{{- with $service.labels }} +{{ toYaml . | indent 4 }} {{- end }} spec: type: {{ $service.type }} diff --git a/incubator/keycloak/templates/ingress.yaml b/incubator/keycloak/templates/ingress.yaml index 48a9698f5a61..1db2bc18111e 100644 --- a/incubator/keycloak/templates/ingress.yaml +++ b/incubator/keycloak/templates/ingress.yaml @@ -4,13 +4,13 @@ apiVersion: extensions/v1beta1 kind: Ingress metadata: name: {{ template "keycloak.fullname" . }} -{{- if $ingress.annotations }} +{{- with $ingress.annotations }} annotations: -{{ toYaml $ingress.annotations | indent 4 }} +{{ toYaml . | indent 4 }} {{- end }} labels: app: {{ template "keycloak.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version }} + chart: {{ template "keycloak.chart" . }} heritage: {{ .Release.Service }} release: {{ .Release.Name }} spec: diff --git a/incubator/keycloak/templates/keycloak-secret.yaml b/incubator/keycloak/templates/keycloak-secret.yaml index 12d5051f4f87..ec6701f53fcd 100644 --- a/incubator/keycloak/templates/keycloak-secret.yaml +++ b/incubator/keycloak/templates/keycloak-secret.yaml 
@@ -1,16 +1,17 @@ + apiVersion: v1 kind: Secret metadata: name: {{ template "keycloak.fullname" . }}-http labels: app: {{ template "keycloak.name" . }} - chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" + chart: {{ template "keycloak.chart" . }} release: "{{ .Release.Name }}" heritage: "{{ .Release.Service }}" type: Opaque data: -{{- if .Values.keycloak.password }} - password: {{ .Values.keycloak.password | b64enc | quote }} +{{- with .Values.keycloak.password }} + password: {{ . | b64enc | quote }} {{- else }} password: {{ randAlphaNum 10 | b64enc | quote }} {{- end }} diff --git a/incubator/keycloak/templates/poddisruptionbudget.yaml b/incubator/keycloak/templates/poddisruptionbudget.yaml new file mode 100644 index 000000000000..0ef3caa67f7c --- /dev/null +++ b/incubator/keycloak/templates/poddisruptionbudget.yaml @@ -0,0 +1,17 @@ +{{- if .Values.keycloak.podDisruptionBudget -}} +apiVersion: policy/v1beta1 +kind: PodDisruptionBudget +metadata: + labels: + app: {{ template "keycloak.name" . }} + chart: {{ template "keycloak.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + name: {{ template "keycloak.fullname" . }} +spec: + selector: + matchLabels: + app: {{ template "keycloak.name" . }} + release: {{ .Release.Name }} +{{ toYaml .Values.keycloak.podDisruptionBudget | indent 2 }} +{{- end -}} diff --git a/incubator/keycloak/templates/rbac.yaml b/incubator/keycloak/templates/rbac.yaml deleted file mode 100644 index 54ed13e49f6d..000000000000 --- a/incubator/keycloak/templates/rbac.yaml +++ /dev/null 
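Review bot: The `with`/`else` refactor keeps the fallback of a 10-character alphanumeric admin password (`randAlphaNum 10`, the unchanged line under the new `with`), which is roughly 59 bits of entropy for the super-admin of an identity provider; the value is only ever consumed through the Secret, so a longer default costs nothing — `password: {{ randAlphaNum 32 | b64enc | quote }}`. This branch also re-rolls on every render, so the `-http` Secret changes on each `helm upgrade` when `keycloak.password` is unset, which matters once the admin env vars are gated on install elsewhere in this commit. The added empty first line of the file is harmless but unusual for a template and could be dropped.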
@@ -1,32 +0,0 @@
-{{- if .Values.rbac.create -}}
-apiVersion: rbac.authorization.k8s.io/v1beta1
-kind: Role
-metadata:
- name: {{ template "keycloak.fullname" . }}
- labels:
- app: {{ template "keycloak.fullname" . }}
- chart: {{ .Chart.Name }}-{{ .Chart.Version }}
- heritage: {{ .Release.Service }}
- release: {{ .Release.Name }}
-rules:
-- apiGroups: [""]
- resources: ["pods"]
- verbs: ["list"]
----
-apiVersion: rbac.authorization.k8s.io/v1beta1
-kind: RoleBinding
-metadata:
- name: {{ template "keycloak.fullname" . }}
- labels:
- app: {{ template "keycloak.fullname" . }}
- chart: {{ .Chart.Name }}-{{ .Chart.Version }}
- heritage: {{ .Release.Service }}
- release: {{ .Release.Name }}
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: {{ template "keycloak.fullname" . }}
-subjects:
-- kind: ServiceAccount
- name: {{ template "keycloak.serviceAccountName" . }}
-{{- end -}}
diff --git a/incubator/keycloak/templates/serviceaccount.yaml b/incubator/keycloak/templates/serviceaccount.yaml
deleted file mode 100644
index d9d5afda9884..000000000000
--- a/incubator/keycloak/templates/serviceaccount.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
-{{- if .Values.serviceAccount.create -}}
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: {{ template "keycloak.serviceAccountName" . }}
- labels:
- app: {{ template "keycloak.fullname" . }}
- chart: {{ .Chart.Name }}-{{ .Chart.Version }}
- heritage: {{ .Release.Service }}
- release: {{ .Release.Name }}
-{{- end -}}
diff --git a/incubator/keycloak/templates/statefulset.yaml b/incubator/keycloak/templates/statefulset.yaml
index 1779ddcc150f..b7e862a4ae82 100644
--- a/incubator/keycloak/templates/statefulset.yaml
+++ b/incubator/keycloak/templates/statefulset.yaml
@@ -6,7 +6,7 @@ metadata: checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} labels: app: {{ template "keycloak.name" . }} - chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" + chart: {{ template "keycloak.chart" . }} release: "{{ .Release.Name }}" heritage: "{{ .Release.Service }}" spec: @@ -21,25 +21,28 @@ spec: app: {{ template "keycloak.name" . }} release: "{{ .Release.Name }}" spec: - {{- if .Values.keycloak.image.pullSecrets }} + securityContext: +{{ toYaml .Values.keycloak.securityContext | indent 8 }} + {{- if .Values.keycloak.image.pullSecrets }} imagePullSecrets: {{- range .Values.keycloak.image.pullSecrets }} - name: {{ . }} {{- end}} - {{- end }} - serviceAccountName: {{ template "keycloak.serviceAccountName" . }} + {{- end }} {{- if .Values.keycloak.persistence.deployPostgres }} initContainers: - name: wait-for-postgresql - image: "{{ .Values.hyperkube.image.repository }}:{{ .Values.hyperkube.image.tag }}" - imagePullPolicy: "{{ .Values.hyperkube.image.pullPolicy }}" + image: "{{ .Values.init.image.repository }}:{{ .Values.init.image.tag }}" + imagePullPolicy: {{ .Values.init.image.pullPolicy }} command: - - "bash" - - "-c" - - "/scripts/wait_for_postgresql.sh app={{ template "keycloak.postgresql.fullname" . }}" - volumeMounts: - - name: scripts - mountPath: /scripts + - sh + - -c + - | + until printf "." && nc -z -w 2 {{ template "keycloak.postgresql.fullname" . }} {{ .Values.postgresql.service.port }}; do + sleep 2; + done; + + echo 'PostgreSQL OK ✓' {{- end }} containers: - name: {{ .Chart.Name }} @@ -48,6 +51,7 @@ spec: command: - /scripts/keycloak.sh env: + {{- if .Release.IsInstall }} - name: KEYCLOAK_USER value: {{ .Values.keycloak.username }} - name: KEYCLOAK_PASSWORD 
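Review bot: Removing `serviceAccountName:` leaves the pod on the namespace's `default` ServiceAccount with its token still automounted, even though after this change nothing in the pod needs the API server (the kubectl-based wait became a plain `nc` probe); add `automountServiceAccountToken: false` next to the new `securityContext:` block so a compromised Keycloak process gets no cluster credential for free. Separately, the `until printf "." && nc -z -w 2 …; do sleep 2; done` loop has no upper bound where the old script gave up after 30 retries, so a dead database now shows up as a pod stuck in Init forever rather than a failed init container; a bounded form such as `i=0; until nc -z -w 2 HOST PORT; do i=$((i+1)); [ "$i" -ge 30 ] && exit 1; sleep 2; done` keeps the old failure mode. The pod-level `runAsUser: 1000` / `runAsNonRoot: true` will, as I read Kubernetes semantics, also apply to the alpine init container, which is fine for `nc` but worth a comment.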
@@ -55,6 +59,7 @@ spec: secretKeyRef: name: {{ template "keycloak.fullname" . }}-http key: password + {{- end }} {{- if .Values.keycloak.persistence.deployPostgres }} - name: POSTGRES_PORT_5432_TCP_ADDR value: {{ template "keycloak.postgresql.fullname" . }} @@ -70,12 +75,15 @@ spec: {{- else }} {{ include "keycloak.externalDbConfig" . | indent 12 }} {{- end }} -{{- if .Values.keycloak.additionalEnv }} -{{ toYaml .Values.keycloak.additionalEnv | indent 12 }} +{{- with .Values.keycloak.extraEnv }} +{{ toYaml . | indent 12 }} {{- end }} volumeMounts: - name: scripts mountPath: /scripts +{{- with .Values.keycloak.extraVolumeMounts }} +{{ toYaml . | indent 12 }} +{{- end }} ports: - name: http containerPort: 8080 
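Review bot: The `{{- end }}` closing the `.Release.IsInstall` gate removes KEYCLOAK_USER/KEYCLOAK_PASSWORD from the pod on every `helm upgrade`, but keycloak-secret.yaml still renders a fresh `randAlphaNum 10` whenever `keycloak.password` is unset, so each upgrade rewrites the `-http` Secret with a password the running Keycloak never learns; anyone following the NOTES retrieval command after an upgrade gets a wrong value, and if the admin user ever has to be recreated (a reset, now-ephemeral database) it cannot be, because the env vars are gone. Either keep the two env entries unconditional so Secret and instance stay in agreement, or state in values.yaml and the README that `keycloak.password` must be set explicitly before upgrading. Only the `secretKeyRef` tail of the env entry is visible here; the opening `{{- if .Release.IsInstall }}` is in the previous hunk.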
@@ -90,42 +98,28 @@ spec: httpGet: path: /auth/ port: http - initialDelaySeconds: 5 + initialDelaySeconds: 30 timeoutSeconds: 1 resources: {{ toYaml .Values.keycloak.resources | indent 12 }} - {{- if eq .Values.keycloak.podAntiAffinity "hard" }} + {{- with .Values.keycloak.affinity }} affinity: - podAntiAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - - topologyKey: "kubernetes.io/hostname" - labelSelector: - matchLabels: - app: "{{ template "keycloak.fullname" . }}" - release: "{{ .Release.Name }}" - {{- else if eq .Values.keycloak.podAntiAffinity "soft" }} - affinity: - podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - weight: 1 - podAffinityTerm: - topologyKey: kubernetes.io/hostname - labelSelector: - matchLabels: - app: "{{ template "keycloak.fullname" . }}" - release: "{{ .Release.Name }}" +{{ toYaml . | indent 8 }} {{- end }} - {{- if .Values.keycloak.nodeSelector }} + {{- with .Values.keycloak.nodeSelector }} nodeSelector: -{{ toYaml .Values.keycloak.nodeSelector | indent 8 }} +{{ toYaml . | indent 8 }} {{- end }} - {{- if .Values.keycloak.tolerations }} + {{- with .Values.keycloak.tolerations }} tolerations: -{{ toYaml .Values.keycloak.tolerations | indent 8 }} +{{ toYaml . | indent 8 }} {{- end }} terminationGracePeriodSeconds: 60 volumes: - name: scripts configMap: name: {{ template "keycloak.fullname" . }} - defaultMode: 0755 + defaultMode: 0555 +{{- with .Values.keycloak.extraVolumes }} +{{ toYaml . | indent 8 }} +{{- end }} diff --git a/incubator/keycloak/templates/test/test-configmap.yaml b/incubator/keycloak/templates/test/test-configmap.yaml index 08d2e02e0acd..9a60ab1b06e2 100644 --- a/incubator/keycloak/templates/test/test-configmap.yaml +++ b/incubator/keycloak/templates/test/test-configmap.yaml 
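Review bot: Replacing the `podAntiAffinity` switch with a free-form `affinity` value silently drops the previous default of soft host anti-affinity, so with the default empty `affinity` every replica of the StatefulSet may be scheduled onto one node and the new PodDisruptionBudget protects nothing on a drain. Keep the old behaviour reachable by shipping the old `preferredDuringSchedulingIgnoredDuringExecution` snippet as the commented example under `keycloak.affinity` in values.yaml and calling the changed default out in the README. Tightening the scripts volume to `defaultMode: 0555` is a good change — the runtime user has no reason to write to keycloak.sh — and the jump of `initialDelaySeconds` to 30 would read better with a comment saying which probe it is and why 30 (the probe's own header is outside this hunk).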
@@ -4,16 +4,19 @@ metadata: name: {{ template "keycloak.fullname" . }}-test labels: app: {{ template "keycloak.name" . }} - chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" + chart: {{ template "keycloak.chart" . }} release: "{{ .Release.Name }}" heritage: "{{ .Release.Service }}" data: test.py: | import os from selenium import webdriver + from selenium.webdriver.common.by import By + from selenium.webdriver.support.ui import WebDriverWait + from selenium.webdriver.support import expected_conditions from urllib.parse import urlparse - print('Creating PhantomJS river...') + print('Creating PhantomJS driver...') driver = webdriver.PhantomJS() base_url = 'http://{{ template "keycloak.fullname" . }}-http{{ if ne 80 (int .Values.keycloak.service.port) }}{{ .Values.keycloak.service.port }}{{ end }}' @@ -24,14 +27,18 @@ data: username = os.environ['KEYCLOAK_USER'] password = os.environ['KEYCLOAK_PASSWORD'] + username_input = WebDriverWait(driver, 30).until(expected_conditions.presence_of_element_located((By.ID, "username"))) + password_input = WebDriverWait(driver, 30).until(expected_conditions.presence_of_element_located((By.ID, "password"))) + login_button = WebDriverWait(driver, 30).until(expected_conditions.presence_of_element_located((By.ID, "kc-login"))) + print('Entering username...') - driver.find_element_by_id('username').send_keys(username) + username_input.send_keys(username) print('Entering password...') - driver.find_element_by_id('password').send_keys(password) + password_input.send_keys(password) print('Clicking login button...') - driver.find_element_by_id('kc-login').click() + login_button.click() current_url = urlparse(driver.current_url) expected_url = urlparse('{0}/auth/admin/master/console/'.format(base_url)) 
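Review bot: The `base_url` line that the new imports sit above still builds `http://…-http` followed directly by the port with no `:` separator, so for any `service.port` other than 80 the test targets a host like `keycloak-http8080`; it is an unchanged context line, but the commit reworks this test and could fix it in passing: `base_url = 'http://{{ template "keycloak.fullname" . }}-http{{ if ne 80 (int .Values.keycloak.service.port) }}:{{ .Values.keycloak.service.port }}{{ end }}'`. The test also logs in over plain HTTP inside the cluster, which is acceptable for a smoke test but worth a one-line comment so nobody copies it as a client example.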
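Review bot: The new explicit waits cover the login form appearing, but `login_button.click()` is still followed immediately by `driver.current_url`, so the path comparison can run before the post-login redirect has happened and report a spurious failure on a slow pod. Add one more wait after the click, e.g. `WebDriverWait(driver, 30).until(expected_conditions.url_contains('/auth/admin/master/console/'))`, reusing the helpers this hunk already imports. Three identical `WebDriverWait(driver, 30)` constructions could also become one `wait = WebDriverWait(driver, 30)` for readability.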
@@ -40,8 +47,8 @@ data: print('Expected URL: {0}'.format(expected_url)) if current_url.path != expected_url.path: - print('Login failed. Current url is not expected url') - exit(1) + print('Login failed. Current url is not expected url') + exit(1) print('URLs match. Login successful.') diff --git a/incubator/keycloak/templates/test/test-pod.yaml b/incubator/keycloak/templates/test/test-pod.yaml index 622bb64723a6..6d9cd45ca383 100644 --- a/incubator/keycloak/templates/test/test-pod.yaml +++ b/incubator/keycloak/templates/test/test-pod.yaml @@ -4,7 +4,7 @@ metadata: name: {{ template "keycloak.fullname" . }}-test labels: app: {{ template "keycloak.name" . }} - chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" + chart: {{ template "keycloak.chart" . }} release: "{{ .Release.Name }}" heritage: "{{ .Release.Service }}" annotations: diff --git a/incubator/keycloak/templates/tls-secret.yaml b/incubator/keycloak/templates/tls-secret.yaml index 402ba4259ef5..84440d70f548 100644 --- a/incubator/keycloak/templates/tls-secret.yaml +++ b/incubator/keycloak/templates/tls-secret.yaml @@ -10,7 +10,7 @@ metadata: {{- end }} labels: app: {{ template "keycloak.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version }} + chart: {{ template "keycloak.chart" . }} heritage: {{ .Release.Service }} release: {{ .Release.Name }} type: Opaque diff --git a/incubator/keycloak/values.yaml b/incubator/keycloak/values.yaml index bdda27ef0908..33089d5c6233 100644 --- a/incubator/keycloak/values.yaml +++ b/incubator/keycloak/values.yaml @@ -1,8 +1,7 @@ -## Used to run 'kubectl' in an init container in order to wait for Postgresql to start up. -hyperkube: +init: image: - repository: quay.io/coreos/hyperkube - tag: v1.8.1_coreos.0 + repository: alpine + tag: 3.6 pullPolicy: IfNotPresent keycloak: 
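Review bot: `tag: 3.6` under `init.image` is an unquoted YAML float that happens to render as `3.6` but will silently become `3.1` the day someone sets `3.10`, and the template interpolates it straight into the image reference; quote it as `tag: "3.6"` (and note the README documents it as the string `3.6`). `alpine:3.6` is also a mutable tag for a container that runs inside the identity provider's pod; pinning to a digest or at least stating the policy in a comment is worth considering, though that is a choice rather than a defect. The comment that described the old hyperkube purpose was removed with it — a replacement line such as `## Image used by the init container that waits for PostgreSQL (needs only /bin/sh and nc).` keeps the intent discoverable.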
@@ -10,7 +9,7 @@ keycloak: image: repository: jboss/keycloak - tag: 3.4.0.Final + tag: 3.4.3.Final pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. ## Secrets must be manually created in the namespace. @@ -19,6 +18,14 @@ keycloak: # pullSecrets: # - myRegistrKeySecretName + securityContext: + runAsUser: 1000 + fsGroup: 1000 + runAsNonRoot: true + + ## Custom script that is run before Keycloak is started. + preStartScript: + ## Username for the initial Keycloak admin user username: keycloak @@ -27,7 +34,7 @@ keycloak: password: "" ## Allows the specification of additional environment variables for Keycloak - additionalEnv: {} + extraEnv: {} # KEYCLOAK_LOGLEVEL: DEBUG # WILDFLY_LOGLEVEL: DEBUG # CACHE_OWNERS: 2 @@ -102,9 +109,18 @@ keycloak: /interface=private:write-attribute(name=nic, value=eth0) /interface=private:undefine-attribute(name=inet-address) + # Custom CLI script custom: "" + ## Add additional volumes and mounts, e. g. for custom themes + extraVolumes: [] + extraVolumeMounts: [] + + podDisruptionBudget: {} + # maxUnavailable: 1 + # minAvailable: 1 + service: annotations: {} # service.beta.kubernetes.io/aws-load-balancer-internal: "0.0.0.0/0" @@ -187,18 +203,7 @@ postgresql: persistence: ## Enable PostgreSQL persistence using Persistent Volume Claims. ## - enabled: true - -rbac: - # Specifies whether RBAC resources should be created - create: true - -serviceAccount: - # Specifies whether a ServiceAccount should be created - create: true - # The name of the ServiceAccount to use. - # If not set and create is true, a name is generated using the fullname template - name: "" + enabled: false test: image:
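Review bot: `preStartScript:` is left as a bare empty value, which YAML reads as null; `with` tolerates that, but an explicit `preStartScript: ""` is clearer and satisfies yamllint's empty-values rule. The comment above it should also say what the value is and how it runs, e.g. `## Shell snippet inlined verbatim into keycloak.sh and executed before Keycloak starts, as the pod's securityContext user; it is trusted code.` The new `securityContext` default (`runAsNonRoot`, uid/fsGroup 1000) is a sound hardening; a note that `fsGroup` is what makes files on `extraVolumes` readable by that uid would save users a debugging round.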
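Review bot: `extraEnv: {}` together with the commented `KEYCLOAK_LOGLEVEL: DEBUG` map-style examples contradicts both the README (`extraEnv:` followed by `- name: … value: …`) and statefulset.yaml, which pipes `toYaml .Values.keycloak.extraEnv` straight into the container's `env:` list; a user who uncomments these lines renders an invalid env entry. Change the default to `extraEnv: []` and the examples to list form, e.g. `# - name: KEYCLOAK_LOGLEVEL` / `#   value: DEBUG`.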
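Review bot: Flipping `postgresql.persistence.enabled` to `false` makes the bundled database ephemeral by default, so realms, clients, users and credentials vanish whenever the PostgreSQL pod is rescheduled — for an identity provider that is data loss, and combined with the install-only admin env vars elsewhere in this commit it leaves no way to recreate the admin account with a plain `helm upgrade`. If the motivation is CI or `helm test` on clusters without a StorageClass, set it in the test values instead and keep `true` here; otherwise flag it loudly, e.g. `## WARNING: false discards all Keycloak state on pod restart; set to true for anything but a throw-away demo`, and repeat that in the README. Dropping the `rbac`/`serviceAccount` stanzas is consistent with the deleted templates, but the README should say that upgrading from 0.3.0 removes the dedicated ServiceAccount, Role and RoleBinding.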