From 16d722ec7b5bf564b2f7e990ab89fa931baf2097 Mon Sep 17 00:00:00 2001 From: phac008 Date: Sun, 2 Mar 2025 22:16:05 +0100 Subject: [PATCH 01/26] feat: move to keycloak and postgres to official helm 
Signed-off-by: phac008 --- platform-apps/charts/keycloak/Chart.lock | 9 + platform-apps/charts/keycloak/Chart.yaml | 12 +- .../charts/keycloak/templates/2faflow.yaml | 30 ++-- .../charts/keycloak/templates/configmap.yaml | 29 ---- .../cp-keycloak-backstage-client.yaml | 23 +-- .../templates/cp-keycloak-client-secret.yaml | 14 ++ .../templates/cp-keycloak-clientscope.yaml | 4 +- .../templates/cp-keycloak-cp-secret.yaml | 18 -- ...-keycloak-default-clientroles-grafana.yaml | 18 +- ...ycloak-default-clientscopes-backstage.yaml | 4 +- ...keycloak-default-clientscopes-grafana.yaml | 4 +- ...keycloak-default-clientscopes-pgadmin.yaml | 4 +- ...p-keycloak-default-clientscopes-vault.yaml | 4 +- .../cp-keycloak-externaldb-secret.yaml | 17 ++ .../templates/cp-keycloak-grafana-client.yaml | 31 ++-- .../cp-keycloak-grafana-group-roles.yaml | 84 +-------- .../templates/cp-keycloak-group-roles.yaml | 14 +- .../templates/cp-keycloak-groups.yaml | 16 +- .../templates/cp-keycloak-member.yaml | 14 +- .../templates/cp-keycloak-pgadmin-client.yaml | 23 +-- .../cp-keycloak-protocolmapper-grafana.yaml | 2 +- .../templates/cp-keycloak-protocolmapper.yaml | 2 +- .../keycloak/templates/cp-keycloak-realm.yaml | 13 +- .../templates/cp-keycloak-secret.yaml | 24 +-- .../templates/cp-keycloak-users-secret.yaml | 19 +++ .../keycloak/templates/cp-keycloak-users.yaml | 17 +- .../templates/cp-keycloak-vault-client.yaml | 27 +-- .../keycloak/templates/cp-provider.yaml | 2 +- .../keycloak/templates/cp-providerconfig.yaml | 4 +- .../charts/keycloak/templates/ingress.yaml | 38 ----- .../charts/keycloak/templates/keycloak.yaml | 121 ------------- .../charts/keycloak/templates/postgres.yaml | 61 ------- .../charts/keycloak/templates/pvc.yaml | 13 -- .../charts/keycloak/templates/secrets.yml | 18 -- .../charts/keycloak/templates/xr.yaml | 32 +--- platform-apps/charts/keycloak/values-k3d.yaml | 160 ++++++++++-------- 36 files changed, 281 insertions(+), 644 deletions(-) create mode 100644 
platform-apps/charts/keycloak/Chart.lock delete mode 100644 platform-apps/charts/keycloak/templates/configmap.yaml create mode 100644 platform-apps/charts/keycloak/templates/cp-keycloak-client-secret.yaml delete mode 100644 platform-apps/charts/keycloak/templates/cp-keycloak-cp-secret.yaml create mode 100644 platform-apps/charts/keycloak/templates/cp-keycloak-externaldb-secret.yaml create mode 100644 platform-apps/charts/keycloak/templates/cp-keycloak-users-secret.yaml delete mode 100644 platform-apps/charts/keycloak/templates/ingress.yaml delete mode 100644 platform-apps/charts/keycloak/templates/keycloak.yaml delete mode 100644 platform-apps/charts/keycloak/templates/postgres.yaml delete mode 100644 platform-apps/charts/keycloak/templates/pvc.yaml delete mode 100644 platform-apps/charts/keycloak/templates/secrets.yml diff --git a/platform-apps/charts/keycloak/Chart.lock b/platform-apps/charts/keycloak/Chart.lock new file mode 100644 index 000000000..8bcccbc6d --- /dev/null +++ b/platform-apps/charts/keycloak/Chart.lock @@ -0,0 +1,9 @@ +dependencies: +- name: keycloak + repository: https://charts.bitnami.com/bitnami + version: 24.4.10 +- name: postgresql + repository: https://charts.bitnami.com/bitnami + version: 16.4.14 +digest: sha256:59fb1d148bae6ffbd53978756c1c9740f9f4753b30807716b0030ec70509cdd2 +generated: "2025-02-28T13:18:41.658653+01:00" diff --git a/platform-apps/charts/keycloak/Chart.yaml b/platform-apps/charts/keycloak/Chart.yaml index 7e901ec13..e409ed052 100644 --- a/platform-apps/charts/keycloak/Chart.yaml +++ b/platform-apps/charts/keycloak/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: sx-keycloak -description: A local k8s keycloak with postgres db +description: A Helm chart for Kubernetes # A chart can be either an 'application' or a 'library' chart. # 
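Review bot: The `description` line in the Chart.yaml hunk replaces a meaningful summary with Helm's scaffold default `A Helm chart for Kubernetes`, which tells a reader nothing about what the chart deploys. Keep a one-line summary that reflects the new layout, e.g. `description: Keycloak and PostgreSQL (Bitnami subcharts) with realm, clients and groups managed through Crossplane`. The Chart.lock hunk on the same line is a generated lockfile and needs no change.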
@@ -23,3 +23,13 @@ version: 0.1.0 # It is recommended to use it with quotes. appVersion: "1.0.0" +dependencies: + - name: keycloak + alias: keycloak + version: 24.4.10 + repository: https://charts.bitnami.com/bitnami + - name: postgresql + alias: postgresql + version: 16.4.14 + repository: https://charts.bitnami.com/bitnami + condition: postgresql.enabled diff --git a/platform-apps/charts/keycloak/templates/2faflow.yaml b/platform-apps/charts/keycloak/templates/2faflow.yaml index 3ef63fefe..9bebdc069 100644 --- a/platform-apps/charts/keycloak/templates/2faflow.yaml +++ b/platform-apps/charts/keycloak/templates/2faflow.yaml @@ -1,4 +1,4 @@ -{{- if .Values.deployments.keycloak.mfa.enabled }} +{{- if .Values.kubrix.keycloak.mfa.enabled }} apiVersion: role.keycloak.crossplane.io/v1alpha1 kind: Role metadata: @@ -11,11 +11,11 @@ metadata: spec: deletionPolicy: Delete forProvider: - description: "${role_{{ .Values.deployments.keycloak.realm.realmid }}_otprole}" - name: {{ .Values.deployments.keycloak.realm.realmid }}_otprole + description: "${role_{{ .Values.kubrix.keycloak.realm.realmid }}_otprole}" + name: {{ .Values.kubrix.keycloak.realm.realmid }}_otprole realmIdSelector: matchLabels: - platform-engineer.cloud/realm: {{ .Values.deployments.keycloak.realm.realmid }} + platform-engineer.cloud/realm: {{ .Values.kubrix.keycloak.realm.realmid }} providerConfigRef: name: "{{ .Release.Name }}-config" --- @@ -33,7 +33,7 @@ spec: forProvider: realmIdSelector: matchLabels: - platform-engineer.cloud/realm: {{ .Values.deployments.keycloak.realm.realmid }} + platform-engineer.cloud/realm: {{ .Values.kubrix.keycloak.realm.realmid }} alias: browser 2 FA description: browser based authentication providerId: basic-flow 
@@ -57,7 +57,7 @@ spec: requirement: ALTERNATIVE realmIdSelector: matchLabels: - platform-engineer.cloud/realm: {{ .Values.deployments.keycloak.realm.realmid }} + platform-engineer.cloud/realm: {{ .Values.kubrix.keycloak.realm.realmid }} providerConfigRef: name: "{{ .Release.Name }}-config" --- @@ -77,7 +77,7 @@ spec: platform-engineer.cloud/flow: 2faflow realmIdSelector: matchLabels: - platform-engineer.cloud/realm: {{ .Values.deployments.keycloak.realm.realmid }} + platform-engineer.cloud/realm: {{ .Values.kubrix.keycloak.realm.realmid }} requirement: ALTERNATIVE providerConfigRef: name: "{{ .Release.Name }}-config" @@ -98,7 +98,7 @@ spec: platform-engineer.cloud/flow: 2faflow realmIdSelector: matchLabels: - platform-engineer.cloud/realm: {{ .Values.deployments.keycloak.realm.realmid }} + platform-engineer.cloud/realm: {{ .Values.kubrix.keycloak.realm.realmid }} requirement: REQUIRED providerConfigRef: name: "{{ .Release.Name }}-config" @@ -121,7 +121,7 @@ spec: platform-engineer.cloud/flow: 2faflow realmIdSelector: matchLabels: - platform-engineer.cloud/realm: {{ .Values.deployments.keycloak.realm.realmid }} + platform-engineer.cloud/realm: {{ .Values.kubrix.keycloak.realm.realmid }} requirement: REQUIRED providerConfigRef: name: "{{ .Release.Name }}-config" @@ -138,13 +138,13 @@ spec: alias: conditional otp form config: defaultOtpOutcome: skip - forceOtpRole: {{ .Values.deployments.keycloak.realm.realmid }}_otprole + forceOtpRole: {{ .Values.kubrix.keycloak.realm.realmid }}_otprole executionIdSelector: matchLabels: platform-engineer.cloud/execution: 2fa-ex4 realmIdSelector: matchLabels: - platform-engineer.cloud/realm: {{ .Values.deployments.keycloak.realm.realmid }} + platform-engineer.cloud/realm: {{ .Values.kubrix.keycloak.realm.realmid }} providerConfigRef: name: "{{ .Release.Name }}-config" --- 
@@ -162,17 +162,17 @@ spec: platform-engineer.cloud/flow: 2faflow realmIdSelector: matchLabels: - platform-engineer.cloud/realm: {{ .Values.deployments.keycloak.realm.realmid }} + platform-engineer.cloud/realm: {{ .Values.kubrix.keycloak.realm.realmid }} providerConfigRef: name: "{{ .Release.Name }}-config" {{- end }} --- -{{- range $group := .Values.deployments.keycloak.realm.groups }} +{{- range $group := .Values.kubrix.keycloak.realm.groups }} {{- if $group.mfa }} apiVersion: group.keycloak.crossplane.io/v1alpha1 kind: Roles metadata: - name: {{ $.Values.deployments.keycloak.backstageclient.config.clientID }}-{{ $group.name }}-2fa-roles + name: backstage-{{ $group.name }}-2fa-roles annotations: argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true argocd.argoproj.io/sync-wave: "1" @@ -184,7 +184,7 @@ spec: roleIdsSelector: matchLabels: platform-engineer.cloud/role: 2faotprole - realmId: {{ $.Values.deployments.keycloak.realm.realmid }} + realmId: {{ $.Values.kubrix.keycloak.realm.realmid }} providerConfigRef: name: "{{ $.Release.Name }}-config" --- diff --git a/platform-apps/charts/keycloak/templates/configmap.yaml b/platform-apps/charts/keycloak/templates/configmap.yaml deleted file mode 100644 index 075362078..000000000 --- a/platform-apps/charts/keycloak/templates/configmap.yaml +++ /dev/null 
@@ -1,29 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: keycloak-configmap -data: - kubrix.realm.json: |- -{{ .Files.Get "realmsettings/kubrix.realm.json" | indent 4}} - poststart.sh: |- - #!/bin/bash - # - # Bootstrap Backstage Client - # - ###### MAIN ###################### - # create crossplane client with admin role -- currently not possible with crossplane only ... - - sleepSeconds="${1:-60}" - echo "going to wait for initialization/stabilization of server, sleeping for $sleepSeconds" - sleep $sleepSeconds - - cd /opt/keycloak/bin - - # login - ./kcadm.sh config credentials --realm master --user admin --password admin --server http://0.0.0.0:8080 - ./kcadm.sh create clients -r master -s serviceAccountsEnabled=true -s clientId=crossplane -s enabled=true -s secret=demosecret - ./kcadm.sh add-roles --uusername service-account-crossplane --rolename admin -r master - ./kcadm.sh update events/config -r master -s enabledEventTypes=[] - ./kcadm.sh update events/config -r master -s adminEventsEnabled=true -s adminEventsDetailsEnabled=true - - exit 0 diff --git a/platform-apps/charts/keycloak/templates/cp-keycloak-backstage-client.yaml b/platform-apps/charts/keycloak/templates/cp-keycloak-backstage-client.yaml index 04a5d50c4..6cdbcd73f 100644 --- a/platform-apps/charts/keycloak/templates/cp-keycloak-backstage-client.yaml +++ b/platform-apps/charts/keycloak/templates/cp-keycloak-backstage-client.yaml 
@@ -1,17 +1,8 @@ ---- -apiVersion: v1 -kind: Secret -metadata: - name: "{{ .Release.Name }}-client-{{ .Values.deployments.keycloak.backstageclient.config.clientID }}-password" -type: Opaque -stringData: - {{ .Values.deployments.keycloak.backstageclient.config.clientID }}: {{ .Values.deployments.keycloak.backstageclient.config.clientSecret }} - --- apiVersion: openidclient.keycloak.crossplane.io/v1alpha1 kind: Client metadata: - name: {{ .Values.deployments.keycloak.backstageclient.config.clientID }} + name: backstage annotations: argocd.argoproj.io/sync-wave: "1" argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true @@ -19,19 +10,19 @@ spec: deletionPolicy: Delete forProvider: accessType: CONFIDENTIAL - clientId: {{ .Values.deployments.keycloak.backstageclient.config.clientID }} - name: {{ .Values.deployments.keycloak.backstageclient.config.clientID }} - realmId: {{ .Values.deployments.keycloak.realm.realmid }} + clientId: backstage + name: backstage + realmId: {{ .Values.kubrix.keycloak.realm.realmid }} directAccessGrantsEnabled: false standardFlowEnabled: true serviceAccountsEnabled: true # managementPolicies: ["Observe"] validRedirectUris: - "http://localhost:7007/api/auth/oidc/handler/frame" - - "https://backstage{{ .Values.deployments.ingress.fqdn }}/api/auth/oidc/handler/frame" + - "https://backstage{{ .Values.kubrix.keycloak.fqdn }}/api/auth/oidc/handler/frame" clientSecretSecretRef: - key: {{ .Values.deployments.keycloak.backstageclient.config.clientID }} - name: "{{ .Release.Name }}-client-{{ .Values.deployments.keycloak.backstageclient.config.clientID }}-password" + key: backstage + name: keycloak-client-credentials namespace: {{ .Release.Namespace }} loginTheme: keycloak providerConfigRef: diff --git a/platform-apps/charts/keycloak/templates/cp-keycloak-client-secret.yaml b/platform-apps/charts/keycloak/templates/cp-keycloak-client-secret.yaml new file mode 100644 index 000000000..104c2e084 --- /dev/null 
+++ b/platform-apps/charts/keycloak/templates/cp-keycloak-client-secret.yaml @@ -0,0 +1,14 @@ +--- +apiVersion: v1 +kind: Secret +metadata: + name: keycloak-client-credentials + annotations: + argocd.argoproj.io/sync-wave: "-9" +type: Opaque +stringData: + # clientsecret for keycloak clients + backstage: "demosecret" + grafana: "demosecret" + vault: "demosecret" + pgadmin: "demosecret" \ No newline at end of file diff --git a/platform-apps/charts/keycloak/templates/cp-keycloak-clientscope.yaml b/platform-apps/charts/keycloak/templates/cp-keycloak-clientscope.yaml index 8d1cb4cf6..a58feebfe 100644 --- a/platform-apps/charts/keycloak/templates/cp-keycloak-clientscope.yaml +++ b/platform-apps/charts/keycloak/templates/cp-keycloak-clientscope.yaml @@ -15,7 +15,7 @@ spec: includeInTokenScope: true name: groups realmIdRef: - name: {{ $.Values.deployments.keycloak.realm.realmid }} + name: {{ $.Values.kubrix.keycloak.realm.realmid }} providerConfigRef: name: "{{ .Release.Name }}-config" --- @@ -36,6 +36,6 @@ spec: includeInTokenScope: true name: openid realmIdRef: - name: {{ $.Values.deployments.keycloak.realm.realmid }} + name: {{ $.Values.kubrix.keycloak.realm.realmid }} providerConfigRef: name: "{{ .Release.Name }}-config" \ No newline at end of file diff --git a/platform-apps/charts/keycloak/templates/cp-keycloak-cp-secret.yaml b/platform-apps/charts/keycloak/templates/cp-keycloak-cp-secret.yaml deleted file mode 100644 index ad02c7b48..000000000 --- a/platform-apps/charts/keycloak/templates/cp-keycloak-cp-secret.yaml +++ /dev/null @@ -1,18 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: keycloak-credentials-cp - namespace: crossplane - labels: - type: provider-credentials -type: Opaque -stringData: - credentials: | - { - "client_id":"crossplane", - "client_secret":"demosecret", - "url":"http://keycloak-service.keycloak.svc.cluster.local:8080", - "realm":"master", - "base_Path":"/" - } ---- 
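Review bot: `cp-keycloak-client-secret.yaml` commits one literal client secret, `demosecret`, for all four OIDC clients, so the credential is both checked into git and shared across backstage, grafana, vault and pgadmin. The deleted `cp-keycloak-cp-secret.yaml` on the same line used the same literal for the crossplane admin client, which suggests this is a development default rather than a per-deployment value. Source each entry from values or an existing Secret instead, e.g. `backstage: {{ .Values.<backstage-client-secret> | quote }}` (values path is a placeholder), so each environment and each client gets its own value. The new file also ends without a trailing newline.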
diff --git a/platform-apps/charts/keycloak/templates/cp-keycloak-default-clientroles-grafana.yaml b/platform-apps/charts/keycloak/templates/cp-keycloak-default-clientroles-grafana.yaml index 4fdceaeaf..d740543c2 100644 --- a/platform-apps/charts/keycloak/templates/cp-keycloak-default-clientroles-grafana.yaml +++ b/platform-apps/charts/keycloak/templates/cp-keycloak-default-clientroles-grafana.yaml @@ -5,16 +5,16 @@ metadata: argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true argocd.argoproj.io/sync-wave: "1" labels: - platform-engineer.cloud/role: viewer + platform-engineer.cloud/role: grafana-viewer name: client-default-role-grafana-viewer spec: forProvider: clientIdRef: - name: {{ .Values.deployments.keycloak.grafanaclient.config.clientID }} + name: grafana name: viewer description: viewer role for grafana realmIdRef: - name: {{ $.Values.deployments.keycloak.realm.realmid }} + name: {{ $.Values.kubrix.keycloak.realm.realmid }} providerConfigRef: name: "{{ .Release.Name }}-config" --- @@ -25,16 +25,16 @@ metadata: argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true argocd.argoproj.io/sync-wave: "1" labels: - platform-engineer.cloud/role: editor + platform-engineer.cloud/role: grafana-editor name: client-default-role-grafana-editor spec: forProvider: clientIdRef: - name: {{ .Values.deployments.keycloak.grafanaclient.config.clientID }} + name: grafana name: editor description: editor role for grafana realmIdRef: - name: {{ $.Values.deployments.keycloak.realm.realmid }} + name: {{ $.Values.kubrix.keycloak.realm.realmid }} providerConfigRef: name: "{{ .Release.Name }}-config" --- 
@@ -45,15 +45,15 @@ metadata: argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true argocd.argoproj.io/sync-wave: "1" labels: - platform-engineer.cloud/role: admin + platform-engineer.cloud/role: grafana-admin name: client-default-role-grafana-admin spec: forProvider: clientIdRef: - name: {{ .Values.deployments.keycloak.grafanaclient.config.clientID }} + name: grafana name: admin description: admin role for grafana realmIdRef: - name: {{ $.Values.deployments.keycloak.realm.realmid }} + name: {{ $.Values.kubrix.keycloak.realm.realmid }} providerConfigRef: name: "{{ .Release.Name }}-config" \ No newline at end of file diff --git a/platform-apps/charts/keycloak/templates/cp-keycloak-default-clientscopes-backstage.yaml b/platform-apps/charts/keycloak/templates/cp-keycloak-default-clientscopes-backstage.yaml index 607c092b7..2b0d98afa 100644 --- a/platform-apps/charts/keycloak/templates/cp-keycloak-default-clientscopes-backstage.yaml +++ b/platform-apps/charts/keycloak/templates/cp-keycloak-default-clientscopes-backstage.yaml @@ -8,7 +8,7 @@ metadata: spec: forProvider: clientIdRef: - name: {{ .Values.deployments.keycloak.backstageclient.config.clientID }} + name: backstage defaultScopes: - profile - email @@ -17,6 +17,6 @@ spec: - groups - acr realmIdRef: - name: {{ $.Values.deployments.keycloak.realm.realmid }} + name: {{ $.Values.kubrix.keycloak.realm.realmid }} providerConfigRef: name: "{{ .Release.Name }}-config" diff --git a/platform-apps/charts/keycloak/templates/cp-keycloak-default-clientscopes-grafana.yaml b/platform-apps/charts/keycloak/templates/cp-keycloak-default-clientscopes-grafana.yaml index 4c98899e7..b19019a5a 100644 --- a/platform-apps/charts/keycloak/templates/cp-keycloak-default-clientscopes-grafana.yaml +++ b/platform-apps/charts/keycloak/templates/cp-keycloak-default-clientscopes-grafana.yaml 
@@ -8,7 +8,7 @@ metadata: spec: forProvider: clientIdRef: - name: {{ .Values.deployments.keycloak.grafanaclient.config.clientID }} + name: grafana defaultScopes: - profile - email @@ -18,6 +18,6 @@ spec: - acr - openid realmIdRef: - name: {{ $.Values.deployments.keycloak.realm.realmid }} + name: {{ $.Values.kubrix.keycloak.realm.realmid }} providerConfigRef: name: "{{ .Release.Name }}-config" diff --git a/platform-apps/charts/keycloak/templates/cp-keycloak-default-clientscopes-pgadmin.yaml b/platform-apps/charts/keycloak/templates/cp-keycloak-default-clientscopes-pgadmin.yaml index 87a04fabd..e2e221496 100644 --- a/platform-apps/charts/keycloak/templates/cp-keycloak-default-clientscopes-pgadmin.yaml +++ b/platform-apps/charts/keycloak/templates/cp-keycloak-default-clientscopes-pgadmin.yaml @@ -8,7 +8,7 @@ metadata: spec: forProvider: clientIdRef: - name: {{ .Values.deployments.keycloak.pgadminclient.config.clientID }} + name: pgadmin defaultScopes: - profile - email @@ -17,6 +17,6 @@ spec: - groups - acr realmIdRef: - name: {{ $.Values.deployments.keycloak.realm.realmid }} + name: {{ $.Values.kubrix.keycloak.realm.realmid }} providerConfigRef: name: "{{ .Release.Name }}-config" diff --git a/platform-apps/charts/keycloak/templates/cp-keycloak-default-clientscopes-vault.yaml b/platform-apps/charts/keycloak/templates/cp-keycloak-default-clientscopes-vault.yaml index 2bbe4e460..6091b8608 100644 --- a/platform-apps/charts/keycloak/templates/cp-keycloak-default-clientscopes-vault.yaml +++ b/platform-apps/charts/keycloak/templates/cp-keycloak-default-clientscopes-vault.yaml @@ -8,7 +8,7 @@ metadata: spec: forProvider: clientIdRef: - name: {{ .Values.deployments.keycloak.vaultclient.config.clientID }} + name: vault defaultScopes: - profile - email @@ -18,6 +18,6 @@ spec: - acr - openid realmIdRef: - name: {{ $.Values.deployments.keycloak.realm.realmid }} + name: {{ $.Values.kubrix.keycloak.realm.realmid }} providerConfigRef: name: "{{ .Release.Name }}-config" 
diff --git a/platform-apps/charts/keycloak/templates/cp-keycloak-externaldb-secret.yaml b/platform-apps/charts/keycloak/templates/cp-keycloak-externaldb-secret.yaml new file mode 100644 index 000000000..42919e510 --- /dev/null +++ b/platform-apps/charts/keycloak/templates/cp-keycloak-externaldb-secret.yaml @@ -0,0 +1,17 @@ +--- +apiVersion: v1 +kind: Secret +metadata: + name: cp-keycloak-externaldb-secret + annotations: + argocd.argoproj.io/sync-wave: "-9" + labels: + type: externaldb-credentials +type: Opaque +stringData: + HOST: "sx-keycloak2-postgresql-hl.keycloak2.svc.cluster.local" + PORT: "5432" + POSTGRES_USER: "keycloak" + POSTGRES_DATABASE: "postgres" + POSTGRES_PASSWORD: "keycloak" + POSTGRES_ADMIN: "keycloak" \ No newline at end of file diff --git a/platform-apps/charts/keycloak/templates/cp-keycloak-grafana-client.yaml b/platform-apps/charts/keycloak/templates/cp-keycloak-grafana-client.yaml index 873e098a9..646bfb99e 100644 --- a/platform-apps/charts/keycloak/templates/cp-keycloak-grafana-client.yaml +++ b/platform-apps/charts/keycloak/templates/cp-keycloak-grafana-client.yaml @@ -1,17 +1,8 @@ ---- -apiVersion: v1 -kind: Secret -metadata: - name: "{{ .Release.Name }}-client-{{ .Values.deployments.keycloak.grafanaclient.config.clientID }}-password" -type: Opaque -stringData: - {{ .Values.deployments.keycloak.grafanaclient.config.clientID }}: {{ .Values.deployments.keycloak.grafanaclient.config.clientSecret }} - --- apiVersion: openidclient.keycloak.crossplane.io/v1alpha1 kind: Client metadata: - name: {{ .Values.deployments.keycloak.grafanaclient.config.clientID }} + name: grafana annotations: argocd.argoproj.io/sync-wave: "1" argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true 
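Review bot: `cp-keycloak-externaldb-secret.yaml` hard-codes the database host as `sx-keycloak2-postgresql-hl.keycloak2.svc.cluster.local` and the password as `keycloak`, while the rest of the chart derives names from `{{ .Release.Name }}` and `{{ .Release.Namespace }}`. Installing under any other release name or namespace leaves Keycloak pointing at a service that does not exist, and the password is committed to the repository. Template the host, `HOST: "{{ .Release.Name }}-postgresql-hl.{{ .Release.Namespace }}.svc.cluster.local"` (assuming the aliased postgresql subchart keeps the Bitnami `-hl` headless service name — verify), and take `POSTGRES_PASSWORD` from a values key or an existing Secret rather than a literal. Since the subchart is gated by `condition: postgresql.enabled`, a comment stating which of these entries must be overridden when the bundled postgresql is disabled would also help.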
@@ -19,23 +10,23 @@ spec: deletionPolicy: Delete forProvider: accessType: CONFIDENTIAL - clientId: {{ .Values.deployments.keycloak.grafanaclient.config.clientID }} - name: {{ .Values.deployments.keycloak.grafanaclient.config.clientID }} - realmId: {{ .Values.deployments.keycloak.realm.realmid }} - adminUrl: "https://grafana{{ .Values.deployments.ingress.fqdn }}" - rootUrl: "https://grafana{{ .Values.deployments.ingress.fqdn }}" + clientId: grafana + name: grafana + realmId: {{ .Values.kubrix.keycloak.realm.realmid }} + adminUrl: "https://grafana{{ .Values.kubrix.keycloak.fqdn }}" + rootUrl: "https://grafana{{ .Values.kubrix.keycloak.fqdn }}" webOrigins: - - "https://grafana{{ .Values.deployments.ingress.fqdn }}" + - "https://grafana{{ .Values.kubrix.keycloak.fqdn }}" directAccessGrantsEnabled: true standardFlowEnabled: true serviceAccountsEnabled: false # managementPolicies: ["Observe"] validRedirectUris: - # - "http://grafana{{ .Values.deployments.ingress.fqdn }}:3000/login/generic_oauth" - - "https://grafana{{ .Values.deployments.ingress.fqdn }}/login/generic_oauth" + # - "http://grafana{{ .Values.kubrix.keycloak.fqdn }}:3000/login/generic_oauth" + - "https://grafana{{ .Values.kubrix.keycloak.fqdn }}/login/generic_oauth" clientSecretSecretRef: - key: {{ .Values.deployments.keycloak.grafanaclient.config.clientID }} - name: "{{ .Release.Name }}-client-{{ .Values.deployments.keycloak.grafanaclient.config.clientID }}-password" + key: grafana + name: keycloak-client-credentials namespace: {{ .Release.Namespace }} loginTheme: keycloak providerConfigRef: diff --git a/platform-apps/charts/keycloak/templates/cp-keycloak-grafana-group-roles.yaml b/platform-apps/charts/keycloak/templates/cp-keycloak-grafana-group-roles.yaml index 49b39d0ef..1f7d5dacc 100644 --- a/platform-apps/charts/keycloak/templates/cp-keycloak-grafana-group-roles.yaml +++ b/platform-apps/charts/keycloak/templates/cp-keycloak-grafana-group-roles.yaml 
@@ -1,79 +1,10 @@ -apiVersion: group.keycloak.crossplane.io/v1alpha1 -kind: Roles -metadata: - name: {{ .Values.deployments.keycloak.grafanaclient.config.clientID }}-grafana-group-roles - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/sync-wave: "1" -spec: - deletionPolicy: Delete - forProvider: - exhaustive: false - groupIdRef: - name: admins - realmIdRef: - name: {{ .Values.deployments.keycloak.realm.realmid }} - roleIdsSelector: - matchLabels: - platform-engineer.cloud/role: admin - initProvider: {} - managementPolicies: - - '*' - providerConfigRef: - name: sx-keycloak-config ---- -apiVersion: group.keycloak.crossplane.io/v1alpha1 -kind: Roles -metadata: - name: {{ .Values.deployments.keycloak.grafanaclient.config.clientID }}-grafana-group-roles-viewer - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/sync-wave: "1" -spec: - deletionPolicy: Delete - forProvider: - exhaustive: false - groupIdRef: - name: users - realmIdRef: - name: {{ .Values.deployments.keycloak.realm.realmid }} - roleIdsSelector: - matchLabels: - platform-engineer.cloud/role: editor - initProvider: {} - managementPolicies: - - '*' - providerConfigRef: - name: sx-keycloak-config ---- -apiVersion: group.keycloak.crossplane.io/v1alpha1 -kind: Roles -metadata: - name: {{ .Values.deployments.keycloak.grafanaclient.config.clientID }}-grafana-group-roles-viewer-team1 - annotations: - argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/sync-wave: "1" -spec: - deletionPolicy: Delete - forProvider: - exhaustive: false - groupIdRef: - name: team1 - realmIdRef: - name: {{ .Values.deployments.keycloak.realm.realmid }} - roleIdsSelector: - matchLabels: - platform-engineer.cloud/role: viewer - initProvider: {} - managementPolicies: - - '*' - providerConfigRef: - name: sx-keycloak-config +{{- range $group := .Values.kubrix.keycloak.realm.groups }} +{{- range $role := 
$group.roles }} --- apiVersion: group.keycloak.crossplane.io/v1alpha1 kind: Roles metadata: - name: {{ .Values.deployments.keycloak.grafanaclient.config.clientID }}-grafana-group-roles-viewer-team-a + name: grafana-group-roles-{{ $group.name }}-{{ $role }} annotations: argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true argocd.argoproj.io/sync-wave: "1" @@ -82,15 +13,16 @@ spec: forProvider: exhaustive: false groupIdRef: - name: team-a + name: {{ $group.name }} realmIdRef: - name: {{ .Values.deployments.keycloak.realm.realmid }} + name: {{ $.Values.kubrix.keycloak.realm.realmid }} roleIdsSelector: matchLabels: - platform-engineer.cloud/role: viewer + platform-engineer.cloud/role: {{ $role }} initProvider: {} managementPolicies: - '*' providerConfigRef: name: sx-keycloak-config ---- \ No newline at end of file +{{- end }} +{{- end }} diff --git a/platform-apps/charts/keycloak/templates/cp-keycloak-group-roles.yaml b/platform-apps/charts/keycloak/templates/cp-keycloak-group-roles.yaml index 09bc6e669..9925291d9 100644 --- a/platform-apps/charts/keycloak/templates/cp-keycloak-group-roles.yaml +++ b/platform-apps/charts/keycloak/templates/cp-keycloak-group-roles.yaml @@ -1,7 +1,7 @@ apiVersion: group.keycloak.crossplane.io/v1alpha1 kind: Roles metadata: - name: {{ .Values.deployments.keycloak.backstageclient.config.clientID }}-default-group-roles + name: backstage-default-group-roles annotations: argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true argocd.argoproj.io/sync-wave: "1" 
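Review bot: The rewritten `cp-keycloak-grafana-group-roles.yaml` keeps `providerConfigRef: name: sx-keycloak-config` as a literal, while every other template in this diff uses `"{{ .Release.Name }}-config"` (`"{{ $.Release.Name }}-config"` inside a range); under any other release name these Roles objects reference a ProviderConfig that does not exist. Change it to `name: "{{ $.Release.Name }}-config"`. The `roleIdsSelector` now matches `platform-engineer.cloud/role: {{ $role }}`, and the grafana client roles were relabelled to `grafana-viewer`/`grafana-editor`/`grafana-admin` in the same commit, so the `roles` entries under each group in values must use those prefixed names — a bare `viewer` would select no roles and the binding would silently be empty. A comment at the top of the template naming the expected label values would make that contract visible.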
@@ -10,17 +10,17 @@ spec: forProvider: exhaustive: false groupIdRef: - name: {{ .Values.deployments.keycloak.backstageclient.config.clientID }}-admin + name: backstage-admin realmIdRef: - name: {{ .Values.deployments.keycloak.realm.realmid }} + name: {{ .Values.kubrix.keycloak.realm.realmid }} roleIdsRefs: - - name: builtin-{{ .Values.deployments.keycloak.realm.realmid }}-realm-management-view-users - - name: builtin-{{ .Values.deployments.keycloak.realm.realmid }}-realm-management-query-groups - - name: builtin-{{ .Values.deployments.keycloak.realm.realmid }}-realm-management-query-users + - name: builtin-{{ .Values.kubrix.keycloak.realm.realmid }}-realm-management-view-users + - name: builtin-{{ .Values.kubrix.keycloak.realm.realmid }}-realm-management-query-groups + - name: builtin-{{ .Values.kubrix.keycloak.realm.realmid }}-realm-management-query-users roleIdsSelector: matchLabels: defaultRole: 'true' - realmName: {{ .Values.deployments.keycloak.realm.realmid }} + realmName: {{ .Values.kubrix.keycloak.realm.realmid }} initProvider: {} managementPolicies: - '*' diff --git a/platform-apps/charts/keycloak/templates/cp-keycloak-groups.yaml b/platform-apps/charts/keycloak/templates/cp-keycloak-groups.yaml index fa7fd78b3..547330653 100644 --- a/platform-apps/charts/keycloak/templates/cp-keycloak-groups.yaml +++ b/platform-apps/charts/keycloak/templates/cp-keycloak-groups.yaml @@ -1,4 +1,4 @@ -{{- range $group := .Values.deployments.keycloak.realm.groups }} +{{- range $group := .Values.kubrix.keycloak.realm.groups }} --- apiVersion: group.keycloak.crossplane.io/v1alpha1 kind: Group 
@@ -9,21 +9,9 @@ metadata: argocd.argoproj.io/sync-wave: "1" spec: forProvider: - realmId: {{ $.Values.deployments.keycloak.realm.realmid }} + realmId: {{ $.Values.kubrix.keycloak.realm.realmid }} name: {{ $group.name }} deletionPolicy: "Delete" providerConfigRef: name: "{{ $.Release.Name }}-config" {{- end }} -#--- -#apiVersion: group.keycloak.crossplane.io/v1alpha1 -#kind: Group -#metadata: -# name: crossplane-admin -#spec: -# forProvider: -# realmId: master -# name: crossplane-admin -# deletionPolicy: "Delete" -# providerConfigRef: -# name: "{{ $.Release.Name }}-config" diff --git a/platform-apps/charts/keycloak/templates/cp-keycloak-member.yaml b/platform-apps/charts/keycloak/templates/cp-keycloak-member.yaml index 3776cae40..f731792c9 100644 --- a/platform-apps/charts/keycloak/templates/cp-keycloak-member.yaml +++ b/platform-apps/charts/keycloak/templates/cp-keycloak-member.yaml 
@@ -1,26 +1,26 @@ apiVersion: group.keycloak.crossplane.io/v1alpha1 kind: Memberships metadata: - name: {{ .Values.deployments.keycloak.backstageclient.config.clientID }}-admin-memberships + name: backstage-admin-memberships annotations: argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true argocd.argoproj.io/sync-wave: "1" spec: forProvider: groupIdRef: - name: {{ .Values.deployments.keycloak.backstageclient.config.clientID }}-admin + name: backstage-admin members: - - service-account-{{ .Values.deployments.keycloak.backstageclient.config.clientID }} - realmId: {{ .Values.deployments.keycloak.realm.realmid }} + - service-account-backstage + realmId: {{ .Values.kubrix.keycloak.realm.realmid }} providerConfigRef: name: "{{ .Release.Name }}-config" --- -{{- range $group := .Values.deployments.keycloak.realm.groups }} +{{- range $group := .Values.kubrix.keycloak.realm.groups }} {{- if $group.members }} apiVersion: group.keycloak.crossplane.io/v1alpha1 kind: Memberships metadata: - name: {{ $.Values.deployments.keycloak.backstageclient.config.clientID }}-{{ $group.name }}-users-memberships + name: backstage-{{ $group.name }}-users-memberships annotations: argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true argocd.argoproj.io/sync-wave: "1" @@ -32,7 +32,7 @@ spec: {{- range $member := $group.members }} - {{ $member }} {{- end }} - realmId: {{ $.Values.deployments.keycloak.realm.realmid }} + realmId: {{ $.Values.kubrix.keycloak.realm.realmid }} providerConfigRef: name: "{{ $.Release.Name }}-config" --- diff --git a/platform-apps/charts/keycloak/templates/cp-keycloak-pgadmin-client.yaml b/platform-apps/charts/keycloak/templates/cp-keycloak-pgadmin-client.yaml index 571f67a20..b9ff331fa 100644 --- a/platform-apps/charts/keycloak/templates/cp-keycloak-pgadmin-client.yaml +++ b/platform-apps/charts/keycloak/templates/cp-keycloak-pgadmin-client.yaml 
@@ -1,17 +1,8 @@ ---- -apiVersion: v1 -kind: Secret -metadata: - name: "{{ .Release.Name }}-client-{{ .Values.deployments.keycloak.pgadminclient.config.clientID }}-password" -type: Opaque -stringData: - {{ .Values.deployments.keycloak.pgadminclient.config.clientID }}: {{ .Values.deployments.keycloak.pgadminclient.config.clientSecret }} - --- apiVersion: openidclient.keycloak.crossplane.io/v1alpha1 kind: Client metadata: - name: {{ .Values.deployments.keycloak.pgadminclient.config.clientID }} + name: pgadmin annotations: argocd.argoproj.io/sync-wave: "1" argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true @@ -19,19 +10,19 @@ spec: deletionPolicy: Delete forProvider: accessType: CONFIDENTIAL - clientId: {{ .Values.deployments.keycloak.pgadminclient.config.clientID }} - name: {{ .Values.deployments.keycloak.pgadminclient.config.clientID }} - realmId: {{ .Values.deployments.keycloak.realm.realmid }} + clientId: pgadmin + name: pgadmin + realmId: {{ .Values.kubrix.keycloak.realm.realmid }} directAccessGrantsEnabled: false standardFlowEnabled: true serviceAccountsEnabled: true # managementPolicies: ["Observe"] validRedirectUris: - "http://localhost:7007/api/auth/oidc/handler/frame" - - "https://pgadmin{{ .Values.deployments.ingress.fqdn }}/oauth2/authorize" + - "https://pgadmin{{ .Values.kubrix.keycloak.fqdn }}/oauth2/authorize" clientSecretSecretRef: - key: {{ .Values.deployments.keycloak.pgadminclient.config.clientID }} - name: "{{ .Release.Name }}-client-{{ .Values.deployments.keycloak.pgadminclient.config.clientID }}-password" + key: pgadmin + name: keycloak-client-credentials namespace: {{ .Release.Namespace }} loginTheme: keycloak providerConfigRef: diff --git a/platform-apps/charts/keycloak/templates/cp-keycloak-protocolmapper-grafana.yaml b/platform-apps/charts/keycloak/templates/cp-keycloak-protocolmapper-grafana.yaml index fadaa11ec..39e2e4a1a 100644 --- a/platform-apps/charts/keycloak/templates/cp-keycloak-protocolmapper-grafana.yaml 
+++ b/platform-apps/charts/keycloak/templates/cp-keycloak-protocolmapper-grafana.yaml @@ -11,7 +11,7 @@ spec: matchLabels: platform-engineer.cloud/clientscope: groups realmIdRef: - name: {{ $.Values.deployments.keycloak.realm.realmid }} + name: {{ $.Values.kubrix.keycloak.realm.realmid }} protocol: openid-connect protocolMapper: oidc-usermodel-client-role-mapper name: grafana_role diff --git a/platform-apps/charts/keycloak/templates/cp-keycloak-protocolmapper.yaml b/platform-apps/charts/keycloak/templates/cp-keycloak-protocolmapper.yaml index 17e7609f6..428710b81 100644 --- a/platform-apps/charts/keycloak/templates/cp-keycloak-protocolmapper.yaml +++ b/platform-apps/charts/keycloak/templates/cp-keycloak-protocolmapper.yaml @@ -11,7 +11,7 @@ spec: matchLabels: platform-engineer.cloud/clientscope: groups realmIdRef: - name: {{ $.Values.deployments.keycloak.realm.realmid }} + name: {{ $.Values.kubrix.keycloak.realm.realmid }} protocol: openid-connect protocolMapper: oidc-group-membership-mapper name: groups diff --git a/platform-apps/charts/keycloak/templates/cp-keycloak-realm.yaml b/platform-apps/charts/keycloak/templates/cp-keycloak-realm.yaml index 6e01d17fe..ffe08dbcd 100644 --- a/platform-apps/charts/keycloak/templates/cp-keycloak-realm.yaml +++ b/platform-apps/charts/keycloak/templates/cp-keycloak-realm.yaml 
@@ -2,19 +2,18 @@ apiVersion: realm.keycloak.crossplane.io/v1alpha1 kind: Realm metadata: - name: {{ .Values.deployments.keycloak.realm.realmid }} + name: {{ .Values.kubrix.keycloak.realm.realmid }} labels: - platform-engineer.cloud/realm: {{ .Values.deployments.keycloak.realm.realmid }} + platform-engineer.cloud/realm: {{ .Values.kubrix.keycloak.realm.realmid }} annotations: - link.argocd.argoproj.io/external-link: https://{{ .Values.deployments.ingress.host }}/admin/master/console/#/{{ .Values.deployments.keycloak.realm.realmid }} + link.argocd.argoproj.io/external-link: https://keycloak{{ .Values.kubrix.keycloak.fqdn }}/admin/master/console/#/{{ .Values.kubrix.keycloak.realm.realmid }} argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/sync-wave: "1" spec: forProvider: - realm: {{ .Values.deployments.keycloak.realm.realmid }} - displayName: {{ .Values.deployments.keycloak.realm.realmid }} + realm: {{ .Values.kubrix.keycloak.realm.realmid }} + displayName: {{ .Values.kubrix.keycloak.realm.realmid }} attributes: - frontendUrl: https://keycloak{{ .Values.deployments.ingress.fqdn }} + frontendUrl: https://keycloak{{ .Values.kubrix.keycloak.fqdn }} deletionPolicy: "Delete" providerConfigRef: name: "{{ .Release.Name }}-config" diff --git a/platform-apps/charts/keycloak/templates/cp-keycloak-secret.yaml b/platform-apps/charts/keycloak/templates/cp-keycloak-secret.yaml index 7572d5e67..4cf68ec4f 100644 --- a/platform-apps/charts/keycloak/templates/cp-keycloak-secret.yaml +++ b/platform-apps/charts/keycloak/templates/cp-keycloak-secret.yaml 
@@ -2,17 +2,21 @@ apiVersion: v1 kind: Secret metadata: - name: "{{ .Release.Name }}-credentials" + name: keycloak-credentials annotations: argocd.argoproj.io/sync-wave: "-9" + labels: + type: provider-credentials type: Opaque stringData: - keycloak-credentials: | - { - "username":{{ .Values.secrets.keycloak.admin.name | quote }}, - "client_id": "admin-cli", - "password":{{ .Values.secrets.keycloak.admin.password | quote }}, - "url": "http://{{ .Values.deployments.keycloak.service.name }}.{{ .Release.Namespace }}.svc.cluster.local:8080", - "realm": "master", - "tls_insecure_skip_verify": "true" - } + # adminUser: "admin" # delete! + admin-password: "admin1" + # crossplane provider + # used for crossplane provider and MUST be the same as adminUser from values file + username: "admin" + # used for crossplane provider and MUST be the same as adminPassword + password: "admin1" + url: "http://{{ .Release.Name }}-headless.{{ .Release.Namespace }}.svc.cluster.local:8080" + client_id: "admin-cli" + realm: "master" + tls_insecure_skip_verify: "true" \ No newline at end of file diff --git a/platform-apps/charts/keycloak/templates/cp-keycloak-users-secret.yaml b/platform-apps/charts/keycloak/templates/cp-keycloak-users-secret.yaml new file mode 100644 index 000000000..e05cf61ba --- /dev/null +++ b/platform-apps/charts/keycloak/templates/cp-keycloak-users-secret.yaml @@ -0,0 +1,19 @@ +--- +apiVersion: v1 +kind: Secret +metadata: + name: cp-keycloak-user-secret + annotations: + argocd.argoproj.io/sync-wave: "-9" + labels: + type: user-credentials +type: Opaque +stringData: + # must match users from values file + phac: "test" + jokl: "test" + backstageadmin: "test" + demouser: "test" + demouser: "test" + demoadmin: "test" + team1user: "test" diff --git a/platform-apps/charts/keycloak/templates/cp-keycloak-users.yaml b/platform-apps/charts/keycloak/templates/cp-keycloak-users.yaml index d2f23d0b2..e8e2b3462 100644 
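Review bot: The admin credentials are now literals in the template — `username: "admin"`, `password: "admin1"` and `admin-password: "admin1"` — where the previous version read them from `.Values.secrets.keycloak.admin.*`, so every environment that renders this chart gets the same well-known admin password, and the comment "MUST be the same as adminUser from values file" is the only thing tying it to `keycloak.auth.adminUser`. At minimum derive the username from the value the subchart already consumes, `username: {{ .Values.keycloak.auth.adminUser | quote }}`, and move the password into a chart value that can be overridden per environment (for example a new key under `kubrix.keycloak` — name to be chosen) instead of committing it to the template. The same literals are carried forward in the PATCH 06, 07 and 09 hunks of this file. `tls_insecure_skip_verify: "true"` has no effect on the plain-http `url` but would silently disable certificate checks if the URL is later switched to https, so it is better removed than left in.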
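Review bot: The Secret is named `cp-keycloak-user-secret`, but the `valueSecretRef` in cp-keycloak-users.yaml (next hunk) points at `"cp-keycloak-users-secret"`, so the provider will not find any user's initial password; one of the two names has to change. `demouser: "test"` also appears twice in `stringData`, a duplicate mapping key that YAML parsers may reject or silently collapse. The key list is no longer generated from `kubrix.keycloak.realm.users` as the removed template did, so a user added to values without a matching key here fails the same lookup; consider keeping `{{- range $user := .Values.kubrix.keycloak.realm.users }}` over a per-user password value rather than a hand-maintained list of identical `"test"` passwords.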
--- a/platform-apps/charts/keycloak/templates/cp-keycloak-users.yaml +++ b/platform-apps/charts/keycloak/templates/cp-keycloak-users.yaml @@ -1,15 +1,4 @@ ---- -apiVersion: v1 -kind: Secret -metadata: - name: "{{ .Release.Name }}-initial-passwords" -type: Opaque -stringData: - {{- range $user := $.Values.deployments.keycloak.realm.users }} - {{$user.name}}: {{$user.password}} - {{- end }} - -{{- range $user := .Values.deployments.keycloak.realm.users }} +{{- range $user := .Values.kubrix.keycloak.realm.users }} --- apiVersion: user.keycloak.crossplane.io/v1alpha1 kind: User @@ -20,7 +9,7 @@ metadata: argocd.argoproj.io/sync-wave: "1" spec: forProvider: - realmId: {{ $.Values.deployments.keycloak.realm.realmid }} + realmId: {{ $.Values.kubrix.keycloak.realm.realmid }} username: {{ $user.name }} enabled: true emailVerified: true @@ -29,7 +18,7 @@ spec: email: {{ $user.email }} initialPassword: - valueSecretRef: - name: "{{ $.Release.Name }}-initial-passwords" + name: "cp-keycloak-users-secret" key: {{ $user.name }} namespace: {{ $.Release.Namespace }} temporary: false # should be set to true in production diff --git a/platform-apps/charts/keycloak/templates/cp-keycloak-vault-client.yaml b/platform-apps/charts/keycloak/templates/cp-keycloak-vault-client.yaml index f8e8b5bdc..2bffa4612 100644 --- a/platform-apps/charts/keycloak/templates/cp-keycloak-vault-client.yaml +++ b/platform-apps/charts/keycloak/templates/cp-keycloak-vault-client.yaml 
@@ -1,17 +1,8 @@ ---- -apiVersion: v1 -kind: Secret -metadata: - name: "{{ .Release.Name }}-client-{{ .Values.deployments.keycloak.vaultclient.config.clientID }}-password" -type: Opaque -stringData: - {{ .Values.deployments.keycloak.vaultclient.config.clientID }}: {{ .Values.deployments.keycloak.vaultclient.config.clientSecret }} - --- apiVersion: openidclient.keycloak.crossplane.io/v1alpha1 kind: Client metadata: - name: {{ .Values.deployments.keycloak.vaultclient.config.clientID }} + name: vault annotations: argocd.argoproj.io/sync-wave: "1" argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true @@ -19,20 +10,20 @@ spec: deletionPolicy: Delete forProvider: accessType: CONFIDENTIAL - clientId: {{ .Values.deployments.keycloak.vaultclient.config.clientID }} - name: {{ .Values.deployments.keycloak.vaultclient.config.clientID }} - realmId: {{ .Values.deployments.keycloak.realm.realmid }} - adminUrl: "https://vault{{ .Values.deployments.ingress.fqdn }}" - rootUrl: "https://vault{{ .Values.deployments.ingress.fqdn }}" + clientId: vault + name: vault + realmId: {{ .Values.kubrix.keycloak.realm.realmid }} + adminUrl: "https://vault{{ .Values.kubrix.keycloak.fqdn }}" + rootUrl: "https://vault{{ .Values.kubrix.keycloak.fqdn }}" directAccessGrantsEnabled: false standardFlowEnabled: true serviceAccountsEnabled: true # managementPolicies: ["Observe"] validRedirectUris: - - "https://vault{{ .Values.deployments.ingress.fqdn }}/ui/vault/auth/oidc/oidc/callback" + - "https://vault{{ .Values.kubrix.keycloak.fqdn }}/ui/vault/auth/oidc/oidc/callback" clientSecretSecretRef: - key: {{ .Values.deployments.keycloak.vaultclient.config.clientID }} - name: "{{ .Release.Name }}-client-{{ .Values.deployments.keycloak.vaultclient.config.clientID }}-password" + key: vault + name: keycloak-client-credentials namespace: {{ .Release.Namespace }} loginTheme: keycloak providerConfigRef: 
diff --git a/platform-apps/charts/keycloak/templates/cp-provider.yaml b/platform-apps/charts/keycloak/templates/cp-provider.yaml index 20f910856..f2848bb2c 100644 --- a/platform-apps/charts/keycloak/templates/cp-provider.yaml +++ b/platform-apps/charts/keycloak/templates/cp-provider.yaml @@ -6,4 +6,4 @@ metadata: annotations: argocd.argoproj.io/sync-wave: "-10" spec: - package: xpkg.upbound.io/crossplane-contrib/provider-keycloak:v1.10.1 + package: xpkg.upbound.io/crossplane-contrib/provider-keycloak:v1.11.0 \ No newline at end of file diff --git a/platform-apps/charts/keycloak/templates/cp-providerconfig.yaml b/platform-apps/charts/keycloak/templates/cp-providerconfig.yaml index 0b325e554..fdb2cb9c0 100644 --- a/platform-apps/charts/keycloak/templates/cp-providerconfig.yaml +++ b/platform-apps/charts/keycloak/templates/cp-providerconfig.yaml @@ -11,6 +11,6 @@ spec: credentials: source: Secret secretRef: - name: "{{ .Release.Name }}-credentials" - key: keycloak-credentials + name: keycloak-credentials + key: credentials namespace: "{{ .Release.Namespace }}" diff --git a/platform-apps/charts/keycloak/templates/ingress.yaml b/platform-apps/charts/keycloak/templates/ingress.yaml deleted file mode 100644 index ab7a3a90e..000000000 --- a/platform-apps/charts/keycloak/templates/ingress.yaml +++ /dev/null 
@@ -1,38 +0,0 @@ -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: "{{ .Values.deployments.keycloak.service.name }}" - annotations: -{{- if .Values.gardenercert.enabled }} - cert.gardener.cloud/purpose: managed - dns.gardener.cloud/class: garden - dns.gardener.cloud/dnsnames: keycloak{{ .Values.deployments.ingress.fqdn }} - dns.gardener.cloud/ttl: "180" -{{- end }} -{{- if hasKey .Values "certmanager" }} -{{- if .Values.certmanager.enabled }} - cert-manager.io/cluster-issuer: {{ .Values.certmanager.issuer }} -{{- end }} -{{- end }} - nginx.ingress.kubernetes.io/backend-protocol: HTTP -# nginx.ingress.kubernetes.io/force-ssl-redirect: "true" -# nginx.ingress.kubernetes.io/proxy-buffer-size: "128k" -spec: - {{- if .Values.deployments.ingress.className }} - ingressClassName: {{ .Values.deployments.ingress.className | quote }} - {{- end }} - tls: - - hosts: - - "keycloak{{ .Values.deployments.ingress.fqdn }}" - secretName: "{{ .Values.secrets.tls.name }}" - rules: - - host: "keycloak{{ .Values.deployments.ingress.fqdn }}" - http: - paths: - - path: / - pathType: Prefix - backend: - service: - name: "{{ .Values.deployments.keycloak.service.name }}" - port: - number: {{.Values.deployments.keycloak.ports.containerPort}} diff --git a/platform-apps/charts/keycloak/templates/keycloak.yaml b/platform-apps/charts/keycloak/templates/keycloak.yaml deleted file mode 100644 index a9a36fdd9..000000000 --- a/platform-apps/charts/keycloak/templates/keycloak.yaml +++ /dev/null 
@@ -1,121 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: "{{ .Values.deployments.keycloak.service.name }}" - labels: - app: "{{ .Values.deployments.keycloak.service.name }}" -spec: - ports: - - name: "{{ .Values.deployments.keycloak.service.name }}" - port: {{.Values.deployments.keycloak.ports.containerPort}} -# port: {{.Values.deployments.securePort}} -# targetPort: {{.Values.deployments.keycloak.ports.containerPort}} - selector: - app: "{{ .Values.deployments.keycloak.service.name }}" - type: ClusterIP ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: "{{ .Values.deployments.keycloak.service.name }}" - labels: - app: "{{ .Values.deployments.keycloak.service.name }}" -spec: - replicas: 1 - selector: - matchLabels: - app: "{{ .Values.deployments.keycloak.service.name }}" - template: - metadata: - labels: - app: "{{ .Values.deployments.keycloak.service.name }}" - spec: - containers: - - name: "{{ .Values.deployments.keycloak.service.name }}" - image: quay.io/keycloak/keycloak:{{ .Values.deployments.keycloak.version }} - args: ["start-dev"] - env: - - name: KEYCLOAK_ADMIN - valueFrom: - secretKeyRef: - key: KEYCLOAK_ADMIN - name: "{{ .Values.secrets.keycloak.name }}" - - name: KEYCLOAK_ADMIN_PASSWORD - valueFrom: - secretKeyRef: - key: KEYCLOAK_ADMIN_PASSWORD - name: "{{ .Values.secrets.keycloak.name }}" - - name: KC_PROXY - value: "edge" - - name: KC_HEALTH_ENABLED - value: "true" - - name: KC_METRICS_ENABLED - value: "true" - - name: KC_HOSTNAME_STRICT_HTTPS - value: "true" - - name: KC_LOG_LEVEL - value: INFO - - name: DB_VENDOR - value: POSTGRES - - name: KC_HTTP_PORT - value: "{{.Values.deployments.keycloak.ports.containerPort}}" - - name: KC_HTTPS_PORT - value: "{{.Values.deployments.securePort}}" - - name: DB_ADDR - value: "{{ .Values.deployments.postgres.service.name }}" - - name: DB_DATABASE - valueFrom: - secretKeyRef: - name: "{{ .Values.secrets.postgres.name }}" - key: POSTGRES_DB - - name: DB_USER - valueFrom: - secretKeyRef: - 
name: "{{ .Values.secrets.postgres.name }}" - key: POSTGRES_USER - - name: DB_PASSWORD - valueFrom: - secretKeyRef: - name: "{{ .Values.secrets.postgres.name }}" - key: POSTGRES_PASSWORD - ports: - - name: http - containerPort: - {{.Values.deployments.keycloak.ports.containerPort}} - - name: https - containerPort: - {{.Values.deployments.securePort}} - lifecycle: - postStart: - exec: - command: ["/bin/bash", "-c", "cd /opt/keycloak/bin; ./poststart.sh > /tmp/poststart.log"] - readinessProbe: - httpGet: - path: /realms/master - port: {{.Values.deployments.keycloak.ports.containerPort}} - initialDelaySeconds: 120 - periodSeconds: 10 - livenessProbe: - tcpSocket: - port: http - initialDelaySeconds: 500 - periodSeconds: 30 - resources: - limits: - memory: 2048Mi - cpu: "2" - requests: - memory: 1024Mi - cpu: "0.6" - volumeMounts: - - mountPath: /opt/keycloak/bin/poststart.sh - name: keycloak-hookvolume - subPath: poststart.sh - - mountPath: /tmp/kubrix.realm.json - subPath: kubrix.realm.json - name: keycloak-hookvolume - volumes: - - configMap: - defaultMode: 493 - name: keycloak-configmap - name: keycloak-hookvolume diff --git a/platform-apps/charts/keycloak/templates/postgres.yaml b/platform-apps/charts/keycloak/templates/postgres.yaml deleted file mode 100644 index ad0b0e46d..000000000 --- a/platform-apps/charts/keycloak/templates/postgres.yaml +++ /dev/null 
@@ -1,61 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: "{{ .Values.deployments.postgres.service.name }}" - labels: - app: "{{ .Values.deployments.postgres.service.name }}" -spec: - ports: - - port: {{.Values.deployments.postgres.service.port}} - name: "{{ .Values.deployments.postgres.service.name }}" - selector: - app: "{{ .Values.deployments.postgres.service.name }}" - type: ClusterIP ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: "{{ .Values.deployments.postgres.service.name }}" -spec: - selector: - matchLabels: - app: "{{ .Values.deployments.postgres.service.name }}" - strategy: - type: Recreate - template: - metadata: - labels: - app: "{{ .Values.deployments.postgres.service.name }}" - spec: - initContainers: - - name: init-clean - image: busybox - command: ['sh', '-c', 'rm -rf /var/lib/postgresql/data/*'] - volumeMounts: - - name: postgres-storage - mountPath: /var/lib/postgresql/data - containers: - - image: "{{ .Values.deployments.postgres.image.name }}" - name: "{{ .Values.deployments.postgres.service.name }}" - envFrom: - - secretRef: - name: "{{ .Values.secrets.postgres.name }}" - ports: - - containerPort: {{.Values.deployments.postgres.service.port}} - name: "{{ .Values.deployments.postgres.service.name }}" - securityContext: - privileged: false - volumeMounts: - - name: "{{ .Values.deployments.postgres.volume.name }}" - mountPath: "{{ .Values.deployments.postgres.volume.path }}" - resources: - limits: - memory: 512Mi - cpu: "1" - requests: - memory: 256Mi - cpu: "0.2" - volumes: - - name: "{{ .Values.deployments.postgres.volume.name }}" - persistentVolumeClaim: - claimName: "{{ .Values.pvc.name }}" diff --git a/platform-apps/charts/keycloak/templates/pvc.yaml b/platform-apps/charts/keycloak/templates/pvc.yaml deleted file mode 100644 index e79dd4635..000000000 --- a/platform-apps/charts/keycloak/templates/pvc.yaml +++ /dev/null 
@@ -1,13 +0,0 @@ -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: "{{ .Values.pvc.name }}" - labels: - app: "{{ .Values.deployments.postgres.service.name }}" -spec: - #storageClassName: "default" - accessModes: - - ReadWriteOnce - resources: - requests: - storage: "{{ .Values.pvc.size }}" diff --git a/platform-apps/charts/keycloak/templates/secrets.yml b/platform-apps/charts/keycloak/templates/secrets.yml deleted file mode 100644 index 3cc8d34fd..000000000 --- a/platform-apps/charts/keycloak/templates/secrets.yml +++ /dev/null @@ -1,18 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: "{{ .Values.secrets.postgres.name }}" -type: Opaque -stringData: - POSTGRES_USER: "{{ .Values.secrets.postgres.admin.name }}" - POSTGRES_PASSWORD: "{{ .Values.secrets.postgres.admin.password }}" - POSTGRES_DB: "{{ .Values.deployments.postgres.db.name }}" ---- -apiVersion: v1 -kind: Secret -metadata: - name: "{{ .Values.secrets.keycloak.name }}" -type: Opaque -stringData: - KEYCLOAK_ADMIN: "{{ .Values.secrets.keycloak.admin.name }}" - KEYCLOAK_ADMIN_PASSWORD: "{{ .Values.secrets.keycloak.admin.password }}" diff --git a/platform-apps/charts/keycloak/templates/xr.yaml b/platform-apps/charts/keycloak/templates/xr.yaml index 8dc49a306..f97c02cc7 100644 --- a/platform-apps/charts/keycloak/templates/xr.yaml +++ b/platform-apps/charts/keycloak/templates/xr.yaml 
@@ -1,39 +1,13 @@ -# Example for Master Realm -#apiVersion: keycloak.crossplane.io/v1alpha1 -#kind: XBuiltinObjects -#metadata: -# name: keycloak-builtin-objects-master -# annotations: -# argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true -#spec: -# providerConfigName: sx-keycloak-config -# providerSecretName: keycloak-credentials-cp -# realm: master -# builtinClients: -# - account -# - account-console -# - admin-cli -# - broker -# - master-realm -# - security-admin-console -# builtinRealmRoles: -# - offline_access -# - uma_authorization -# - admin -# - create-realm -#--- -# Example for a custom realm (custom realms have different builtin clients/roles than the master realm) apiVersion: keycloak.crossplane.io/v1alpha1 kind: XBuiltinObjects metadata: - name: keycloak-builtin-objects-{{ .Values.deployments.keycloak.realm.realmid }} + name: keycloak-builtin-objects-{{ .Values.kubrix.keycloak.realm.realmid }} annotations: argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/sync-wave: "-1" spec: providerConfigName: sx-keycloak-config - providerSecretName: keycloak-credentials-cp - realm: {{ .Values.deployments.keycloak.realm.realmid }} + providerSecretName: keycloak-credentials + realm: {{ .Values.kubrix.keycloak.realm.realmid }} builtinClients: - account - account-console diff --git a/platform-apps/charts/keycloak/values-k3d.yaml b/platform-apps/charts/keycloak/values-k3d.yaml index f62b076b7..0a5ae4ea2 100644 --- a/platform-apps/charts/keycloak/values-k3d.yaml +++ b/platform-apps/charts/keycloak/values-k3d.yaml 
@@ -1,44 +1,87 @@ -# Postgres account data, web server certificates, and keycloak admin user -secrets: - postgres: - name: postgres-credentials - admin: - name: postgres - password: postgres - tls: - name: keycloak-server-tls - keycloak: - name: keycloak-secrets - admin: - name: admin - password: admin +keycloak: + #extraEnvVars: + # - name: KEYCLOAK_LOG_LEVEL + # value: DEBUG + auth: + adminUser: admin + existingSecret: "keycloak-credentials" + ingress: + enabled: true + hostname: keycloak2-127-0-0-1.nip.io + #ingressClassName: nginx + path: / + annotations: + nginx.ingress.kubernetes.io/rewrite-target: / + nginx.ingress.kubernetes.io/backend-protocol: HTTP + tls: true + extraTls: + - hosts: + - keycloak2-127-0-0-1.nip.io + secretName: keycloak2-server-tls + pdb: + create: false + postgresql: + enabled: false + externalDatabase: + # host: "sx-keycloak2-postgresql-hl.keycloak2.svc.cluster.local" + # port: 5432 + # user: keycloak + # database: postgres + # password: keycloak + existingSecret: "cp-keycloak-externaldb-secret" + existingSecretHostKey: "HOST" + existingSecretPortKey: "PORT" + existingSecretUserKey: "POSTGRES_USER" + existingSecretDatabaseKey: "POSTGRES_DATABASE" + existingSecretPasswordKey: "POSTGRES_PASSWORD" -gardenercert: - enabled: false + readinessProbe: + httpGet: + path: /realms/master + port: http + initialDelaySeconds: 60 + timeoutSeconds: 5 -# Postgres, Keycloak and Ingress deployments -deployments: - securePort: 443 - postgres: - image: - name: postgres:latest - db: - name: keycloak - service: - name: postgres - port: 5432 - volume: - name: postgres-storage - path: /var/lib/postgresql/data - ingress: - fqdn: -127-0-0-1.nip.io # add to prefix keycloak in templates + resources: + requests: + memory: "512Mi" + cpu: "300m" + limits: + memory: "1Gi" + cpu: "1" + + networkPolicy: + enabled: false + + keycloakConfigCli: + enabled: false +######## postgres instance +postgresql: + enabled: true + pdb: + create: false + primary: + networkPolicy: + 
enabled: false + persistence: + size: 1Gi # for demo only + auth: +# postgresPassword: "keycloak" + username: keycloak + database: postgres + existingSecret: "cp-keycloak-externaldb-secret" + secretKeys: + userPasswordKey: POSTGRES_PASSWORD + adminPasswordKey: POSTGRES_ADMIN + # replicationPasswordKey: # not used + volumePermissions: + enabled: false + architecture: standalone + +#### kubrix +kubrix: keycloak: - version: 25.0.2 - service: - name: keycloak-service - ports: - containerPort: 8080 - # keycloak realm config + fqdn: -127-0-0-1.nip.io # add to prefix keycloak in templates realm: realmid: kubrix users: 
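Review bot: `postgresql.auth.secretKeys.adminPasswordKey: POSTGRES_ADMIN` requires that key to exist in `cp-keycloak-externaldb-secret`; the PATCH 03 hunk of that template shows `HOST`, `PORT`, `POSTGRES_USER` and `POSTGRES_DATABASE` but the rest of the file is outside this view, so confirm `POSTGRES_ADMIN` is present — otherwise the subchart's `secretKeyRef` resolution presumably fails at pod start. `ingress.tls: true` together with `extraTls` for the same `hostname` likely yields two `tls` entries for one host (the subchart's conventional `<hostname>-tls` plus `keycloak2-server-tls`); keep one of them. `keycloak.ingress.hostname` and `kubrix.keycloak.fqdn` (rendered as `keycloak` + fqdn in `frontendUrl` and the client redirect URIs) are independent values that must agree, which the `keycloak2-` vs `keycloak-` difference in this hunk (corrected in PATCH 04) already shows; a one-line comment next to `fqdn` saying it must match `keycloak.ingress.hostname` would help.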
@@ -46,73 +89,46 @@ deployments: firstName: Philipp lastName: Achmueller email: "philipp.achmueller@platform-engineer.cloud" - password: "test" - name: jokl firstName: Johannes lastName: Kleinlercher email: "johannes.kleinlercher@platform-engineer.cloud" - password: "test" - name: backstageadmin firstName: MrBackstage lastName: MrAdmin email: "backstageadmin@platform-engineer.cloud" - password: "test" - name: demouser firstName: demo lastName: user email: "demouser@platform-engineer.cloud" - password: "test" - name: demoadmin firstName: demo lastName: admin email: "demoadmin@platform-engineer.cloud" - password: "test" - name: team1user firstName: team1 lastName: demouser email: "team1user@platform-engineer.cloud" - password: "test" groups: - name: admins + roles: + - grafana-admin members: - backstageadmin - demoadmin - name: team1 + roles: + - grafana-viewer members: - team1user - name: users + roles: + - grafana-editor members: - phac - jokl - demouser - name: backstage-admin # for service-account permission workaround - # backstage client - backstageclient: - config: - clientID: backstage - clientSecret: demosecret - # vault client - vaultclient: - config: - clientID: vault - clientSecret: demosecret - # grafana client - grafanaclient: - config: - clientID: grafana - clientSecret: demosecret - # pgadmin client - pgadminclient: - config: - clientID: pgadmin - clientSecret: demosecret # start with 2FA mobile Authenticators mfa: - enabled: false -# PersistenVolume / PersistenVolumeClaims -pv: - name: postgres-pv - size: 1Gi -pvc: - name: postgres-pvc - size: 1Gi + enabled: false \ No newline at end of file From 94c2e0181a44fad4d0c704aaf67ff1121527ec70 Mon Sep 17 00:00:00 2001 From: phac008 Date: Sun, 2 Mar 2025 22:28:19 +0100 Subject: [PATCH 02/26] update Chart.lock Signed-off-by: phac008 --- platform-apps/charts/keycloak/Chart.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/platform-apps/charts/keycloak/Chart.lock b/platform-apps/charts/keycloak/Chart.lock index 8bcccbc6d..efd273a37 100644 --- a/platform-apps/charts/keycloak/Chart.lock +++ b/platform-apps/charts/keycloak/Chart.lock @@ -5,5 +5,5 @@ dependencies: - name: postgresql repository: https://charts.bitnami.com/bitnami version: 16.4.14 -digest: sha256:59fb1d148bae6ffbd53978756c1c9740f9f4753b30807716b0030ec70509cdd2 -generated: "2025-02-28T13:18:41.658653+01:00" +digest: sha256:ae318c6c0a7e2e8b1d9d2974f6be5d0067b845e73ec44f8436b56f5b1308ab9d +generated: "2025-03-02T22:27:52.301012+01:00" From 0a1bc1aa80618091c041285aa05cc9a3c230a2d5 Mon Sep 17 00:00:00 2001 From: phac008 Date: Sun, 2 Mar 2025 22:36:28 +0100 Subject: [PATCH 03/26] template postgres secret Signed-off-by: phac008 --- .../keycloak/templates/cp-keycloak-externaldb-secret.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/platform-apps/charts/keycloak/templates/cp-keycloak-externaldb-secret.yaml b/platform-apps/charts/keycloak/templates/cp-keycloak-externaldb-secret.yaml index 42919e510..f5f7137f6 100644 --- a/platform-apps/charts/keycloak/templates/cp-keycloak-externaldb-secret.yaml +++ b/platform-apps/charts/keycloak/templates/cp-keycloak-externaldb-secret.yaml @@ -9,7 +9,7 @@ metadata: type: externaldb-credentials type: Opaque stringData: - HOST: "sx-keycloak2-postgresql-hl.keycloak2.svc.cluster.local" + HOST: "{{ .Release.Name }}-postgresql-hl.{{ .Release.Namespace }}.svc.cluster.local" PORT: "5432" POSTGRES_USER: "keycloak" POSTGRES_DATABASE: "postgres" From 98350fb37b8904d230d21d60aeb0b00fec5de95f Mon Sep 17 00:00:00 2001 From: phac008 Date: Sun, 2 Mar 2025 22:41:11 +0100 Subject: [PATCH 04/26] remove 2 from previous local tests Signed-off-by: phac008 --- platform-apps/charts/keycloak/values-k3d.yaml | 11 +++-------- 1 file changed, 3 insertions(+), 8 deletions(-) 
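Review bot: `POSTGRES_USER: "keycloak"` and `POSTGRES_DATABASE: "postgres"` stay as literals while `HOST` is now templated, and the same two values are declared again in values-k3d.yaml under `postgresql.auth.username` / `database`; the two copies are tied together only by convention, so changing one without the other leaves Keycloak unable to connect. Template them from the values the subchart already reads, e.g. `POSTGRES_USER: {{ .Values.postgresql.auth.username | quote }}` and `POSTGRES_DATABASE: {{ .Values.postgresql.auth.database | quote }}`. The password keys of this Secret are outside the hunk.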
diff --git a/platform-apps/charts/keycloak/values-k3d.yaml b/platform-apps/charts/keycloak/values-k3d.yaml index 0a5ae4ea2..c98a338eb 100644 --- a/platform-apps/charts/keycloak/values-k3d.yaml +++ b/platform-apps/charts/keycloak/values-k3d.yaml @@ -7,7 +7,7 @@ keycloak: existingSecret: "keycloak-credentials" ingress: enabled: true - hostname: keycloak2-127-0-0-1.nip.io + hostname: keycloak-127-0-0-1.nip.io #ingressClassName: nginx path: / annotations: @@ -16,18 +16,13 @@ keycloak: tls: true extraTls: - hosts: - - keycloak2-127-0-0-1.nip.io - secretName: keycloak2-server-tls + - keycloak-127-0-0-1.nip.io + secretName: keycloak-server-tls pdb: create: false postgresql: enabled: false externalDatabase: - # host: "sx-keycloak2-postgresql-hl.keycloak2.svc.cluster.local" - # port: 5432 - # user: keycloak - # database: postgres - # password: keycloak existingSecret: "cp-keycloak-externaldb-secret" existingSecretHostKey: "HOST" existingSecretPortKey: "PORT" From bc661127fca5721b141f929b11123c27ad8624d3 Mon Sep 17 00:00:00 2001 From: phac008 Date: Sun, 2 Mar 2025 22:53:55 +0100 Subject: [PATCH 05/26] health for crossplane keycloak provider Signed-off-by: phac008 --- platform-apps/charts/argocd/values-k3d.yaml | 115 ++++++++++++++++++++ 1 file changed, 115 insertions(+) diff --git a/platform-apps/charts/argocd/values-k3d.yaml b/platform-apps/charts/argocd/values-k3d.yaml index 27f57fe13..a4127b041 100644 --- a/platform-apps/charts/argocd/values-k3d.yaml +++ b/platform-apps/charts/argocd/values-k3d.yaml 
@@ -32,6 +32,121 @@ argo-cd: end return hs + "*.upbound.io/*": + health.lua: | + health_status = { + status = "Progressing", + message = "Provisioning ..." + } + local function contains (table, val) + for i, v in ipairs(table) do + if v == val then + return true + end + end + return false + end + local has_no_status = { + "ProviderConfig", + "ProviderConfigUsage" + } + if obj.status == nil or next(obj.status) == nil and contains(has_no_status, obj.kind) then + health_status.status = "Healthy" + health_status.message = "Resource is up-to-date." + return health_status + end + if obj.status == nil or next(obj.status) == nil or obj.status.conditions == nil then + if obj.kind == "ProviderConfig" and obj.status.users ~= nil then + health_status.status = "Healthy" + health_status.message = "Resource is in use." + return health_status + end + return health_status + end + for i, condition in ipairs(obj.status.conditions) do + if condition.type == "LastAsyncOperation" then + if condition.status == "False" then + health_status.status = "Degraded" + health_status.message = condition.message + return health_status + end + end + if condition.type == "Synced" then + if condition.status == "False" then + health_status.status = "Degraded" + health_status.message = condition.message + return health_status + end + end + if condition.type == "Ready" then + if condition.status == "True" then + health_status.status = "Healthy" + health_status.message = "Resource is up-to-date." + return health_status + end + end + end + return health_status + "*.crossplane.io/*": + health.lua: | + health_status = { + status = "Progressing", + message = "Provisioning ..." 
+ } + local function contains (table, val) + for i, v in ipairs(table) do + if v == val then + return true + end + end + return false + end + local has_no_status = { + "Composition", + "CompositionRevision", + "DeploymentRuntimeConfig", + "ControllerConfig", + "ProviderConfig", + "ProviderConfigUsage" + } + if obj.status == nil or next(obj.status) == nil and contains(has_no_status, obj.kind) then + health_status.status = "Healthy" + health_status.message = "Resource is up-to-date." + return health_status + end + if obj.status == nil or next(obj.status) == nil or obj.status.conditions == nil then + if obj.kind == "ProviderConfig" and obj.status.users ~= nil then + health_status.status = "Healthy" + health_status.message = "Resource is in use." + return health_status + end + return health_status + end + for i, condition in ipairs(obj.status.conditions) do + if condition.type == "LastAsyncOperation" then + if condition.status == "False" then + health_status.status = "Degraded" + health_status.message = condition.message + return health_status + end + end + if condition.type == "Synced" then + if condition.status == "False" then + health_status.status = "Degraded" + health_status.message = condition.message + return health_status + end + end + if contains({"Ready", "Healthy", "Offered", "Established"}, condition.type) then + if condition.status == "True" then + health_status.status = "Healthy" + health_status.message = "Resource is up-to-date." + return health_status + end + end + end + return health_status + rbac: policy.csv: | p, backstage, applications, get, */*, allow From 3086726cf19f4878e61b70ac83415dc8a835ef14 Mon Sep 17 00:00:00 2001 From: phac008 Date: Sun, 2 Mar 2025 23:51:49 +0100 Subject: [PATCH 06/26] change yaml back to json format due to XBuiltinObjects reference Signed-off-by: phac008 --- .../templates/cp-keycloak-secret.yaml | 23 ++++++++++--------- 1 file changed, 12 insertions(+), 11 deletions(-) 
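Review bot: The first status check in both health scripts evaluates as `obj.status == nil or (next(obj.status) == nil and contains(has_no_status, obj.kind))` because `and` binds tighter than `or`, so any object whose status has not been populated yet is reported Healthy regardless of kind, and the `has_no_status` list only gates the empty-table case; for a Provider or managed resource still being provisioned this can let the next sync wave advance before the resource is Ready, and the later `if obj.status == nil or ...` branch is unreachable for the nil case. If the kind list is meant to gate both cases, write `if (obj.status == nil or next(obj.status) == nil) and contains(has_no_status, obj.kind) then` in both the `*.upbound.io/*` and the `*.crossplane.io/*` script; otherwise add the parentheses that make the current precedence explicit. `health_status` is also assigned without `local`, and the `contains` parameter named `table` shadows the standard library table inside that function; both work but are worth tightening.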
diff --git a/platform-apps/charts/keycloak/templates/cp-keycloak-secret.yaml b/platform-apps/charts/keycloak/templates/cp-keycloak-secret.yaml index 4cf68ec4f..8b06e1fdd 100644 --- a/platform-apps/charts/keycloak/templates/cp-keycloak-secret.yaml +++ b/platform-apps/charts/keycloak/templates/cp-keycloak-secret.yaml @@ -9,14 +9,15 @@ metadata: type: provider-credentials type: Opaque stringData: - # adminUser: "admin" # delete! - admin-password: "admin1" - # crossplane provider - # used for crossplane provider and MUST be the same as adminUser from values file - username: "admin" - # used for crossplane provider and MUST be the same as adminPassword - password: "admin1" - url: "http://{{ .Release.Name }}-headless.{{ .Release.Namespace }}.svc.cluster.local:8080" - client_id: "admin-cli" - realm: "master" - tls_insecure_skip_verify: "true" \ No newline at end of file + # credentials username MUST be the same as adminUser from values file + # credentials password MUST be the same as adminPassword + credentials: | + { + "admin-password": "admin1", + "username": "admin", + "password": "admin1", + "url": "http://{{ .Release.Name }}-headless.{{ .Release.Namespace }}.svc.cluster.local:8080", + "client_id": "admin-cli", + "realm": "master", + "tls_insecure_skip_verify": "true" + } \ No newline at end of file From 918792e76e419dde9bdb6db7acd6ea754f75eb4b Mon Sep 17 00:00:00 2001 From: phac008 Date: Sun, 2 Mar 2025 23:57:54 +0100 Subject: [PATCH 07/26] fix annotation for credentials Signed-off-by: phac008 --- .../keycloak/templates/cp-keycloak-secret.yaml | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/platform-apps/charts/keycloak/templates/cp-keycloak-secret.yaml b/platform-apps/charts/keycloak/templates/cp-keycloak-secret.yaml index 8b06e1fdd..d298a09f9 100644 --- a/platform-apps/charts/keycloak/templates/cp-keycloak-secret.yaml +++ b/platform-apps/charts/keycloak/templates/cp-keycloak-secret.yaml 
@@ -12,12 +12,12 @@ stringData: # credentials username MUST be the same as adminUser from values file # credentials password MUST be the same as adminPassword credentials: | - { - "admin-password": "admin1", - "username": "admin", - "password": "admin1", - "url": "http://{{ .Release.Name }}-headless.{{ .Release.Namespace }}.svc.cluster.local:8080", - "client_id": "admin-cli", - "realm": "master", - "tls_insecure_skip_verify": "true" - } \ No newline at end of file + { + "admin-password": "admin1", + "username": "admin", + "password": "admin1", + "url": "http://{{ .Release.Name }}-headless.{{ .Release.Namespace }}.svc.cluster.local:8080", + "client_id": "admin-cli", + "realm": "master", + "tls_insecure_skip_verify": "true" + } \ No newline at end of file From 88599f0b828ab324e22162e2b4606942254a00bb Mon Sep 17 00:00:00 2001 From: phac008 Date: Mon, 3 Mar 2025 00:07:38 +0100 Subject: [PATCH 08/26] change email domain to kubrix.io Signed-off-by: phac008 --- platform-apps/charts/keycloak/values-k3d.yaml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/platform-apps/charts/keycloak/values-k3d.yaml b/platform-apps/charts/keycloak/values-k3d.yaml index c98a338eb..e1eec0e99 100644 --- a/platform-apps/charts/keycloak/values-k3d.yaml +++ b/platform-apps/charts/keycloak/values-k3d.yaml 
@@ -83,27 +83,27 @@ kubrix: - name: phac firstName: Philipp lastName: Achmueller - email: "philipp.achmueller@platform-engineer.cloud" + email: "philipp.achmueller@kubrix.io" - name: jokl firstName: Johannes lastName: Kleinlercher - email: "johannes.kleinlercher@platform-engineer.cloud" + email: "johannes.kleinlercher@kubrix.io" - name: backstageadmin firstName: MrBackstage lastName: MrAdmin - email: "backstageadmin@platform-engineer.cloud" + email: "backstageadmin@kubrix.io" - name: demouser firstName: demo lastName: user - email: "demouser@platform-engineer.cloud" + email: "demouser@kubrix.io" - name: demoadmin firstName: demo lastName: admin - email: "demoadmin@platform-engineer.cloud" + email: "demoadmin@kubrix.io" - name: team1user firstName: team1 lastName: demouser - email: "team1user@platform-engineer.cloud" + email: "team1user@kubrix.io" groups: - name: admins roles: From 410f4b88839bc49ccaeab8ccf73fea1f319d642d Mon Sep 17 00:00:00 2001 From: phac008 Date: Mon, 3 Mar 2025 00:20:50 +0100 Subject: [PATCH 09/26] separate admin-password Signed-off-by: phac008 --- .../charts/keycloak/templates/cp-keycloak-secret.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/platform-apps/charts/keycloak/templates/cp-keycloak-secret.yaml b/platform-apps/charts/keycloak/templates/cp-keycloak-secret.yaml index d298a09f9..51e0c5a4f 100644 --- a/platform-apps/charts/keycloak/templates/cp-keycloak-secret.yaml +++ b/platform-apps/charts/keycloak/templates/cp-keycloak-secret.yaml @@ -13,11 +13,11 @@ stringData: # credentials password MUST be the same as adminPassword credentials: | { - "admin-password": "admin1", "username": "admin", "password": "admin1", "url": "http://{{ .Release.Name }}-headless.{{ .Release.Namespace }}.svc.cluster.local:8080", "client_id": "admin-cli", "realm": "master", "tls_insecure_skip_verify": "true" - } \ No newline at end of file + } + admin-password: "admin1" \ No newline at end of file 
From bd43ee70889307672d02a1f3b49578b678650f8b Mon Sep 17 00:00:00 2001 From: phac008 Date: Mon, 3 Mar 2025 14:55:03 +0100 Subject: [PATCH 10/26] remove crossplane health.lua Signed-off-by: phac008 --- platform-apps/charts/argocd/values-k3d.yaml | 115 -------------------- 1 file changed, 115 deletions(-) diff --git a/platform-apps/charts/argocd/values-k3d.yaml b/platform-apps/charts/argocd/values-k3d.yaml index a4127b041..27f57fe13 100644 --- a/platform-apps/charts/argocd/values-k3d.yaml +++ b/platform-apps/charts/argocd/values-k3d.yaml 
@@ -32,121 +32,6 @@ argo-cd: end return hs - "*.upbound.io/*": - health.lua: | - health_status = { - status = "Progressing", - message = "Provisioning ..." - } - local function contains (table, val) - for i, v in ipairs(table) do - if v == val then - return true - end - end - return false - end - local has_no_status = { - "ProviderConfig", - "ProviderConfigUsage" - } - if obj.status == nil or next(obj.status) == nil and contains(has_no_status, obj.kind) then - health_status.status = "Healthy" - health_status.message = "Resource is up-to-date." - return health_status - end - if obj.status == nil or next(obj.status) == nil or obj.status.conditions == nil then - if obj.kind == "ProviderConfig" and obj.status.users ~= nil then - health_status.status = "Healthy" - health_status.message = "Resource is in use." - return health_status - end - return health_status - end - for i, condition in ipairs(obj.status.conditions) do - if condition.type == "LastAsyncOperation" then - if condition.status == "False" then - health_status.status = "Degraded" - health_status.message = condition.message - return health_status - end - end - if condition.type == "Synced" then - if condition.status == "False" then - health_status.status = "Degraded" - health_status.message = condition.message - return health_status - end - end - if condition.type == "Ready" then - if condition.status == "True" then - health_status.status = "Healthy" - health_status.message = "Resource is up-to-date." - return health_status - end - end - end - return health_status - "*.crossplane.io/*": - health.lua: | - health_status = { - status = "Progressing", - message = "Provisioning ..." 
- } - local function contains (table, val) - for i, v in ipairs(table) do - if v == val then - return true - end - end - return false - end - local has_no_status = { - "Composition", - "CompositionRevision", - "DeploymentRuntimeConfig", - "ControllerConfig", - "ProviderConfig", - "ProviderConfigUsage" - } - if obj.status == nil or next(obj.status) == nil and contains(has_no_status, obj.kind) then - health_status.status = "Healthy" - health_status.message = "Resource is up-to-date." - return health_status - end - if obj.status == nil or next(obj.status) == nil or obj.status.conditions == nil then - if obj.kind == "ProviderConfig" and obj.status.users ~= nil then - health_status.status = "Healthy" - health_status.message = "Resource is in use." - return health_status - end - return health_status - end - for i, condition in ipairs(obj.status.conditions) do - if condition.type == "LastAsyncOperation" then - if condition.status == "False" then - health_status.status = "Degraded" - health_status.message = condition.message - return health_status - end - end - if condition.type == "Synced" then - if condition.status == "False" then - health_status.status = "Degraded" - health_status.message = condition.message - return health_status - end - end - if contains({"Ready", "Healthy", "Offered", "Established"}, condition.type) then - if condition.status == "True" then - health_status.status = "Healthy" - health_status.message = "Resource is up-to-date." - return health_status - end - end - end - return health_status - rbac: policy.csv: | p, backstage, applications, get, */*, allow From 251bb374a7e39e953425a1fb17f2ac5968acbc32 Mon Sep 17 00:00:00 2001 From: phac008 Date: Mon, 3 Mar 2025 16:49:27 +0100 Subject: [PATCH 11/26] add cnpg and fix password issue 
Signed-off-by: phac008 --- platform-apps/charts/keycloak/Chart.lock | 7 +++++-- platform-apps/charts/keycloak/Chart.yaml | 4 ++++ .../keycloak/templates/cp-keycloak-users-secret.yaml | 2 +- 3 files changed, 10 insertions(+), 3 deletions(-) diff --git a/platform-apps/charts/keycloak/Chart.lock b/platform-apps/charts/keycloak/Chart.lock index efd273a37..cdc465133 100644 --- a/platform-apps/charts/keycloak/Chart.lock +++ b/platform-apps/charts/keycloak/Chart.lock @@ -5,5 +5,8 @@ dependencies: - name: postgresql repository: https://charts.bitnami.com/bitnami version: 16.4.14 -digest: sha256:ae318c6c0a7e2e8b1d9d2974f6be5d0067b845e73ec44f8436b56f5b1308ab9d -generated: "2025-03-02T22:27:52.301012+01:00" +- name: cluster + repository: https://cloudnative-pg.github.io/charts + version: 0.2.1 +digest: sha256:bc4114d4fde2bad2e72d93cc3de6322c1cc252c200d8dfa1bf6531de6281ddf5 +generated: "2025-03-03T14:53:56.140641+01:00" diff --git a/platform-apps/charts/keycloak/Chart.yaml b/platform-apps/charts/keycloak/Chart.yaml index e409ed052..e1e79ceeb 100644 --- a/platform-apps/charts/keycloak/Chart.yaml +++ b/platform-apps/charts/keycloak/Chart.yaml @@ -33,3 +33,7 @@ dependencies: version: 16.4.14 repository: https://charts.bitnami.com/bitnami condition: postgresql.enabled + - name: cluster + version: 0.2.1 + repository: https://cloudnative-pg.github.io/charts + condition: cluster.enabled \ No newline at end of file diff --git a/platform-apps/charts/keycloak/templates/cp-keycloak-users-secret.yaml b/platform-apps/charts/keycloak/templates/cp-keycloak-users-secret.yaml index e05cf61ba..c0b8b22dc 100644 --- a/platform-apps/charts/keycloak/templates/cp-keycloak-users-secret.yaml +++ b/platform-apps/charts/keycloak/templates/cp-keycloak-users-secret.yaml @@ -2,7 +2,7 @@ apiVersion: v1 kind: Secret metadata: - name: cp-keycloak-user-secret + name: cp-keycloak-users-secret annotations: argocd.argoproj.io/sync-wave: "-9" labels: 
From c970888f65cf7b56b57fc5d6736cfa7d4202d62e Mon Sep 17 00:00:00 2001 From: phac008 Date: Mon, 3 Mar 2025 17:00:34 +0100 Subject: [PATCH 12/26] disable cnpg if not used Signed-off-by: phac008 --- platform-apps/charts/keycloak/values-k3d.yaml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/platform-apps/charts/keycloak/values-k3d.yaml b/platform-apps/charts/keycloak/values-k3d.yaml index e1eec0e99..2ab9ba508 100644 --- a/platform-apps/charts/keycloak/values-k3d.yaml +++ b/platform-apps/charts/keycloak/values-k3d.yaml @@ -126,4 +126,8 @@ kubrix: - name: backstage-admin # for service-account permission workaround # start with 2FA mobile Authenticators mfa: - enabled: false \ No newline at end of file + enabled: false + +## cnpg +cluster: + enabled: false \ No newline at end of file From c79ff191d8fc6e4a9fbda21d88ee8c990ccf7f7a Mon Sep 17 00:00:00 2001 From: phac008 Date: Mon, 3 Mar 2025 21:41:35 +0100 Subject: [PATCH 13/26] change defualt values for metalstack.demo Signed-off-by: phac008 --- .../keycloak/values-demo-metalstack.yaml | 184 +++++++++--------- 1 file changed, 91 insertions(+), 93 deletions(-) diff --git a/platform-apps/charts/keycloak/values-demo-metalstack.yaml b/platform-apps/charts/keycloak/values-demo-metalstack.yaml index 975a6eb4c..559d53dd1 100644 --- a/platform-apps/charts/keycloak/values-demo-metalstack.yaml +++ b/platform-apps/charts/keycloak/values-demo-metalstack.yaml 
@@ -1,135 +1,133 @@ -# Postgres account data, web server certificates, and keycloak admin user -secrets: - postgres: - name: postgres-credentials - admin: - name: postgres - password: postgres - tls: - name: keycloak-server-tls - keycloak: - name: keycloak-secrets - admin: - name: admin - password: admin +keycloak: + #extraEnvVars: + # - name: KEYCLOAK_LOG_LEVEL + # value: DEBUG + auth: + adminUser: admin + existingSecret: "keycloak-credentials" + ingress: + enabled: true + hostname: keycloak.demo.kubrix.cloud + ingressClassName: nginx + annotations: + external-dns.alpha.kubernetes.io/ttl: "60" + cert-manager.io/cluster-issuer: letsencrypt-prod + path: / + tls: true + extraTls: + - hosts: + - keycloak.demo.kubrix.cloud + secretName: keycloak-server-tls + pdb: + create: false + postgresql: + enabled: false + externalDatabase: + existingSecret: "cp-keycloak-externaldb-secret" + existingSecretHostKey: "HOST" + existingSecretPortKey: "PORT" + existingSecretUserKey: "POSTGRES_USER" + existingSecretDatabaseKey: "POSTGRES_DATABASE" + existingSecretPasswordKey: "POSTGRES_PASSWORD" + + readinessProbe: + httpGet: + path: /realms/master + port: http + initialDelaySeconds: 60 + timeoutSeconds: 5 -gardenercert: - enabled: false + resources: + requests: + memory: "512Mi" + cpu: "300m" + limits: + memory: "1Gi" + cpu: "1" -certmanager: + networkPolicy: + enabled: false + + keycloakConfigCli: + enabled: false +######## postgres instance +postgresql: enabled: true - issuer: letsencrypt-prod + pdb: + create: false + primary: + networkPolicy: + enabled: false + persistence: + size: 2Gi # for demo only + auth: +# postgresPassword: "keycloak" + username: keycloak + database: postgres + existingSecret: "cp-keycloak-externaldb-secret" + secretKeys: + userPasswordKey: POSTGRES_PASSWORD + adminPasswordKey: POSTGRES_ADMIN + # replicationPasswordKey: # not used + volumePermissions: + enabled: false + architecture: standalone -# Postgres, Keycloak and Ingress deployments -deployments: - 
securePort: 443 - postgres: - image: - name: postgres:latest - db: - name: keycloak - service: - name: postgres - port: 5432 - volume: - name: postgres-storage - path: /var/lib/postgresql/data - ingress: - className: nginx - fqdn: .demo.kubrix.cloud # add to prefix keycloak in templates +#### kubrix +kubrix: keycloak: - version: 25.0.2 - service: - name: keycloak-service - ports: - containerPort: 8080 - # keycloak realm config + fqdn: .demo.kubrix.cloud # add to prefix keycloak in templates realm: realmid: kubrix users: - name: phac firstName: Philipp lastName: Achmueller - email: "philipp.achmueller@platform-engineer.cloud" - password: "test" + email: "philipp.achmueller@kubrix.io" - name: jokl firstName: Johannes lastName: Kleinlercher - email: "johannes.kleinlercher@platform-engineer.cloud" - password: "test" + email: "johannes.kleinlercher@kubrix.io" - name: backstageadmin firstName: MrBackstage lastName: MrAdmin - email: "backstageadmin@platform-engineer.cloud" - password: "test" + email: "backstageadmin@kubrix.io" - name: demouser firstName: demo lastName: user - email: "demouser@platform-engineer.cloud" - password: "test" + email: "demouser@kubrix.io" - name: demoadmin firstName: demo lastName: admin - email: "demoadmin@platform-engineer.cloud" - password: "test" + email: "demoadmin@kubrix.io" - name: team1user firstName: team1 lastName: demouser - email: "team1user@platform-engineer.cloud" - password: "test" - - name: team-auser - firstName: team-a - lastName: demouser - email: "team-auser@platform-engineer.cloud" - password: "test" + email: "team1user@kubrix.io" groups: - name: admins - mfa: false # valid if .keycloak.mfa.enabled is true, disable for admin + roles: + - grafana-admin members: - backstageadmin - demoadmin - name: team1 - mfa: true # valid if .keycloak.mfa.enabled is true + roles: + - grafana-viewer members: - team1user - - name: team-a - mfa: false # valid if .keycloak.mfa.enabled is true - members: - - team-auser - name: users - mfa: false 
# valid if .keycloak.mfa.enabled is true + roles: + - grafana-editor members: - phac - jokl - demouser - name: backstage-admin # for service-account permission workaround - # backstage client - backstageclient: - config: - clientID: backstage - clientSecret: demosecret - # vault client - vaultclient: - config: - clientID: vault - clientSecret: demosecret - # grafana client - grafanaclient: - config: - clientID: grafana - clientSecret: demosecret - # pgadmin client - pgadminclient: - config: - clientID: pgadmin - clientSecret: demosecret # start with 2FA mobile Authenticators mfa: - enabled: true -# PersistenVolume / PersistenVolumeClaims -pv: - name: postgres-pv - size: 1Gi -pvc: - name: postgres-pvc - size: 1Gi + enabled: false + +## cnpg +cluster: + enabled: false \ No newline at end of file From 8164795e5b4a17e45529f2f1d1c9460f23185a91 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Mon, 3 Mar 2025 21:02:44 +0000 Subject: [PATCH 14/26] updated container image list --- platform-apps/charts/image-list.json | 13 ++++--------- platform-apps/charts/image-list.md | 5 ++--- 2 files changed, 6 insertions(+), 12 deletions(-) diff --git a/platform-apps/charts/image-list.json b/platform-apps/charts/image-list.json index 2ec5d847c..170b4b0fa 100644 --- a/platform-apps/charts/image-list.json +++ b/platform-apps/charts/image-list.json @@ -196,18 +196,13 @@ }, { "chart": "keycloak", - "image": "busybox", - "id": "keycloak_busybox" - }, - { - "chart": "keycloak", - "image": "postgres:latest", - "id": "keycloak_postgres_latest" + "image": "docker.io/bitnami/keycloak:26.1.2-debian-12-r0", + "id": "keycloak_keycloak_26.1.2-debian-12-r0" }, { "chart": "keycloak", - "image": "quay.io/keycloak/keycloak:25.0.2", - "id": "keycloak_keycloak_25.0.2" + "image": "docker.io/bitnami/postgresql:17.4.0-debian-12-r2", + "id": "keycloak_postgresql_17.4.0-debian-12-r2" }, { "chart": "komoplane", 
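Review bot: `kubrix.keycloak.mfa.enabled` flips from `true` to `false` in this values file while the same file now publishes Keycloak at `ingress.hostname: keycloak.demo.kubrix.cloud` and the groups lose their per-group `mfa:` flags; if the intent is to align with values-k3d that is fine, but for an internet-reachable demo realm the bare `enabled: false` deserves a comment stating why 2FA is off. Both `keycloak.networkPolicy.enabled` and `postgresql.primary.networkPolicy.enabled` are set to `false`, so the database port is reachable from any namespace in the cluster; restricting it to the Keycloak pods is the usual minimum. `postgresql.auth.database: postgres` points Keycloak at the maintenance database, whereas the removed `db.name: keycloak` gave it a dedicated one; a dedicated database keeps the application user's scope narrow.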
diff --git a/platform-apps/charts/image-list.md b/platform-apps/charts/image-list.md index f83808a02..cda79cec7 100644 --- a/platform-apps/charts/image-list.md +++ b/platform-apps/charts/image-list.md @@ -52,9 +52,8 @@ ## kargo * ghcr.io/akuity/kargo:v1.2.3 ## keycloak -* busybox -* postgres:latest -* quay.io/keycloak/keycloak:25.0.2 +* docker.io/bitnami/keycloak:26.1.2-debian-12-r0 +* docker.io/bitnami/postgresql:17.4.0-debian-12-r2 ## komoplane * busybox * komodorio/komoplane:0.1.6 From 5d615b9ad9346e6c0960124985bb5c7f82a533a7 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Mon, 3 Mar 2025 21:03:32 +0000 Subject: [PATCH 15/26] updated trivy scan results --- trivy-reports/report-keycloak_busybox.md | 2 - .../report-keycloak_keycloak_25.0.2.md | 58 ---- ...t-keycloak_keycloak_26.1.2-debian-12-r0.md | 52 ++++ .../report-keycloak_postgres_latest.md | 257 ------------------ ...keycloak_postgresql_17.4.0-debian-12-r2.md | 10 + 5 files changed, 62 insertions(+), 317 deletions(-) delete mode 100644 trivy-reports/report-keycloak_busybox.md delete mode 100644 trivy-reports/report-keycloak_keycloak_25.0.2.md create mode 100644 trivy-reports/report-keycloak_keycloak_26.1.2-debian-12-r0.md delete mode 100644 trivy-reports/report-keycloak_postgres_latest.md create mode 100644 trivy-reports/report-keycloak_postgresql_17.4.0-debian-12-r2.md diff --git a/trivy-reports/report-keycloak_busybox.md b/trivy-reports/report-keycloak_busybox.md deleted file mode 100644 index e28e418b0..000000000 --- a/trivy-reports/report-keycloak_busybox.md +++ /dev/null @@ -1,2 +0,0 @@ - -

Trivy Returned Empty Report

diff --git a/trivy-reports/report-keycloak_keycloak_25.0.2.md b/trivy-reports/report-keycloak_keycloak_25.0.2.md deleted file mode 100644 index 7960fe5b8..000000000 --- a/trivy-reports/report-keycloak_keycloak_25.0.2.md +++ /dev/null @@ -1,58 +0,0 @@ - -

Target quay.io/keycloak/keycloak:25.0.2 (redhat 9.4)

-

No Vulnerabilities found

-

No Misconfigurations found

-

Target Java

-

Vulnerabilities (6)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
PackageIDSeverityInstalled VersionFixed Version
io.quarkus.http:quarkus-http-coreCVE-2024-12397HIGH5.2.2.Final5.3.4
org.keycloak:keycloak-coreCVE-2024-10039HIGH25.0.226.0.6
org.keycloak:keycloak-quarkus-serverCVE-2024-10451HIGH25.0.224.0.9, 26.0.6
org.keycloak:keycloak-saml-coreCVE-2024-8698HIGH25.0.222.0.13, 24.0.8, 25.0.6
org.keycloak:keycloak-servicesCVE-2024-10270HIGH25.0.224.0.9, 26.0.6
org.keycloak:keycloak-servicesCVE-2024-7341HIGH25.0.222.0.12, 24.0.7, 25.0.5
-

No Misconfigurations found

diff --git a/trivy-reports/report-keycloak_keycloak_26.1.2-debian-12-r0.md b/trivy-reports/report-keycloak_keycloak_26.1.2-debian-12-r0.md new file mode 100644 index 000000000..d5a22c2a4 --- /dev/null +++ b/trivy-reports/report-keycloak_keycloak_26.1.2-debian-12-r0.md @@ -0,0 +1,52 @@ + +

Target docker.io/bitnami/keycloak:26.1.2-debian-12-r0 (debian 12.9)

+

No Vulnerabilities found

+

No Misconfigurations found

+

Target

+

No Vulnerabilities found

+

No Misconfigurations found

+

Target Java

+

Vulnerabilities (3)

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
PackageIDSeverityInstalled VersionFixed Version
io.netty:netty-handlerCVE-2025-24970HIGH4.1.115.Final4.1.118.Final
io.quarkus:quarkus-restCVE-2025-1247HIGH3.15.33.18.2, 3.15.3.1, 3.8.6.1
io.quarkus:quarkus-rest-deploymentCVE-2025-1247HIGH3.15.33.18.2, 3.15.3.1, 3.8.6.1
+

No Misconfigurations found

+

Target opt/bitnami/common

+

No Vulnerabilities found

+

No Misconfigurations found

+

Target opt/bitnami/common/bin/wait-for-port

+

No Vulnerabilities found

+

No Misconfigurations found

+

Target opt/bitnami/java

+

No Vulnerabilities found

+

No Misconfigurations found

+

Target opt/bitnami/keycloak

+

No Vulnerabilities found

+

No Misconfigurations found

diff --git a/trivy-reports/report-keycloak_postgres_latest.md b/trivy-reports/report-keycloak_postgres_latest.md deleted file mode 100644 index 33805e577..000000000 --- a/trivy-reports/report-keycloak_postgres_latest.md +++ /dev/null @@ -1,257 +0,0 @@ - -

Target postgres:latest (debian 12.9)

-

No Vulnerabilities found

-

No Misconfigurations found

-

Target usr/local/bin/gosu

-

Vulnerabilities (34)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
PackageIDSeverityInstalled VersionFixed Version
stdlibCVE-2023-24538CRITICALv1.18.21.19.8, 1.20.3
stdlibCVE-2023-24540CRITICALv1.18.21.19.9, 1.20.4
stdlibCVE-2024-24790CRITICALv1.18.21.21.11, 1.22.4
stdlibCVE-2022-27664HIGHv1.18.21.18.6, 1.19.1
stdlibCVE-2022-28131HIGHv1.18.21.17.12, 1.18.4
stdlibCVE-2022-2879HIGHv1.18.21.18.7, 1.19.2
stdlibCVE-2022-2880HIGHv1.18.21.18.7, 1.19.2
stdlibCVE-2022-29804HIGHv1.18.21.17.11, 1.18.3
stdlibCVE-2022-30580HIGHv1.18.21.17.11, 1.18.3
stdlibCVE-2022-30630HIGHv1.18.21.17.12, 1.18.4
stdlibCVE-2022-30631HIGHv1.18.21.17.12, 1.18.4
stdlibCVE-2022-30632HIGHv1.18.21.17.12, 1.18.4
stdlibCVE-2022-30633HIGHv1.18.21.17.12, 1.18.4
stdlibCVE-2022-30634HIGHv1.18.21.17.11, 1.18.3
stdlibCVE-2022-30635HIGHv1.18.21.17.12, 1.18.4
stdlibCVE-2022-32189HIGHv1.18.21.17.13, 1.18.5
stdlibCVE-2022-41715HIGHv1.18.21.18.7, 1.19.2
stdlibCVE-2022-41716HIGHv1.18.21.18.8, 1.19.3
stdlibCVE-2022-41720HIGHv1.18.21.18.9, 1.19.4
stdlibCVE-2022-41722HIGHv1.18.21.19.6, 1.20.1
stdlibCVE-2022-41723HIGHv1.18.21.19.6, 1.20.1
stdlibCVE-2022-41724HIGHv1.18.21.19.6, 1.20.1
stdlibCVE-2022-41725HIGHv1.18.21.19.6, 1.20.1
stdlibCVE-2023-24534HIGHv1.18.21.19.8, 1.20.3
stdlibCVE-2023-24536HIGHv1.18.21.19.8, 1.20.3
stdlibCVE-2023-24537HIGHv1.18.21.19.8, 1.20.3
stdlibCVE-2023-24539HIGHv1.18.21.19.9, 1.20.4
stdlibCVE-2023-29400HIGHv1.18.21.19.9, 1.20.4
stdlibCVE-2023-29403HIGHv1.18.21.19.10, 1.20.5
stdlibCVE-2023-39325HIGHv1.18.21.20.10, 1.21.3
stdlibCVE-2023-45283HIGHv1.18.21.20.11, 1.21.4, 1.20.12, 1.21.5
stdlibCVE-2023-45287HIGHv1.18.21.20.0
stdlibCVE-2023-45288HIGHv1.18.21.21.9, 1.22.2
stdlibCVE-2024-34156HIGHv1.18.21.22.7, 1.23.1
-

No Misconfigurations found

-

Target /etc/ssl/private/ssl-cert-snakeoil.key

-

No Vulnerabilities found

-

No Misconfigurations found

diff --git a/trivy-reports/report-keycloak_postgresql_17.4.0-debian-12-r2.md b/trivy-reports/report-keycloak_postgresql_17.4.0-debian-12-r2.md new file mode 100644 index 000000000..cf556ac9f --- /dev/null +++ b/trivy-reports/report-keycloak_postgresql_17.4.0-debian-12-r2.md @@ -0,0 +1,10 @@ + +

Target docker.io/bitnami/postgresql:17.4.0-debian-12-r2 (debian 12.9)

+

No Vulnerabilities found

+

No Misconfigurations found

+

Target Java

+

No Vulnerabilities found

+

No Misconfigurations found

+

Target opt/bitnami/postgresql

+

No Vulnerabilities found

+

No Misconfigurations found

From f931cb549d7714d2d4cf83c420259a12ea68392b Mon Sep 17 00:00:00 2001 From: phac008 Date: Mon, 3 Mar 2025 22:14:01 +0100 Subject: [PATCH 16/26] enable ServiceMonitor Signed-off-by: phac008 --- platform-apps/charts/keycloak/values-demo-metalstack.yaml | 6 +++++- platform-apps/charts/keycloak/values-k3d.yaml | 6 +++++- platform-apps/target-chart/values-kind-base.yaml | 7 +++++++ 3 files changed, 17 insertions(+), 2 deletions(-) diff --git a/platform-apps/charts/keycloak/values-demo-metalstack.yaml b/platform-apps/charts/keycloak/values-demo-metalstack.yaml index 559d53dd1..df0535d19 100644 --- a/platform-apps/charts/keycloak/values-demo-metalstack.yaml +++ b/platform-apps/charts/keycloak/values-demo-metalstack.yaml @@ -47,7 +47,11 @@ keycloak: networkPolicy: enabled: false - + metrics: + enabled: true + serviceMonitor: + enabled: true + keycloakConfigCli: enabled: false ######## postgres instance diff --git a/platform-apps/charts/keycloak/values-k3d.yaml b/platform-apps/charts/keycloak/values-k3d.yaml index 2ab9ba508..26ef46293 100644 --- a/platform-apps/charts/keycloak/values-k3d.yaml +++ b/platform-apps/charts/keycloak/values-k3d.yaml @@ -47,7 +47,11 @@ keycloak: networkPolicy: enabled: false - + metrics: + enabled: true + serviceMonitor: + enabled: true + keycloakConfigCli: enabled: false ######## postgres instance diff --git a/platform-apps/target-chart/values-kind-base.yaml b/platform-apps/target-chart/values-kind-base.yaml index 029faf999..22b38fd71 100644 --- a/platform-apps/target-chart/values-kind-base.yaml +++ b/platform-apps/target-chart/values-kind-base.yaml @@ -20,6 +20,13 @@ applications: annotations: argocd.argoproj.io/sync-wave: "-7" + - name: k8s-monitoring + annotations: + argocd.argoproj.io/compare-options: ServerSideDiff=true + argocd.argoproj.io/sync-wave: "-7" + syncOptions: + - ServerSideApply=true + - name: keycloak annotations: argocd.argoproj.io/sync-wave: "-6" From daea19e53d45fc074274e71ad54cce1cb9584c59 Mon Sep 17 00:00:00 2001 
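Review bot: `metrics.enabled: true` with a `serviceMonitor` is added to both values files while `networkPolicy.enabled` stays `false` two lines above, so the metrics endpoint the chart opens is reachable from any pod in the cluster rather than only the scraper; if that is not intended, either enable the chart's network policy or document the exposure with a comment next to `metrics:`. The `k8s-monitoring` application in the target chart is added with `ServerSideDiff=true` and `ServerSideApply=true`; a one-line comment on why this application needs server-side apply (presumably CRD size, but that is not stated here) would help the next maintainer.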
From: phac008 Date: Tue, 4 Mar 2025 10:15:12 +0100 Subject: [PATCH 17/26] adapt internal keycloak adress Signed-off-by: phac008 --- platform-apps/charts/backstage/values-demo-metalstack.yaml | 4 ++-- platform-apps/charts/backstage/values-k3d.yaml | 6 +++--- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/platform-apps/charts/backstage/values-demo-metalstack.yaml b/platform-apps/charts/backstage/values-demo-metalstack.yaml index 6e31148ce..dd569d095 100644 --- a/platform-apps/charts/backstage/values-demo-metalstack.yaml +++ b/platform-apps/charts/backstage/values-demo-metalstack.yaml @@ -150,7 +150,7 @@ backstage: # real metadataUrl -> local cluster lead to "ECONNREFUSED 127.0.0.1:443" - #24935 #metadataUrl: https://keycloak.lab.suxessit.k8s.cloud.uibk.ac.at/realms/kubrix #.well-known/openid-configuration can be ommited # workaround -> also set frontendUrl in keycloak realm - metadataUrl: http://keycloak-service.keycloak.svc.cluster.local:8080/realms/kubrix #.well-known/openid-configuration can be ommited + metadataUrl: http://sx-keycloak-headless.keycloak.svc.cluster.local:8080/realms/kubrix #.well-known/openid-configuration can be ommited callbackUrl: https://backstage.demo.kubrix.cloud/api/auth/oidc/handler/frame clientId: backstage clientSecret: demosecret @@ -240,7 +240,7 @@ backstage: # real baseUrl -> local cluster lead to "ECONNREFUSED 127.0.0.1:443" #baseUrl: https://keycloak.lab.suxessit.k8s.cloud.uibk.ac.at # workaround - baseUrl: http://keycloak-service.keycloak.svc.cluster.local:8080 + baseUrl: http://sx-keycloak-headless.keycloak.svc.cluster.local:8080 loginRealm: kubrix realm: kubrix clientId: backstage diff --git a/platform-apps/charts/backstage/values-k3d.yaml b/platform-apps/charts/backstage/values-k3d.yaml index b5601660a..2f06e8d43 100644 --- a/platform-apps/charts/backstage/values-k3d.yaml +++ b/platform-apps/charts/backstage/values-k3d.yaml 
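Review bot: The internal Keycloak address is now the literal `sx-keycloak-headless.keycloak.svc.cluster.local:8080` in four places across the two backstage values files (this hunk and the two in values-k3d.yaml), baking the `sx-` release-name prefix of a different chart into backstage, whereas the keycloak chart's own secret derives the same host from `{{ .Release.Name }}-headless`. A rename of the keycloak release will silently break OIDC discovery here, so consider a single values key for the internal Keycloak base URL and reference it from both `metadataUrl` and `baseUrl`. Both URLs remain plain `http://`; the existing comments call this a workaround, so a short note on why in-cluster traffic to the IdP is accepted unencrypted would close the loop.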
@@ -140,7 +140,7 @@ backstage: # real metadataUrl -> local cluster lead to "ECONNREFUSED 127.0.0.1:443" - #24935 #metadataUrl: https://keycloak-127-0-0-1.nip.io/realms/kubrix #.well-known/openid-configuration can be ommited # workaround -> also set frontendUrl in keycloak realm - metadataUrl: http://keycloak-service.keycloak.svc.cluster.local:8080/realms/kubrix #.well-known/openid-configuration can be ommited + metadataUrl: http://sx-keycloak-headless.keycloak.svc.cluster.local:8080/realms/kubrix #.well-known/openid-configuration can be ommited callbackUrl: https://backstage-127-0-0-1.nip.io/api/auth/oidc/handler/frame clientId: backstage clientSecret: demosecret @@ -230,7 +230,7 @@ backstage: # real baseUrl -> local cluster lead to "ECONNREFUSED 127.0.0.1:443" #baseUrl: https://keycloak-127-0-0-1.nip.io # workaround - baseUrl: http://keycloak-service.keycloak.svc.cluster.local:8080 + baseUrl: http://sx-keycloak-headless.keycloak.svc.cluster.local:8080 loginRealm: kubrix realm: kubrix clientId: backstage @@ -365,4 +365,4 @@ backstage: enabled: true ## pgdb cluster: - enabled: false \ No newline at end of file + enabled: false From 42acfbc1c5246e3f6995623c08a7c4ad992f6a04 Mon Sep 17 00:00:00 2001 From: phac008 Date: Tue, 4 Mar 2025 10:42:31 +0100 Subject: [PATCH 18/26] recheck crossplane healthcheck Signed-off-by: phac008 --- platform-apps/charts/argocd/values-k3d.yaml | 116 ++++++++++++++++++++ 1 file changed, 116 insertions(+) diff --git a/platform-apps/charts/argocd/values-k3d.yaml b/platform-apps/charts/argocd/values-k3d.yaml index 27f57fe13..89b11b7e4 100644 --- a/platform-apps/charts/argocd/values-k3d.yaml +++ b/platform-apps/charts/argocd/values-k3d.yaml 
@@ -32,6 +32,122 @@ argo-cd: end return hs + "*.upbound.io/*": + health.lua: | + health_status = { + status = "Progressing", + message = "Provisioning ..." + } + local function contains (table, val) + for i, v in ipairs(table) do + if v == val then + return true + end + end + return false + end + local has_no_status = { + "ProviderConfig", + "ProviderConfigUsage" + } + if obj.status == nil or next(obj.status) == nil and contains(has_no_status, obj.kind) then + health_status.status = "Healthy" + health_status.message = "Resource is up-to-date." + return health_status + end + if obj.status == nil or next(obj.status) == nil or obj.status.conditions == nil then + if obj.kind == "ProviderConfig" and obj.status.users ~= nil then + health_status.status = "Healthy" + health_status.message = "Resource is in use." + return health_status + end + return health_status + end + for i, condition in ipairs(obj.status.conditions) do + if condition.type == "LastAsyncOperation" then + if condition.status == "False" then + health_status.status = "Degraded" + health_status.message = condition.message + return health_status + end + end + if condition.type == "Synced" then + if condition.status == "False" then + health_status.status = "Degraded" + health_status.message = condition.message + return health_status + end + end + if condition.type == "Ready" then + if condition.status == "True" then + health_status.status = "Healthy" + health_status.message = "Resource is up-to-date." + return health_status + end + end + end + return health_status + "*.crossplane.io/*": + health.lua: | + health_status = { + status = "Progressing", + message = "Provisioning ..." 
+ } + local function contains (table, val) + for i, v in ipairs(table) do + if v == val then + return true + end + end + return false + end + local has_no_status = { + "Composition", + "CompositionRevision", + "DeploymentRuntimeConfig", + "ControllerConfig", + "ProviderConfig", + "ProviderConfigUsage" + } + if obj.status == nil or next(obj.status) == nil and contains(has_no_status, obj.kind) then + health_status.status = "Healthy" + health_status.message = "Resource is up-to-date." + return health_status + end + if obj.status == nil or next(obj.status) == nil or obj.status.conditions == nil then + if obj.kind == "ProviderConfig" and obj.status.users ~= nil then + health_status.status = "Healthy" + health_status.message = "Resource is in use." + return health_status + end + return health_status + end + for i, condition in ipairs(obj.status.conditions) do + if condition.type == "LastAsyncOperation" then + if condition.status == "False" then + health_status.status = "Degraded" + health_status.message = condition.message + return health_status + end + end + if condition.type == "Synced" then + if condition.status == "False" then + health_status.status = "Degraded" + health_status.message = condition.message + return health_status + end + end + if contains({"Ready", "Healthy", "Offered", "Established"}, condition.type) then + if condition.status == "True" then + health_status.status = "Healthy" + health_status.message = "Resource is up-to-date." + return health_status + end + end + end + return health_status + + rbac: policy.csv: | p, backstage, applications, get, */*, allow From fa60658c6f4c348c4238fc0bc31e29995558d6fb Mon Sep 17 00:00:00 2001 From: phac008 Date: Tue, 4 Mar 2025 18:27:06 +0100 Subject: [PATCH 19/26] reorder to prevent degraded status 
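Review bot: In both health.lua scripts the guard `if obj.status == nil or next(obj.status) == nil and contains(has_no_status, obj.kind) then` parses as `obj.status == nil or (next(obj.status) == nil and contains(...))` because `and` binds tighter than `or`, so any resource whose `status` is absent is reported `Healthy` regardless of kind — a freshly created managed resource that has not been reconciled yet shows green. The intended check is `if (obj.status == nil or next(obj.status) == nil) and contains(has_no_status, obj.kind) then`. Two smaller points: `health_status = {...}` is assigned without `local`, making it a global in the Argo CD Lua environment, and the parameter of `contains` is named `table`, shadowing the standard `table` library inside that function. The same precedence issue is present in the `*.upbound.io/*` copy earlier in this hunk.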
Signed-off-by: phac008 --- .../charts/keycloak/templates/2faflow.yaml | 18 +++++++++--------- .../cp-keycloak-backstage-client.yaml | 2 +- .../templates/cp-keycloak-clientscope.yaml | 4 ++-- ...p-keycloak-default-clientroles-grafana.yaml | 6 +++--- ...eycloak-default-clientscopes-backstage.yaml | 2 +- ...-keycloak-default-clientscopes-grafana.yaml | 2 +- ...-keycloak-default-clientscopes-pgadmin.yaml | 2 +- ...cp-keycloak-default-clientscopes-vault.yaml | 2 +- .../templates/cp-keycloak-grafana-client.yaml | 2 +- .../cp-keycloak-grafana-group-roles.yaml | 2 +- .../templates/cp-keycloak-group-roles.yaml | 2 +- .../keycloak/templates/cp-keycloak-groups.yaml | 2 +- .../keycloak/templates/cp-keycloak-member.yaml | 4 ++-- .../templates/cp-keycloak-pgadmin-client.yaml | 2 +- .../cp-keycloak-protocolmapper-grafana.yaml | 2 +- .../templates/cp-keycloak-protocolmapper.yaml | 2 +- .../keycloak/templates/cp-keycloak-realm.yaml | 1 + .../keycloak/templates/cp-keycloak-users.yaml | 2 +- .../templates/cp-keycloak-vault-client.yaml | 2 +- .../charts/keycloak/templates/xr.yaml | 1 + 20 files changed, 32 insertions(+), 30 deletions(-) diff --git a/platform-apps/charts/keycloak/templates/2faflow.yaml b/platform-apps/charts/keycloak/templates/2faflow.yaml index 9bebdc069..57a8b48b2 100644 --- a/platform-apps/charts/keycloak/templates/2faflow.yaml +++ b/platform-apps/charts/keycloak/templates/2faflow.yaml @@ -6,7 +6,7 @@ metadata: labels: platform-engineer.cloud/role: 2faotprole annotations: - argocd.argoproj.io/sync-wave: "2" + argocd.argoproj.io/sync-wave: "6" argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true spec: deletionPolicy: Delete @@ -26,7 +26,7 @@ metadata: labels: platform-engineer.cloud/flow: 2faflow annotations: - argocd.argoproj.io/sync-wave: "2" + argocd.argoproj.io/sync-wave: "6" argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true spec: deletionPolicy: Delete 
@@ -45,7 +45,7 @@ kind: Execution metadata: name: 2fa-ex1 annotations: - argocd.argoproj.io/sync-wave: "3" + argocd.argoproj.io/sync-wave: "7" argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true spec: forProvider: @@ -66,7 +66,7 @@ kind: Execution metadata: name: 2fa-ex2 annotations: - argocd.argoproj.io/sync-wave: "4" + argocd.argoproj.io/sync-wave: "8" argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true spec: forProvider: @@ -87,7 +87,7 @@ kind: Execution metadata: name: 2fa-ex3 annotations: - argocd.argoproj.io/sync-wave: "5" + argocd.argoproj.io/sync-wave: "9" argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true spec: forProvider: @@ -110,7 +110,7 @@ metadata: labels: platform-engineer.cloud/execution: 2fa-ex4 annotations: - argocd.argoproj.io/sync-wave: "6" + argocd.argoproj.io/sync-wave: "10" argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true spec: forProvider: @@ -131,7 +131,7 @@ kind: ExecutionConfig metadata: name: 2fa-ex4-conf annotations: - argocd.argoproj.io/sync-wave: "7" + argocd.argoproj.io/sync-wave: "11" argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true spec: forProvider: @@ -153,7 +153,7 @@ kind: Bindings metadata: name: 2fa-browser-flow-binding annotations: - argocd.argoproj.io/sync-wave: "8" + argocd.argoproj.io/sync-wave: "12" argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true spec: forProvider: @@ -175,7 +175,7 @@ metadata: name: backstage-{{ $group.name }}-2fa-roles annotations: argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/sync-wave: "1" + argocd.argoproj.io/sync-wave: "7" spec: forProvider: exhaustive: false diff --git a/platform-apps/charts/keycloak/templates/cp-keycloak-backstage-client.yaml b/platform-apps/charts/keycloak/templates/cp-keycloak-backstage-client.yaml index 6cdbcd73f..b224c88f4 100644 --- a/platform-apps/charts/keycloak/templates/cp-keycloak-backstage-client.yaml 
+++ b/platform-apps/charts/keycloak/templates/cp-keycloak-backstage-client.yaml @@ -4,7 +4,7 @@ kind: Client metadata: name: backstage annotations: - argocd.argoproj.io/sync-wave: "1" + argocd.argoproj.io/sync-wave: "5" argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true spec: deletionPolicy: Delete diff --git a/platform-apps/charts/keycloak/templates/cp-keycloak-clientscope.yaml b/platform-apps/charts/keycloak/templates/cp-keycloak-clientscope.yaml index a58feebfe..3d601c841 100644 --- a/platform-apps/charts/keycloak/templates/cp-keycloak-clientscope.yaml +++ b/platform-apps/charts/keycloak/templates/cp-keycloak-clientscope.yaml @@ -3,7 +3,7 @@ kind: ClientScope metadata: annotations: argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/sync-wave: "1" + argocd.argoproj.io/sync-wave: "2" labels: platform-engineer.cloud/clientscope: groups name: openid-client-scope-groups @@ -24,7 +24,7 @@ kind: ClientScope metadata: annotations: argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/sync-wave: "1" + argocd.argoproj.io/sync-wave: "2" labels: platform-engineer.cloud/clientscope: groups name: openid-client-scope-openid diff --git a/platform-apps/charts/keycloak/templates/cp-keycloak-default-clientroles-grafana.yaml b/platform-apps/charts/keycloak/templates/cp-keycloak-default-clientroles-grafana.yaml index d740543c2..630b176ec 100644 --- a/platform-apps/charts/keycloak/templates/cp-keycloak-default-clientroles-grafana.yaml +++ b/platform-apps/charts/keycloak/templates/cp-keycloak-default-clientroles-grafana.yaml @@ -3,7 +3,7 @@ kind: Role metadata: annotations: argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/sync-wave: "1" + argocd.argoproj.io/sync-wave: "5" labels: platform-engineer.cloud/role: grafana-viewer name: client-default-role-grafana-viewer 
@@ -23,7 +23,7 @@ kind: Role metadata: annotations: argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/sync-wave: "1" + argocd.argoproj.io/sync-wave: "5" labels: platform-engineer.cloud/role: grafana-editor name: client-default-role-grafana-editor @@ -43,7 +43,7 @@ kind: Role metadata: annotations: argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/sync-wave: "1" + argocd.argoproj.io/sync-wave: "5" labels: platform-engineer.cloud/role: grafana-admin name: client-default-role-grafana-admin diff --git a/platform-apps/charts/keycloak/templates/cp-keycloak-default-clientscopes-backstage.yaml b/platform-apps/charts/keycloak/templates/cp-keycloak-default-clientscopes-backstage.yaml index 2b0d98afa..106cb0ac7 100644 --- a/platform-apps/charts/keycloak/templates/cp-keycloak-default-clientscopes-backstage.yaml +++ b/platform-apps/charts/keycloak/templates/cp-keycloak-default-clientscopes-backstage.yaml @@ -3,7 +3,7 @@ kind: ClientDefaultScopes metadata: annotations: argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/sync-wave: "1" + argocd.argoproj.io/sync-wave: "5" name: client-default-scopes spec: forProvider: diff --git a/platform-apps/charts/keycloak/templates/cp-keycloak-default-clientscopes-grafana.yaml b/platform-apps/charts/keycloak/templates/cp-keycloak-default-clientscopes-grafana.yaml index b19019a5a..6ba8cbb45 100644 --- a/platform-apps/charts/keycloak/templates/cp-keycloak-default-clientscopes-grafana.yaml +++ b/platform-apps/charts/keycloak/templates/cp-keycloak-default-clientscopes-grafana.yaml @@ -3,7 +3,7 @@ kind: ClientDefaultScopes metadata: annotations: argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/sync-wave: "1" + argocd.argoproj.io/sync-wave: "5" name: client-default-scopes-grafana spec: forProvider: 
diff --git a/platform-apps/charts/keycloak/templates/cp-keycloak-default-clientscopes-pgadmin.yaml b/platform-apps/charts/keycloak/templates/cp-keycloak-default-clientscopes-pgadmin.yaml index e2e221496..3f264655b 100644 --- a/platform-apps/charts/keycloak/templates/cp-keycloak-default-clientscopes-pgadmin.yaml +++ b/platform-apps/charts/keycloak/templates/cp-keycloak-default-clientscopes-pgadmin.yaml @@ -3,7 +3,7 @@ kind: ClientDefaultScopes metadata: annotations: argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/sync-wave: "1" + argocd.argoproj.io/sync-wave: "5" name: client-default-scopes-pgadmin spec: forProvider: diff --git a/platform-apps/charts/keycloak/templates/cp-keycloak-default-clientscopes-vault.yaml b/platform-apps/charts/keycloak/templates/cp-keycloak-default-clientscopes-vault.yaml index 6091b8608..8856e1551 100644 --- a/platform-apps/charts/keycloak/templates/cp-keycloak-default-clientscopes-vault.yaml +++ b/platform-apps/charts/keycloak/templates/cp-keycloak-default-clientscopes-vault.yaml @@ -3,7 +3,7 @@ kind: ClientDefaultScopes metadata: annotations: argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/sync-wave: "1" + argocd.argoproj.io/sync-wave: "5" name: client-default-scopes-vault spec: forProvider: diff --git a/platform-apps/charts/keycloak/templates/cp-keycloak-grafana-client.yaml b/platform-apps/charts/keycloak/templates/cp-keycloak-grafana-client.yaml index 646bfb99e..40e48d39e 100644 --- a/platform-apps/charts/keycloak/templates/cp-keycloak-grafana-client.yaml +++ b/platform-apps/charts/keycloak/templates/cp-keycloak-grafana-client.yaml @@ -4,7 +4,7 @@ kind: Client metadata: name: grafana annotations: - argocd.argoproj.io/sync-wave: "1" + argocd.argoproj.io/sync-wave: "5" argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true spec: deletionPolicy: Delete 
diff --git a/platform-apps/charts/keycloak/templates/cp-keycloak-grafana-group-roles.yaml b/platform-apps/charts/keycloak/templates/cp-keycloak-grafana-group-roles.yaml index 1f7d5dacc..7bb43e669 100644 --- a/platform-apps/charts/keycloak/templates/cp-keycloak-grafana-group-roles.yaml +++ b/platform-apps/charts/keycloak/templates/cp-keycloak-grafana-group-roles.yaml @@ -7,7 +7,7 @@ metadata: name: grafana-group-roles-{{ $group.name }}-{{ $role }} annotations: argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/sync-wave: "1" + argocd.argoproj.io/sync-wave: "4" spec: deletionPolicy: Delete forProvider: diff --git a/platform-apps/charts/keycloak/templates/cp-keycloak-group-roles.yaml b/platform-apps/charts/keycloak/templates/cp-keycloak-group-roles.yaml index 9925291d9..0ec127f73 100644 --- a/platform-apps/charts/keycloak/templates/cp-keycloak-group-roles.yaml +++ b/platform-apps/charts/keycloak/templates/cp-keycloak-group-roles.yaml @@ -4,7 +4,7 @@ metadata: name: backstage-default-group-roles annotations: argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/sync-wave: "1" + argocd.argoproj.io/sync-wave: "4" spec: deletionPolicy: Delete forProvider: diff --git a/platform-apps/charts/keycloak/templates/cp-keycloak-groups.yaml b/platform-apps/charts/keycloak/templates/cp-keycloak-groups.yaml index 547330653..79471d846 100644 --- a/platform-apps/charts/keycloak/templates/cp-keycloak-groups.yaml +++ b/platform-apps/charts/keycloak/templates/cp-keycloak-groups.yaml @@ -6,7 +6,7 @@ metadata: name: {{ $group.name }} annotations: argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/sync-wave: "1" + argocd.argoproj.io/sync-wave: "3" spec: forProvider: realmId: {{ $.Values.kubrix.keycloak.realm.realmid }} 
diff --git a/platform-apps/charts/keycloak/templates/cp-keycloak-member.yaml b/platform-apps/charts/keycloak/templates/cp-keycloak-member.yaml index f731792c9..a69977ebc 100644 --- a/platform-apps/charts/keycloak/templates/cp-keycloak-member.yaml +++ b/platform-apps/charts/keycloak/templates/cp-keycloak-member.yaml @@ -4,7 +4,7 @@ metadata: name: backstage-admin-memberships annotations: argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/sync-wave: "1" + argocd.argoproj.io/sync-wave: "4" spec: forProvider: groupIdRef: @@ -23,7 +23,7 @@ metadata: name: backstage-{{ $group.name }}-users-memberships annotations: argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/sync-wave: "1" + argocd.argoproj.io/sync-wave: "4" spec: forProvider: groupIdRef: diff --git a/platform-apps/charts/keycloak/templates/cp-keycloak-pgadmin-client.yaml b/platform-apps/charts/keycloak/templates/cp-keycloak-pgadmin-client.yaml index b9ff331fa..0145b00c5 100644 --- a/platform-apps/charts/keycloak/templates/cp-keycloak-pgadmin-client.yaml +++ b/platform-apps/charts/keycloak/templates/cp-keycloak-pgadmin-client.yaml @@ -4,7 +4,7 @@ kind: Client metadata: name: pgadmin annotations: - argocd.argoproj.io/sync-wave: "1" + argocd.argoproj.io/sync-wave: "5" argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true spec: deletionPolicy: Delete diff --git a/platform-apps/charts/keycloak/templates/cp-keycloak-protocolmapper-grafana.yaml b/platform-apps/charts/keycloak/templates/cp-keycloak-protocolmapper-grafana.yaml index 39e2e4a1a..448b5511a 100644 --- a/platform-apps/charts/keycloak/templates/cp-keycloak-protocolmapper-grafana.yaml +++ b/platform-apps/charts/keycloak/templates/cp-keycloak-protocolmapper-grafana.yaml 
@@ -4,7 +4,7 @@ metadata: name: openid-user-attribute-mapper-grafana annotations: argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/sync-wave: "1" + argocd.argoproj.io/sync-wave: "3" spec: forProvider: clientScopeIdSelector: diff --git a/platform-apps/charts/keycloak/templates/cp-keycloak-protocolmapper.yaml b/platform-apps/charts/keycloak/templates/cp-keycloak-protocolmapper.yaml index 428710b81..875100489 100644 --- a/platform-apps/charts/keycloak/templates/cp-keycloak-protocolmapper.yaml +++ b/platform-apps/charts/keycloak/templates/cp-keycloak-protocolmapper.yaml @@ -4,7 +4,7 @@ metadata: name: openid-user-attribute-mapper annotations: argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/sync-wave: "1" + argocd.argoproj.io/sync-wave: "3" spec: forProvider: clientScopeIdSelector: diff --git a/platform-apps/charts/keycloak/templates/cp-keycloak-realm.yaml b/platform-apps/charts/keycloak/templates/cp-keycloak-realm.yaml index ffe08dbcd..ddc302087 100644 --- a/platform-apps/charts/keycloak/templates/cp-keycloak-realm.yaml +++ b/platform-apps/charts/keycloak/templates/cp-keycloak-realm.yaml @@ -8,6 +8,7 @@ metadata: annotations: link.argocd.argoproj.io/external-link: https://keycloak{{ .Values.kubrix.keycloak.fqdn }}/admin/master/console/#/{{ .Values.kubrix.keycloak.realm.realmid }} argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true + argocd.argoproj.io/sync-wave: "1" spec: forProvider: realm: {{ .Values.kubrix.keycloak.realm.realmid }} diff --git a/platform-apps/charts/keycloak/templates/cp-keycloak-users.yaml b/platform-apps/charts/keycloak/templates/cp-keycloak-users.yaml index e8e2b3462..c51cdc53f 100644 --- a/platform-apps/charts/keycloak/templates/cp-keycloak-users.yaml +++ b/platform-apps/charts/keycloak/templates/cp-keycloak-users.yaml 
@@ -6,7 +6,7 @@ metadata: name: {{ $user.name }} annotations: argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/sync-wave: "1" + argocd.argoproj.io/sync-wave: "2" spec: forProvider: realmId: {{ $.Values.kubrix.keycloak.realm.realmid }} diff --git a/platform-apps/charts/keycloak/templates/cp-keycloak-vault-client.yaml b/platform-apps/charts/keycloak/templates/cp-keycloak-vault-client.yaml index 2bffa4612..64bd92868 100644 --- a/platform-apps/charts/keycloak/templates/cp-keycloak-vault-client.yaml +++ b/platform-apps/charts/keycloak/templates/cp-keycloak-vault-client.yaml @@ -4,7 +4,7 @@ kind: Client metadata: name: vault annotations: - argocd.argoproj.io/sync-wave: "1" + argocd.argoproj.io/sync-wave: "5" argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true spec: deletionPolicy: Delete diff --git a/platform-apps/charts/keycloak/templates/xr.yaml b/platform-apps/charts/keycloak/templates/xr.yaml index f97c02cc7..d25cca8ce 100644 --- a/platform-apps/charts/keycloak/templates/xr.yaml +++ b/platform-apps/charts/keycloak/templates/xr.yaml @@ -4,6 +4,7 @@ metadata: name: keycloak-builtin-objects-{{ .Values.kubrix.keycloak.realm.realmid }} annotations: argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true + argocd.argoproj.io/sync-wave: "2" spec: providerConfigName: sx-keycloak-config providerSecretName: keycloak-credentials From 2bec3e8bc3425424f47bcae69a3144293cb5962e Mon Sep 17 00:00:00 2001 From: phac008 Date: Tue, 4 Mar 2025 18:53:49 +0100 Subject: [PATCH 20/26] reorder member and group roles Signed-off-by: phac008 --- .../keycloak/templates/cp-keycloak-grafana-group-roles.yaml | 2 +- platform-apps/charts/keycloak/templates/cp-keycloak-member.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/platform-apps/charts/keycloak/templates/cp-keycloak-grafana-group-roles.yaml b/platform-apps/charts/keycloak/templates/cp-keycloak-grafana-group-roles.yaml index 7bb43e669..8688acbf7 100644 
--- a/platform-apps/charts/keycloak/templates/cp-keycloak-grafana-group-roles.yaml +++ b/platform-apps/charts/keycloak/templates/cp-keycloak-grafana-group-roles.yaml @@ -7,7 +7,7 @@ metadata: name: grafana-group-roles-{{ $group.name }}-{{ $role }} annotations: argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/sync-wave: "4" + argocd.argoproj.io/sync-wave: "6" spec: deletionPolicy: Delete forProvider: diff --git a/platform-apps/charts/keycloak/templates/cp-keycloak-member.yaml b/platform-apps/charts/keycloak/templates/cp-keycloak-member.yaml index a69977ebc..c46d985d7 100644 --- a/platform-apps/charts/keycloak/templates/cp-keycloak-member.yaml +++ b/platform-apps/charts/keycloak/templates/cp-keycloak-member.yaml @@ -4,7 +4,7 @@ metadata: name: backstage-admin-memberships annotations: argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/sync-wave: "4" + argocd.argoproj.io/sync-wave: "6" spec: forProvider: groupIdRef: From baa6c89d8a9225ab47e9e16dd4de137ab7ce57f7 Mon Sep 17 00:00:00 2001 From: phac008 Date: Tue, 4 Mar 2025 19:50:35 +0100 Subject: [PATCH 21/26] scopes after clients Signed-off-by: phac008 --- .../templates/cp-keycloak-default-clientroles-grafana.yaml | 6 +++--- .../cp-keycloak-default-clientscopes-backstage.yaml | 2 +- .../templates/cp-keycloak-default-clientscopes-grafana.yaml | 2 +- .../templates/cp-keycloak-default-clientscopes-pgadmin.yaml | 2 +- .../templates/cp-keycloak-default-clientscopes-vault.yaml | 2 +- 5 files changed, 7 insertions(+), 7 deletions(-) diff --git a/platform-apps/charts/keycloak/templates/cp-keycloak-default-clientroles-grafana.yaml b/platform-apps/charts/keycloak/templates/cp-keycloak-default-clientroles-grafana.yaml index 630b176ec..90cd6aafa 100644 --- a/platform-apps/charts/keycloak/templates/cp-keycloak-default-clientroles-grafana.yaml +++ b/platform-apps/charts/keycloak/templates/cp-keycloak-default-clientroles-grafana.yaml 
@@ -3,7 +3,7 @@ kind: Role metadata: annotations: argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/sync-wave: "5" + argocd.argoproj.io/sync-wave: "6" labels: platform-engineer.cloud/role: grafana-viewer name: client-default-role-grafana-viewer @@ -23,7 +23,7 @@ kind: Role metadata: annotations: argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/sync-wave: "5" + argocd.argoproj.io/sync-wave: "6" labels: platform-engineer.cloud/role: grafana-editor name: client-default-role-grafana-editor @@ -43,7 +43,7 @@ kind: Role metadata: annotations: argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/sync-wave: "5" + argocd.argoproj.io/sync-wave: "6" labels: platform-engineer.cloud/role: grafana-admin name: client-default-role-grafana-admin diff --git a/platform-apps/charts/keycloak/templates/cp-keycloak-default-clientscopes-backstage.yaml b/platform-apps/charts/keycloak/templates/cp-keycloak-default-clientscopes-backstage.yaml index 106cb0ac7..cda4c28bb 100644 --- a/platform-apps/charts/keycloak/templates/cp-keycloak-default-clientscopes-backstage.yaml +++ b/platform-apps/charts/keycloak/templates/cp-keycloak-default-clientscopes-backstage.yaml @@ -3,7 +3,7 @@ kind: ClientDefaultScopes metadata: annotations: argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/sync-wave: "5" + argocd.argoproj.io/sync-wave: "6" name: client-default-scopes spec: forProvider: diff --git a/platform-apps/charts/keycloak/templates/cp-keycloak-default-clientscopes-grafana.yaml b/platform-apps/charts/keycloak/templates/cp-keycloak-default-clientscopes-grafana.yaml index 6ba8cbb45..ce164ed1b 100644 --- a/platform-apps/charts/keycloak/templates/cp-keycloak-default-clientscopes-grafana.yaml +++ b/platform-apps/charts/keycloak/templates/cp-keycloak-default-clientscopes-grafana.yaml 
@@ -3,7 +3,7 @@ kind: ClientDefaultScopes metadata: annotations: argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/sync-wave: "5" + argocd.argoproj.io/sync-wave: "6" name: client-default-scopes-grafana spec: forProvider: diff --git a/platform-apps/charts/keycloak/templates/cp-keycloak-default-clientscopes-pgadmin.yaml b/platform-apps/charts/keycloak/templates/cp-keycloak-default-clientscopes-pgadmin.yaml index 3f264655b..cc46df475 100644 --- a/platform-apps/charts/keycloak/templates/cp-keycloak-default-clientscopes-pgadmin.yaml +++ b/platform-apps/charts/keycloak/templates/cp-keycloak-default-clientscopes-pgadmin.yaml @@ -3,7 +3,7 @@ kind: ClientDefaultScopes metadata: annotations: argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/sync-wave: "5" + argocd.argoproj.io/sync-wave: "6" name: client-default-scopes-pgadmin spec: forProvider: diff --git a/platform-apps/charts/keycloak/templates/cp-keycloak-default-clientscopes-vault.yaml b/platform-apps/charts/keycloak/templates/cp-keycloak-default-clientscopes-vault.yaml index 8856e1551..f86552c86 100644 --- a/platform-apps/charts/keycloak/templates/cp-keycloak-default-clientscopes-vault.yaml +++ b/platform-apps/charts/keycloak/templates/cp-keycloak-default-clientscopes-vault.yaml @@ -3,7 +3,7 @@ kind: ClientDefaultScopes metadata: annotations: argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/sync-wave: "5" + argocd.argoproj.io/sync-wave: "6" name: client-default-scopes-vault spec: forProvider: From ac347aae350dc3b55a4b0f7af1d6c1af19a65995 Mon Sep 17 00:00:00 2001 From: phac008 Date: Tue, 4 Mar 2025 20:16:29 +0100 Subject: [PATCH 22/26] group Roles after role Signed-off-by: phac008 --- .../keycloak/templates/cp-keycloak-grafana-group-roles.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/platform-apps/charts/keycloak/templates/cp-keycloak-grafana-group-roles.yaml b/platform-apps/charts/keycloak/templates/cp-keycloak-grafana-group-roles.yaml index 8688acbf7..6c6aca709 100644 --- a/platform-apps/charts/keycloak/templates/cp-keycloak-grafana-group-roles.yaml +++ b/platform-apps/charts/keycloak/templates/cp-keycloak-grafana-group-roles.yaml @@ -7,7 +7,7 @@ metadata: name: grafana-group-roles-{{ $group.name }}-{{ $role }} annotations: argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true - argocd.argoproj.io/sync-wave: "6" + argocd.argoproj.io/sync-wave: "7" spec: deletionPolicy: Delete forProvider: From 5a9b20672218e99d17fe004ba547374407e0b646 Mon Sep 17 00:00:00 2001 From: Johannes Kleinlercher Date: Tue, 4 Mar 2025 21:44:30 +0100 Subject: [PATCH 23/26] try new keycloak provider version --- platform-apps/charts/keycloak/templates/cp-provider.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/platform-apps/charts/keycloak/templates/cp-provider.yaml b/platform-apps/charts/keycloak/templates/cp-provider.yaml index f2848bb2c..2ca8174ba 100644 --- a/platform-apps/charts/keycloak/templates/cp-provider.yaml +++ b/platform-apps/charts/keycloak/templates/cp-provider.yaml @@ -6,4 +6,4 @@ metadata: annotations: argocd.argoproj.io/sync-wave: "-10" spec: - package: xpkg.upbound.io/crossplane-contrib/provider-keycloak:v1.11.0 \ No newline at end of file + package: xpkg.upbound.io/crossplane-contrib/provider-keycloak:v1.12.0 From 68d243a36ac3f9e0b2bd0c2b5acc197cb3429fe9 Mon Sep 17 00:00:00 2001 From: phac008 Date: Wed, 5 Mar 2025 08:08:15 +0100 Subject: [PATCH 24/26] speed up flow Signed-off-by: phac008 --- .../charts/keycloak/templates/comp.yaml | 2 +- .../charts/keycloak/templates/func.yaml | 16 ---------------- 2 files changed, 1 insertion(+), 17 deletions(-) diff --git a/platform-apps/charts/keycloak/templates/comp.yaml b/platform-apps/charts/keycloak/templates/comp.yaml index 12903e857..f40d0fa39 100644 
--- a/platform-apps/charts/keycloak/templates/comp.yaml +++ b/platform-apps/charts/keycloak/templates/comp.yaml @@ -3,7 +3,7 @@ kind: Composition metadata: name: keycloak-builtin-objects annotations: - argocd.argoproj.io/sync-wave: "-1" + argocd.argoproj.io/sync-wave: "11" spec: compositeTypeRef: apiVersion: keycloak.crossplane.io/v1alpha1 diff --git a/platform-apps/charts/keycloak/templates/func.yaml b/platform-apps/charts/keycloak/templates/func.yaml index 157968811..2abee6659 100644 --- a/platform-apps/charts/keycloak/templates/func.yaml +++ b/platform-apps/charts/keycloak/templates/func.yaml @@ -3,35 +3,19 @@ apiVersion: pkg.crossplane.io/v1beta1 kind: Function metadata: name: function-extra-resources - annotations: - argocd.argoproj.io/sync-wave: "-2" - # This tells crossplane beta render to connect to the function locally. - #render.crossplane.io/runtime: Development spec: - # This is ignored when using the Development runtime. package: xpkg.upbound.io/crossplane-contrib/function-extra-resources:v0.0.3 --- apiVersion: pkg.crossplane.io/v1beta1 kind: Function metadata: - name: function-auto-ready - annotations: - argocd.argoproj.io/sync-wave: "-2" - # This tells crossplane beta render to connect to the function locally. - #render.crossplane.io/runtime: Development spec: - # This is ignored when using the Development runtime. package: xpkg.upbound.io/crossplane-contrib/function-auto-ready:v0.2.1 --- apiVersion: pkg.crossplane.io/v1beta1 kind: Function metadata: name: function-keycloak-builtin-objects - annotations: - argocd.argoproj.io/sync-wave: "-2" - # # This tells crossplane beta render to connect to the function locally. - # render.crossplane.io/runtime: Development spec: - # This is ignored when using the Development runtime. package: registry.gitlab.com/corewire/images/crossplane/function-keycloak-builtin-objects:v1.0.0 packagePullPolicy: Always From 6af031b9895893f4176b145092308c72a45d0717 Mon Sep 17 00:00:00 2001 
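Review bot: The func.yaml hunk drops `name: function-auto-ready` together with the annotations, leaving the second Function object with an empty `metadata:`, which the API server rejects and which presumably breaks the Composition pipeline step that references it; PATCH 25 in this series restores the line, so the two commits should be squashed so that no intermediate revision is broken. Removing the `sync-wave: "-2"` annotations puts the three Functions in the default wave 0, ahead of the Composition moved to wave 11 in the comp.yaml hunk, which is consistent but deserves a one-line comment on the Composition such as `# Functions sync in wave 0; the Composition must follow them`. The function-keycloak-builtin-objects package stays on a mutable `v1.0.0` tag with `packagePullPolicy: Always`, so every pull may fetch different content; pinning the package by digest would make the pulled bytes reproducible. That last point predates this change.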
From: phac008 Date: Wed, 5 Mar 2025 08:20:51 +0100 Subject: [PATCH 25/26] composition move Signed-off-by: phac008 --- platform-apps/charts/keycloak/templates/comp.yaml | 2 +- platform-apps/charts/keycloak/templates/func.yaml | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/platform-apps/charts/keycloak/templates/comp.yaml b/platform-apps/charts/keycloak/templates/comp.yaml index f40d0fa39..f19c6dccc 100644 --- a/platform-apps/charts/keycloak/templates/comp.yaml +++ b/platform-apps/charts/keycloak/templates/comp.yaml @@ -3,7 +3,7 @@ kind: Composition metadata: name: keycloak-builtin-objects annotations: - argocd.argoproj.io/sync-wave: "11" + argocd.argoproj.io/sync-wave: "1" spec: compositeTypeRef: apiVersion: keycloak.crossplane.io/v1alpha1 diff --git a/platform-apps/charts/keycloak/templates/func.yaml b/platform-apps/charts/keycloak/templates/func.yaml index 2abee6659..265ac94de 100644 --- a/platform-apps/charts/keycloak/templates/func.yaml +++ b/platform-apps/charts/keycloak/templates/func.yaml @@ -9,6 +9,7 @@ spec: apiVersion: pkg.crossplane.io/v1beta1 kind: Function metadata: + name: function-auto-ready spec: package: xpkg.upbound.io/crossplane-contrib/function-auto-ready:v0.2.1 --- From 7e19cbdcfbe86d6a09b1716ae5302ba8e6bcc776 Mon Sep 17 00:00:00 2001 From: phac008 Date: Fri, 7 Mar 2025 12:34:18 +0100 Subject: [PATCH 26/26] remove crossplane argocd monitoring, will be added with another request Signed-off-by: phac008 --- platform-apps/charts/argocd/values-k3d.yaml | 116 -------------------- 1 file changed, 116 deletions(-) diff --git a/platform-apps/charts/argocd/values-k3d.yaml b/platform-apps/charts/argocd/values-k3d.yaml index 89b11b7e4..27f57fe13 100644 --- a/platform-apps/charts/argocd/values-k3d.yaml +++ b/platform-apps/charts/argocd/values-k3d.yaml 
@@ -32,122 +32,6 @@ argo-cd: end return hs - "*.upbound.io/*": - health.lua: | - health_status = { - status = "Progressing", - message = "Provisioning ..." - } - local function contains (table, val) - for i, v in ipairs(table) do - if v == val then - return true - end - end - return false - end - local has_no_status = { - "ProviderConfig", - "ProviderConfigUsage" - } - if obj.status == nil or next(obj.status) == nil and contains(has_no_status, obj.kind) then - health_status.status = "Healthy" - health_status.message = "Resource is up-to-date." - return health_status - end - if obj.status == nil or next(obj.status) == nil or obj.status.conditions == nil then - if obj.kind == "ProviderConfig" and obj.status.users ~= nil then - health_status.status = "Healthy" - health_status.message = "Resource is in use." - return health_status - end - return health_status - end - for i, condition in ipairs(obj.status.conditions) do - if condition.type == "LastAsyncOperation" then - if condition.status == "False" then - health_status.status = "Degraded" - health_status.message = condition.message - return health_status - end - end - if condition.type == "Synced" then - if condition.status == "False" then - health_status.status = "Degraded" - health_status.message = condition.message - return health_status - end - end - if condition.type == "Ready" then - if condition.status == "True" then - health_status.status = "Healthy" - health_status.message = "Resource is up-to-date." - return health_status - end - end - end - return health_status - "*.crossplane.io/*": - health.lua: | - health_status = { - status = "Progressing", - message = "Provisioning ..." 
- } - local function contains (table, val) - for i, v in ipairs(table) do - if v == val then - return true - end - end - return false - end - local has_no_status = { - "Composition", - "CompositionRevision", - "DeploymentRuntimeConfig", - "ControllerConfig", - "ProviderConfig", - "ProviderConfigUsage" - } - if obj.status == nil or next(obj.status) == nil and contains(has_no_status, obj.kind) then - health_status.status = "Healthy" - health_status.message = "Resource is up-to-date." - return health_status - end - if obj.status == nil or next(obj.status) == nil or obj.status.conditions == nil then - if obj.kind == "ProviderConfig" and obj.status.users ~= nil then - health_status.status = "Healthy" - health_status.message = "Resource is in use." - return health_status - end - return health_status - end - for i, condition in ipairs(obj.status.conditions) do - if condition.type == "LastAsyncOperation" then - if condition.status == "False" then - health_status.status = "Degraded" - health_status.message = condition.message - return health_status - end - end - if condition.type == "Synced" then - if condition.status == "False" then - health_status.status = "Degraded" - health_status.message = condition.message - return health_status - end - end - if contains({"Ready", "Healthy", "Offered", "Established"}, condition.type) then - if condition.status == "True" then - health_status.status = "Healthy" - health_status.message = "Resource is up-to-date." - return health_status - end - end - end - return health_status - - rbac: policy.csv: | p, backstage, applications, get, */*, allow