Import Keycloak chart (codecentric#5)

Signed-off-by: Reinhard Nägele <[email protected]>

Author: unguiculus

charts/keycloak/Chart.yaml

@@ -0,0 +1,20 @@
+name: keycloak
+version: 4.10.2
+appVersion: 5.0.0
+description: Open Source Identity and Access Management For Modern Applications and Services
+keywords:
+  - sso
+  - idm
+  - openid connect
+  - saml
+  - kerberos
+  - ldap
+home: https://www.keycloak.org/
+icon: https://www.keycloak.org/resources/images/keycloak_logo_480x108.png
+sources:
+  - https://github.com/jboss-dockerfiles/keycloak
+maintainers:
+  - name: unguiculus
+    email: [email protected]
+  - name: thomasdarimont
+    email: [email protected]

charts/keycloak/OWNERS

@@ -0,0 +1,6 @@
+approvers:
+- unguiculus
+- thomasdarimont
+reviewers:
+- unguiculus
+- thomasdarimont

charts/keycloak/README.md

@@ -0,0 +1,2 @@
+keycloak:
+  password: keycloak

charts/keycloak/ci/h2-values.yaml

@@ -0,0 +1,6 @@
+keycloak:
+  replicas: 2
+  password: keycloak
+  persistence:
+    deployPostgres: true
+    dbVendor: postgres

charts/keycloak/ci/postgres-ha-values.yaml

@@ -0,0 +1,6 @@
+dependencies:
+- name: postgresql
+  repository: https://kubernetes-charts.storage.googleapis.com/
+  version: 0.15.0
+digest: sha256:428d8302be9a566a3e77538af30c56b63e0bfc97dd01dd434f303f4434cb8100
+generated: 2018-07-06T08:41:15.715456938+02:00

charts/keycloak/requirements.lock

@@ -0,0 +1,5 @@
+dependencies:
+  - name: postgresql
+    version: 0.15.0
+    repository: https://kubernetes-charts.storage.googleapis.com/
+    condition: keycloak.persistence.deployPostgres

charts/keycloak/requirements.yaml

@@ -0,0 +1,8 @@
+# Configure datasource to use explicit query timeout in seconds
+/subsystem=datasources/data-source=KeycloakDS/:write-attribute(name=query-timeout,value=${env.DB_QUERY_TIMEOUT:300})
+
+# Configure datasource to connection before use
+/subsystem=datasources/data-source=KeycloakDS/:write-attribute(name=validate-on-match,value=${env.DB_VALIDATE_ON_MATCH:true})
+
+# Configure datasource to try all other connections before failing
+/subsystem=datasources/data-source=KeycloakDS/:write-attribute(name=use-fast-fail,value=${env.DB_USE_CAST_FAIL:false})

charts/keycloak/scripts/datasource.cli

@@ -0,0 +1,8 @@
+/subsystem=infinispan/cache-container=keycloak/distributed-cache=sessions:write-attribute(name=owners, value=${env.CACHE_OWNERS:2})
+/subsystem=infinispan/cache-container=keycloak/distributed-cache=authenticationSessions:write-attribute(name=owners, value=${env.CACHE_OWNERS:2})
+/subsystem=infinispan/cache-container=keycloak/distributed-cache=offlineSessions:write-attribute(name=owners, value=${env.CACHE_OWNERS:2})
+/subsystem=infinispan/cache-container=keycloak/distributed-cache=clientSessions:write-attribute(name=owners, value=${env.CACHE_OWNERS:2})
+/subsystem=infinispan/cache-container=keycloak/distributed-cache=offlineClientSessions:write-attribute(name=owners, value=${env.CACHE_OWNERS:2})
+/subsystem=infinispan/cache-container=keycloak/distributed-cache=loginFailures:write-attribute(name=owners, value=${env.CACHE_OWNERS:2})
+
+/subsystem=jgroups/channel=ee:write-attribute(name=stack, value=tcp)

