🧹 Clean up and condense the keycloak initialization system
ndebuhr committed Sep 11, 2021
1 parent ddeee9b commit 81038b3
Showing 1 changed file with 98 additions and 164 deletions.
262 changes: 98 additions & 164 deletions helm/templates/keycloak-seeding.yaml
Expand Up @@ -2,19 +2,19 @@
apiVersion: batch/v1
kind: Job
metadata:
name: master-keycloak-init
name: keycloak-init
namespace: {{ .Values.namespace }}
labels:
app: master-keycloak-init
app: keycloak-init
spec:
template:
metadata:
labels:
app: master-keycloak-init
app: keycloak-init
spec:
{{ toYaml .Values.podDefaults | nindent 6 }}
containers:
- name: keycloak-init
initContainers:
- name: master-keycloak-init
image: {{ .Values.docker.registry }}/cloud-native-workstation-keycloak-seeding:{{ .Values.docker.tag }}
imagePullPolicy: Always
command: ["/bin/bash", "-c"]
Expand All @@ -37,53 +37,7 @@ spec:
- name: master-json
mountPath: /etc/master.json
subPath: master.json
volumes:
- name: master-sh
configMap:
name: master-sh
defaultMode: 0555
- name: master-json
configMap:
name: master-json
defaultMode: 0444
restartPolicy: Never
backoffLimit: 32
{{- if eq .Values.policies.enabled true }}
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: master-keycloak-init
namespace: {{ .Values.namespace }}
spec:
podSelector:
matchLabels:
app: master-keycloak-init
policyTypes:
- Egress
egress:
- to:
- podSelector:
matchLabels:
app: keycloak
{{- end }}
---
apiVersion: batch/v1
kind: Job
metadata:
name: client-scopes-keycloak-init
namespace: {{ .Values.namespace }}
labels:
app: client-scopes-keycloak-init
spec:
template:
metadata:
labels:
app: client-scopes-keycloak-init
spec:
{{ toYaml .Values.podDefaults | nindent 6 }}
containers:
- name: keycloak-init
- name: client-scopes-keycloak-init
image: {{ .Values.docker.registry }}/cloud-native-workstation-keycloak-seeding:{{ .Values.docker.tag }}
imagePullPolicy: Always
command: ["/bin/bash", "-c"]
Expand All @@ -95,18 +49,70 @@ spec:
value: {{ .Values.authentication.username }}
- name: PASSWORD
value: {{ .Values.authentication.password }}
resources: {{- toYaml .Values.components.keycloak.init.resources | nindent 10 }}
securityContext:
readOnlyRootFilesystem: true
runAsNonRoot: true
resources: {{- toYaml .Values.components.keycloak.init.resources | nindent 10 }}
volumeMounts:
- name: client-scopes-sh
mountPath: /opt/client-scopes.sh
subPath: client-scopes.sh
- name: client-scopes-json
mountPath: /etc/client-scopes.json
subPath: client-scopes.json
{{- $root := . }}
{{- range .Values.access }}
- name: {{ .name }}-keycloak-init
image: {{ $root.Values.docker.registry }}/cloud-native-workstation-keycloak-seeding:{{ $root.Values.docker.tag }}
imagePullPolicy: Always
command: ["/bin/bash", "-c"]
args:
- |
/opt/client.sh || exit $?
/opt/protocol-mapper.sh || exit $?
/opt/default-client-scopes.sh || exit $?
env:
- name: USERNAME
value: {{ $root.Values.authentication.username }}
- name: PASSWORD
value: {{ $root.Values.authentication.password }}
resources: {{- toYaml $root.Values.components.keycloak.init.resources | nindent 10 }}
securityContext:
readOnlyRootFilesystem: true
runAsNonRoot: true
volumeMounts:
- name: {{ .name }}-client-sh
mountPath: /opt/client.sh
subPath: client.sh
- name: {{ .name }}-client-json
mountPath: /etc/client.json
subPath: client.json
- name: {{ .name }}-protocol-mapper-sh
mountPath: /opt/protocol-mapper.sh
subPath: protocol-mapper.sh
- name: {{ .name }}-protocol-mapper-json
mountPath: /etc/protocol-mapper.json
subPath: protocol-mapper.json
- name: {{ .name }}-default-client-scopes-sh
mountPath: /opt/default-client-scopes.sh
subPath: default-client-scopes.sh
{{- end }}
containers:
- name: verify
image: {{ $root.Values.docker.registry }}/cloud-native-workstation-keycloak-seeding:{{ $root.Values.docker.tag }}
command: ["/bin/bash", "-c"]
args:
- |
curl http://keycloak:8080
volumes:
- name: master-sh
configMap:
name: master-sh
defaultMode: 0555
- name: master-json
configMap:
name: master-json
defaultMode: 0444
- name: client-scopes-sh
configMap:
name: client-scopes-sh
Expand All @@ -115,19 +121,41 @@ spec:
configMap:
name: client-scopes-json
defaultMode: 0444
{{- range .Values.access }}
- name: {{ .name }}-client-sh
configMap:
name: {{ .name }}-client-sh
defaultMode: 0555
- name: {{ .name }}-client-json
configMap:
name: {{ .name }}-client-json
defaultMode: 0444
- name: {{ .name }}-protocol-mapper-sh
configMap:
name: {{ .name }}-protocol-mapper-sh
defaultMode: 0555
- name: {{ .name }}-protocol-mapper-json
configMap:
name: {{ .name }}-protocol-mapper-json
defaultMode: 0444
- name: {{ .name }}-default-client-scopes-sh
configMap:
name: {{ .name }}-default-client-scopes-sh
defaultMode: 0555
{{- end }}
restartPolicy: Never
backoffLimit: 32
{{- if eq .Values.policies.enabled true }}
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: client-scopes-keycloak-init
name: keycloak-init
namespace: {{ .Values.namespace }}
spec:
podSelector:
matchLabels:
app: client-scopes-keycloak-init
app: keycloak-init
policyTypes:
- Egress
egress:
Expand All @@ -154,21 +182,6 @@ data:
---
apiVersion: v1
kind: ConfigMap
metadata:
name: client-scopes-sh
namespace: {{ .Values.namespace }}
data:
client-scopes.sh: |
ACCESSTOKEN=$(curl http://keycloak:8080/auth/realms/master/protocol/openid-connect/token \
-d "username=$USERNAME&password=$PASSWORD&grant_type=password&client_id=admin-cli" | jq .access_token | sed 's/"//g')
curl -vv -f -X POST "http://keycloak:8080/auth/admin/realms/master/client-scopes" \
-H "Accept: application/json" \
-H "Authorization: Bearer $ACCESSTOKEN" \
-H "Content-Type: application/json" \
-d @/etc/client-scopes.json
---
apiVersion: v1
kind: ConfigMap
metadata:
name: master-json
namespace: {{ .Values.namespace }}
Expand Down Expand Up @@ -284,6 +297,21 @@ data:
---
apiVersion: v1
kind: ConfigMap
metadata:
name: client-scopes-sh
namespace: {{ .Values.namespace }}
data:
client-scopes.sh: |
ACCESSTOKEN=$(curl http://keycloak:8080/auth/realms/master/protocol/openid-connect/token \
-d "username=$USERNAME&password=$PASSWORD&grant_type=password&client_id=admin-cli" | jq .access_token | sed 's/"//g')
curl -vv -f -X POST "http://keycloak:8080/auth/admin/realms/master/client-scopes" \
-H "Accept: application/json" \
-H "Authorization: Bearer $ACCESSTOKEN" \
-H "Content-Type: application/json" \
-d @/etc/client-scopes.json
---
apiVersion: v1
kind: ConfigMap
metadata:
name: client-scopes-json
namespace: {{ .Values.namespace }}
Expand All @@ -298,102 +326,8 @@ data:
"display.on.consent.screen": "true"
}
}
---
{{- $root := . }}
{{- range .Values.access }}
---
apiVersion: batch/v1
kind: Job
metadata:
name: {{ .name }}-keycloak-init
namespace: {{ $root.Values.namespace }}
labels:
app: {{ .name }}-keycloak-init
spec:
template:
metadata:
labels:
app: {{ .name }}-keycloak-init
spec:
{{ toYaml $root.Values.podDefaults | nindent 6 }}
containers:
- name: keycloak-init
image: {{ $root.Values.docker.registry }}/cloud-native-workstation-keycloak-seeding:{{ $root.Values.docker.tag }}
imagePullPolicy: Always
command: ["/bin/bash", "-c"]
args:
- |
/opt/client.sh || exit $?
/opt/protocol-mapper.sh || exit $?
/opt/default-client-scopes.sh || exit $?
env:
- name: USERNAME
value: {{ $root.Values.authentication.username }}
- name: PASSWORD
value: {{ $root.Values.authentication.password }}
resources: {{- toYaml $root.Values.components.keycloak.init.resources | nindent 10 }}
securityContext:
readOnlyRootFilesystem: true
runAsNonRoot: true
volumeMounts:
- name: {{ .name }}-client-sh
mountPath: /opt/client.sh
subPath: client.sh
- name: {{ .name }}-client-json
mountPath: /etc/client.json
subPath: client.json
- name: {{ .name }}-protocol-mapper-sh
mountPath: /opt/protocol-mapper.sh
subPath: protocol-mapper.sh
- name: {{ .name }}-protocol-mapper-json
mountPath: /etc/protocol-mapper.json
subPath: protocol-mapper.json
- name: {{ .name }}-default-client-scopes-sh
mountPath: /opt/default-client-scopes.sh
subPath: default-client-scopes.sh
volumes:
- name: {{ .name }}-client-sh
configMap:
name: {{ .name }}-client-sh
defaultMode: 0555
- name: {{ .name }}-client-json
configMap:
name: {{ .name }}-client-json
defaultMode: 0444
- name: {{ .name }}-protocol-mapper-sh
configMap:
name: {{ .name }}-protocol-mapper-sh
defaultMode: 0555
- name: {{ .name }}-protocol-mapper-json
configMap:
name: {{ .name }}-protocol-mapper-json
defaultMode: 0444
- name: {{ .name }}-default-client-scopes-sh
configMap:
name: {{ .name }}-default-client-scopes-sh
defaultMode: 0555
restartPolicy: Never
backoffLimit: 32
{{- if eq $root.Values.policies.enabled true }}
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: {{ .name }}-keycloak-init
namespace: {{ $root.Values.namespace }}
spec:
podSelector:
matchLabels:
app: {{ .name }}-keycloak-init
policyTypes:
- Egress
egress:
- to:
- podSelector:
matchLabels:
app: keycloak
{{- end }}
---
apiVersion: v1
kind: ConfigMap
metadata:
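Review bot: The new `verify` container that the `+49` hunk adds after `containers:` runs `curl http://keycloak:8080` without `-f`, so an HTTP error status from Keycloak still exits 0 and the Job reports success even though the thing it is meant to verify is unhealthy; the seeding scripts elsewhere in this file already use `curl -vv -f`, so the check should fail the same way. The same container also omits the `securityContext` (`readOnlyRootFilesystem`, `runAsNonRoot`) and the `resources` stanza that every init container in the same pod sets, so the pod's last container runs as the image's default user with no limits; if the namespace enforces a LimitRange or a pod-security admission policy, that inconsistency is presumably enough to reject the pod. Using `curl -sSf` and copying the init containers' `resources`/`securityContext` lines keeps the whole pod under one hardening policy and makes the verification step meaningful.

```yaml
      - name: verify
        # … unchanged: image, command …
        imagePullPolicy: Always
        args:
          - |
            curl -sSf http://keycloak:8080
        resources: {{- toYaml $root.Values.components.keycloak.init.resources | nindent 10 }}
        securityContext:
          readOnlyRootFilesystem: true
          runAsNonRoot: true
```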