charts/keycloak/scripts/ha.cli

@@ -0,0 +1,10 @@
+# Allow log level to be configured via environment variable
+/subsystem=logging/console-handler=CONSOLE:write-attribute(name=level, value=${env.WILDFLY_LOGLEVEL:INFO})
+/subsystem=logging/root-logger=ROOT:write-attribute(name=level, value=${env.WILDFLY_LOGLEVEL:INFO})
+
+# Add dedicated eventsListener config element to allow configuring elements.
+/subsystem=keycloak-server/spi=eventsListener:add()
+/subsystem=keycloak-server/spi=eventsListener/provider=jboss-logging:add(enabled=true)
+# Propagate success events to INFO instead of DEBUG, to expose successful logins for log analysis
+/subsystem=keycloak-server/spi=eventsListener/provider=jboss-logging:write-attribute(name=properties.success-level,value=info)
+/subsystem=keycloak-server/spi=eventsListener/provider=jboss-logging:write-attribute(name=properties.error-level,value=warn)

charts/keycloak/scripts/logging.cli

@@ -0,0 +1,3 @@
+## Sets the node identifier to the node name (= pod name). Node identifiers have to be unique. They can have a
+## maximum length of 23 characters. Thus, the chart's fullname template truncates its length accordingly.
+/subsystem=transactions:write-attribute(name=node-identifier, value=${jboss.node.name})

charts/keycloak/scripts/node-identifier.cli

@@ -0,0 +1,3 @@
+/socket-binding-group=standard-sockets/socket-binding=proxy-https:add(port=443)
+/subsystem=undertow/server=default-server/http-listener=default:write-attribute(name=redirect-socket, value=proxy-https)
+/subsystem=undertow/server=default-server/http-listener=default:write-attribute(name=proxy-address-forwarding, value=true)

charts/keycloak/scripts/reverse-proxy.cli

@@ -0,0 +1,52 @@
+
+Keycloak can be accessed:
+
+* Within your cluster, at the following DNS name at port {{ .Values.keycloak.service.port }}:
+
+  {{ template "keycloak.fullname" . }}-http.{{ .Release.Namespace }}.svc.cluster.local
+
+{{- if .Values.keycloak.ingress.enabled }}
+
+* From outside the cluster:
+
+{{- range .Values.keycloak.ingress.hosts }}
+  - http{{ if $.Values.keycloak.ingress.tls }}s{{ end }}://{{ . }}
+{{- end }}
+
+{{- else }}
+
+* From outside the cluster, run these commands in the same shell:
+
+{{- if contains "NodePort" .Values.keycloak.service.type }}
+
+  export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ template "keycloak.fullname" . }})
+  export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
+  echo http://$NODE_IP:$NODE_PORT
+
+{{- else if contains "LoadBalancer" .Values.keycloak.service.type }}
+
+  NOTE:
+  It may take a few minutes for the LoadBalancer IP to be available.
+  You can watch the status of by running 'kubectl get svc -w {{ template "keycloak.fullname" . }}'
+
+  export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ template "keycloak.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
+  echo http://$SERVICE_IP:{{ .Values.keycloak.service.port }}
+
+{{- else if contains "ClusterIP" .Values.keycloak.service.type }}
+
+  export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l app={{ template "keycloak.name" . }},release={{ .Release.Name }} -o jsonpath="{.items[0].metadata.name}")
+  echo "Visit http://127.0.0.1:8080 to use Keycloak"
+  kubectl port-forward --namespace {{ .Release.Namespace }} $POD_NAME 8080
+
+{{- end }}
+
+{{- end }}
+
+{{- if .Release.IsInstall }}
+
+Login with the following credentials:
+Username: {{ .Values.keycloak.username }}
+
+To retrieve the initial user password run:
+kubectl get secret --namespace {{ .Release.Namespace }} {{ template "keycloak.fullname" . }}-http -o jsonpath="{.data.password}" | base64 --decode; echo
+{{- end }}

charts/keycloak/templates/NOTES.txt

@@ -0,0 +1,106 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "keycloak.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate to 20 characters because this is used to set the node identifier in WildFly which is limited to
+23 characters. This allows for a replica suffix for up to 99 replicas.
+*/}}
+{{- define "keycloak.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 20 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 20 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 20 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "keycloak.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name for the postgres requirement.
+*/}}
+{{- define "keycloak.postgresql.fullname" -}}
+{{- $postgresContext := dict "Values" .Values.postgresql "Release" .Release "Chart" (dict "Name" "postgresql") -}}
+{{ template "postgresql.fullname" $postgresContext }}
+{{- end -}}
+
+{{/*
+Create the name for the database secret.
+*/}}
+{{- define "keycloak.externalDbSecret" -}}
+{{- if .Values.keycloak.persistence.existingSecret -}}
+  {{- .Values.keycloak.persistence.existingSecret -}}
+{{- else -}}
+  {{- template "keycloak.fullname" . -}}-db
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create the name for the password secret key.
+*/}}
+{{- define "keycloak.dbPasswordKey" -}}
+{{- if .Values.keycloak.persistence.existingSecret -}}
+  {{- .Values.keycloak.persistence.existingSecretKey -}}
+{{- else -}}
+  password
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create environment variables for database configuration.
+*/}}
+{{- define "keycloak.dbEnvVars" -}}
+{{- if .Values.keycloak.persistence.deployPostgres }}
+{{- if not (eq "postgres" .Values.keycloak.persistence.dbVendor) }}
+{{ fail (printf "ERROR: 'Setting keycloak.persistence.deployPostgres' to 'true' requires setting 'keycloak.persistence.dbVendor' to 'postgres' (is: '%s')!" .Values.keycloak.persistence.dbVendor) }}
+{{- end }}
+- name: DB_VENDOR
+  value: postgres
+- name: DB_ADDR
+  value: {{ template "keycloak.postgresql.fullname" . }}
+- name: DB_PORT
+  value: "5432"
+- name: DB_DATABASE
+  value: {{ .Values.postgresql.postgresDatabase | quote }}
+- name: DB_USER
+  value: {{ .Values.postgresql.postgresUser | quote }}
+- name: DB_PASSWORD
+  valueFrom:
+    secretKeyRef:
+      name: {{ template "keycloak.postgresql.fullname" . }}
+      key: postgres-password
+{{- else }}
+- name: DB_VENDOR
+  value: {{ .Values.keycloak.persistence.dbVendor | quote }}
+{{- if not (eq "h2" .Values.keycloak.persistence.dbVendor) }}
+- name: DB_ADDR
+  value: {{ .Values.keycloak.persistence.dbHost | quote }}
+- name: DB_PORT
+  value: {{ .Values.keycloak.persistence.dbPort | quote }}
+- name: DB_DATABASE
+  value: {{ .Values.keycloak.persistence.dbName | quote }}
+- name: DB_USER
+  value: {{ .Values.keycloak.persistence.dbUser | quote }}
+- name: DB_PASSWORD
+  valueFrom:
+    secretKeyRef:
+      name: {{ template "keycloak.externalDbSecret" . }}
+      key: {{ include "keycloak.dbPasswordKey" . | quote }}
+{{- end }}
+{{- end }}
+{{- end -}}

charts/keycloak/templates/_helpers.tpl

@@ -0,0 +1,60 @@
+{{- $highAvailability := gt (int .Values.keycloak.replicas) 1 -}}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ template "keycloak.fullname" . }}
+  labels:
+    app: {{ template "keycloak.name" . }}
+    chart: {{ template "keycloak.chart" . }}
+    release: "{{ .Release.Name }}"
+    heritage: "{{ .Release.Service }}"
+data:
+  keycloak.sh: |
+    #!/usr/bin/env bash
+
+    set -eu
+
+    /opt/jboss/keycloak/bin/jboss-cli.sh --file=/scripts/keycloak.cli
+
+  {{- with .Values.keycloak.preStartScript }}
+    echo 'Running custom pre-start script...'
+{{ . | indent 4 }}
+  {{- end }}
+
+    exec /opt/jboss/tools/docker-entrypoint.sh -b 0.0.0.0 {{ .Values.keycloak.extraArgs }}{{- if $highAvailability }} -c standalone-ha.xml{{ else }} -c standalone.xml{{ end }}
+    exit "$?"
+
+  keycloak.cli: |
+    embed-server {{- if $highAvailability }} --server-config=standalone-ha.xml{{ end }} --std-out=echo
+    batch
+
+{{- if ne .Values.keycloak.basepath "auth" }}
+    # Changes the base path to be /keycloak.basepath instead of /auth
+    /subsystem=keycloak-server:write-attribute(name=web-context,value={{ if eq .Values.keycloak.basepath "" }}ROOT{{ else }}{{ .Values.keycloak.basepath }}{{ end }})
+    {{- if eq .Values.keycloak.basepath "" }}
+    /subsystem=undertow/server=default-server/host=default-host:write-attribute(name=default-web-module,value=keycloak-server.war)
+    {{- end }}
+{{ end }}
+
+{{- with .Values.keycloak.cli }}
+
+{{ tpl .nodeIdentifier $ | indent 4 }}
+
+{{ tpl .logging $ | indent 4 }}
+
+{{ tpl .reverseProxy $ | indent 4 }}
+
+{{ tpl .datasource $ | indent 4 }}
+
+{{- if $highAvailability }}
+{{ tpl .ha $ | indent 4 }}
+{{- end }}
+
+{{- with .custom }}
+{{ tpl . $ | indent 4 }}
+{{- end }}
+
+{{- end }}
+
+    run-batch
+    stop-embedded-server

charts/keycloak/templates/configmap.yaml

@@ -0,0 +1,14 @@
+{{- if and (not .Values.keycloak.persistence.deployPostgres) (not .Values.keycloak.persistence.existingSecret) -}}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ template "keycloak.fullname" . }}-db
+  labels:
+    app: {{ template "keycloak.name" . }}
+    chart: {{ template "keycloak.chart" . }}
+    heritage: {{ .Release.Service }}
+    release: {{ .Release.Name }}
+type: Opaque
+data:
+  {{ template "keycloak.dbPasswordKey" . }}: {{ .Values.keycloak.persistence.dbPassword | b64enc | quote }}
+{{- end -}}

charts/keycloak/templates/db-secret.yaml

@@ -0,0 +1,27 @@
+{{- $highAvailability := gt (int .Values.keycloak.replicas) 1 -}}
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ template "keycloak.fullname" . }}-headless
+  labels:
+    app: {{ template "keycloak.name" . }}
+    chart: {{ template "keycloak.chart" . }}
+    release: "{{ .Release.Name }}"
+    heritage: "{{ .Release.Service }}"
+spec:
+  type: ClusterIP
+  clusterIP: None
+  ports:
+    - name: http
+      port: {{ .Values.keycloak.service.port }}
+      targetPort: http
+      protocol: TCP
+  {{- if $highAvailability }}
+    - name: jgroups
+      port: {{ .Values.keycloak.service.jgroupsPort }}
+      targetPort: jgroups
+      protocol: TCP
+  {{- end }}
+  selector:
+    app: {{ template "keycloak.name" . }}
+    release: "{{ .Release.Name }}"

charts/keycloak/templates/headless-service.yaml

@@ -0,0 +1,30 @@
+{{- $service := .Values.keycloak.service -}}
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ template "keycloak.fullname" . }}-http
+{{- with $service.annotations }}
+  annotations:
+{{ toYaml . | indent 4 }}
+{{- end }}
+  labels:
+    app: {{ template "keycloak.name" . }}
+    chart: {{ template "keycloak.chart" . }}
+    release: "{{ .Release.Name }}"
+    heritage: "{{ .Release.Service }}"
+{{- with $service.labels }}
+{{ toYaml . | indent 4 }}
+{{- end }}
+spec:
+  type: {{ $service.type }}
+  ports:
+    - name: http
+      port: {{ $service.port }}
+      targetPort: http
+    {{- if and (eq "NodePort" $service.type) $service.nodePort }}
+      nodePort: {{ $service.nodePort }}
+    {{- end }}
+      protocol: TCP
+  selector:
+    app: {{ template "keycloak.name" . }}
+    release: "{{ .Release.Name }}"