Signed-off-by: Reinhard Nägele <[email protected]>
1 parent
65389c7
commit 975bb85
Showing
25 changed files
with
1,281 additions
and
0 deletions.
@@ -0,0 +1,20 @@ | ||
name: keycloak | ||
version: 4.10.2 | ||
appVersion: 5.0.0 | ||
description: Open Source Identity and Access Management For Modern Applications and Services | ||
keywords: | ||
- sso | ||
- idm | ||
- openid connect | ||
- saml | ||
- kerberos | ||
- ldap | ||
home: https://www.keycloak.org/ | ||
icon: https://www.keycloak.org/resources/images/keycloak_logo_480x108.png | ||
sources: | ||
- https://github.com/jboss-dockerfiles/keycloak | ||
maintainers: | ||
- name: unguiculus | ||
email: [email protected] | ||
- name: thomasdarimont | ||
email: [email protected] |
@@ -0,0 +1,6 @@ | ||
approvers: | ||
- unguiculus | ||
- thomasdarimont | ||
reviewers: | ||
- unguiculus | ||
- thomasdarimont |
@@ -0,0 +1,2 @@ | ||
keycloak: | ||
password: keycloak |
@@ -0,0 +1,6 @@ | ||
keycloak: | ||
replicas: 2 | ||
password: keycloak | ||
persistence: | ||
deployPostgres: true | ||
dbVendor: postgres |
@@ -0,0 +1,6 @@ | ||
dependencies: | ||
- name: postgresql | ||
repository: https://kubernetes-charts.storage.googleapis.com/ | ||
version: 0.15.0 | ||
digest: sha256:428d8302be9a566a3e77538af30c56b63e0bfc97dd01dd434f303f4434cb8100 | ||
generated: 2018-07-06T08:41:15.715456938+02:00 |
@@ -0,0 +1,5 @@ | ||
dependencies: | ||
- name: postgresql | ||
version: 0.15.0 | ||
repository: https://kubernetes-charts.storage.googleapis.com/ | ||
condition: keycloak.persistence.deployPostgres |
@@ -0,0 +1,8 @@ | ||
# Configure datasource to use explicit query timeout in seconds | ||
/subsystem=datasources/data-source=KeycloakDS/:write-attribute(name=query-timeout,value=${env.DB_QUERY_TIMEOUT:300}) | ||
|
||
# Configure datasource to connection before use | ||
/subsystem=datasources/data-source=KeycloakDS/:write-attribute(name=validate-on-match,value=${env.DB_VALIDATE_ON_MATCH:true}) | ||
|
||
# Configure datasource to try all other connections before failing | ||
/subsystem=datasources/data-source=KeycloakDS/:write-attribute(name=use-fast-fail,value=${env.DB_USE_CAST_FAIL:false}) |
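Review bot: The environment variable name on the last line, `DB_USE_CAST_FAIL`, does not match the attribute it configures (`use-fast-fail`) and reads as a typo for `DB_USE_FAST_FAIL`; an operator who exports the expected name gets the hard-coded default `false` with no error. Suggested line: `/subsystem=datasources/data-source=KeycloakDS/:write-attribute(name=use-fast-fail,value=${env.DB_USE_FAST_FAIL:false})`. The comment above the validate-on-match command is also missing its verb — `# Configure datasource to validate connection before use`.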
@@ -0,0 +1,8 @@ | ||
/subsystem=infinispan/cache-container=keycloak/distributed-cache=sessions:write-attribute(name=owners, value=${env.CACHE_OWNERS:2}) | ||
/subsystem=infinispan/cache-container=keycloak/distributed-cache=authenticationSessions:write-attribute(name=owners, value=${env.CACHE_OWNERS:2}) | ||
/subsystem=infinispan/cache-container=keycloak/distributed-cache=offlineSessions:write-attribute(name=owners, value=${env.CACHE_OWNERS:2}) | ||
/subsystem=infinispan/cache-container=keycloak/distributed-cache=clientSessions:write-attribute(name=owners, value=${env.CACHE_OWNERS:2}) | ||
/subsystem=infinispan/cache-container=keycloak/distributed-cache=offlineClientSessions:write-attribute(name=owners, value=${env.CACHE_OWNERS:2}) | ||
/subsystem=infinispan/cache-container=keycloak/distributed-cache=loginFailures:write-attribute(name=owners, value=${env.CACHE_OWNERS:2}) | ||
|
||
/subsystem=jgroups/channel=ee:write-attribute(name=stack, value=tcp) |
@@ -0,0 +1,10 @@ | ||
# Allow log level to be configured via environment variable | ||
/subsystem=logging/console-handler=CONSOLE:write-attribute(name=level, value=${env.WILDFLY_LOGLEVEL:INFO}) | ||
/subsystem=logging/root-logger=ROOT:write-attribute(name=level, value=${env.WILDFLY_LOGLEVEL:INFO}) | ||
|
||
# Add dedicated eventsListener config element to allow configuring elements. | ||
/subsystem=keycloak-server/spi=eventsListener:add() | ||
/subsystem=keycloak-server/spi=eventsListener/provider=jboss-logging:add(enabled=true) | ||
# Propagate success events to INFO instead of DEBUG, to expose successful logins for log analysis | ||
/subsystem=keycloak-server/spi=eventsListener/provider=jboss-logging:write-attribute(name=properties.success-level,value=info) | ||
/subsystem=keycloak-server/spi=eventsListener/provider=jboss-logging:write-attribute(name=properties.error-level,value=warn) |
@@ -0,0 +1,3 @@ | ||
## Sets the node identifier to the node name (= pod name). Node identifiers have to be unique. They can have a | ||
## maximum length of 23 characters. Thus, the chart's fullname template truncates its length accordingly. | ||
/subsystem=transactions:write-attribute(name=node-identifier, value=${jboss.node.name}) |
@@ -0,0 +1,3 @@ | ||
/socket-binding-group=standard-sockets/socket-binding=proxy-https:add(port=443) | ||
/subsystem=undertow/server=default-server/http-listener=default:write-attribute(name=redirect-socket, value=proxy-https) | ||
/subsystem=undertow/server=default-server/http-listener=default:write-attribute(name=proxy-address-forwarding, value=true) |
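Review bot: `proxy-address-forwarding=true` on the default listener makes the server take client address and scheme from `X-Forwarded-*` headers sent by whichever peer reaches the pod, and the ConfigMap in this commit applies this `.reverseProxy` snippet unconditionally, so the precondition — pods reachable only through the ingress/proxy — is nowhere stated. Add a comment above the last line: `## Trusts X-Forwarded-For/-Proto from the upstream proxy; only correct when pods are reachable solely via the ingress, otherwise the recorded client address can be spoofed`. Whether a NetworkPolicy or the Service type enforces that is outside this file and cannot be checked from this page.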
@@ -0,0 +1,52 @@ | ||
|
||
Keycloak can be accessed: | ||
|
||
* Within your cluster, at the following DNS name at port {{ .Values.keycloak.service.port }}: | ||
|
||
{{ template "keycloak.fullname" . }}-http.{{ .Release.Namespace }}.svc.cluster.local | ||
|
||
{{- if .Values.keycloak.ingress.enabled }} | ||
|
||
* From outside the cluster: | ||
|
||
{{- range .Values.keycloak.ingress.hosts }} | ||
- http{{ if $.Values.keycloak.ingress.tls }}s{{ end }}://{{ . }} | ||
{{- end }} | ||
|
||
{{- else }} | ||
|
||
* From outside the cluster, run these commands in the same shell: | ||
|
||
{{- if contains "NodePort" .Values.keycloak.service.type }} | ||
|
||
export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ template "keycloak.fullname" . }}) | ||
export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") | ||
echo http://$NODE_IP:$NODE_PORT | ||
|
||
{{- else if contains "LoadBalancer" .Values.keycloak.service.type }} | ||
|
||
NOTE: | ||
It may take a few minutes for the LoadBalancer IP to be available. | ||
You can watch the status of by running 'kubectl get svc -w {{ template "keycloak.fullname" . }}' | ||
|
||
export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ template "keycloak.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') | ||
echo http://$SERVICE_IP:{{ .Values.keycloak.service.port }} | ||
|
||
{{- else if contains "ClusterIP" .Values.keycloak.service.type }} | ||
|
||
export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l app={{ template "keycloak.name" . }},release={{ .Release.Name }} -o jsonpath="{.items[0].metadata.name}") | ||
echo "Visit http://127.0.0.1:8080 to use Keycloak" | ||
kubectl port-forward --namespace {{ .Release.Namespace }} $POD_NAME 8080 | ||
|
||
{{- end }} | ||
|
||
{{- end }} | ||
|
||
{{- if .Release.IsInstall }} | ||
|
||
Login with the following credentials: | ||
Username: {{ .Values.keycloak.username }} | ||
|
||
To retrieve the initial user password run: | ||
kubectl get secret --namespace {{ .Release.Namespace }} {{ template "keycloak.fullname" . }}-http -o jsonpath="{.data.password}" | base64 --decode; echo | ||
{{- end }} |
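Review bot: The `kubectl get ... services {{ template "keycloak.fullname" . }}` command in the NodePort branch and the two `kubectl get svc ... {{ template "keycloak.fullname" . }}` commands in the LoadBalancer branch name a Service this commit does not create — the Service templates in this commit are named `{{ template "keycloak.fullname" . }}-http` and `{{ template "keycloak.fullname" . }}-headless` — so the printed commands will report the service as not found. Append `-http` to the service name in those three commands, matching the cluster-internal DNS name already printed at the top of the notes. The LoadBalancer sentence also drops a word: `You can watch the status of it by running 'kubectl get svc -w {{ template "keycloak.fullname" . }}-http'`.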
@@ -0,0 +1,106 @@ | ||
{{/* vim: set filetype=mustache: */}} | ||
{{/* | ||
Expand the name of the chart. | ||
*/}} | ||
{{- define "keycloak.name" -}} | ||
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} | ||
{{- end -}} | ||
|
||
{{/* | ||
Create a default fully qualified app name. | ||
We truncate to 20 characters because this is used to set the node identifier in WildFly which is limited to | ||
23 characters. This allows for a replica suffix for up to 99 replicas. | ||
*/}} | ||
{{- define "keycloak.fullname" -}} | ||
{{- if .Values.fullnameOverride -}} | ||
{{- .Values.fullnameOverride | trunc 20 | trimSuffix "-" -}} | ||
{{- else -}} | ||
{{- $name := default .Chart.Name .Values.nameOverride -}} | ||
{{- if contains $name .Release.Name -}} | ||
{{- .Release.Name | trunc 20 | trimSuffix "-" -}} | ||
{{- else -}} | ||
{{- printf "%s-%s" .Release.Name $name | trunc 20 | trimSuffix "-" -}} | ||
{{- end -}} | ||
{{- end -}} | ||
{{- end -}} | ||
|
||
{{/* | ||
Create chart name and version as used by the chart label. | ||
*/}} | ||
{{- define "keycloak.chart" -}} | ||
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} | ||
{{- end -}} | ||
|
||
{{/* | ||
Create a default fully qualified app name for the postgres requirement. | ||
*/}} | ||
{{- define "keycloak.postgresql.fullname" -}} | ||
{{- $postgresContext := dict "Values" .Values.postgresql "Release" .Release "Chart" (dict "Name" "postgresql") -}} | ||
{{ template "postgresql.fullname" $postgresContext }} | ||
{{- end -}} | ||
|
||
{{/* | ||
Create the name for the database secret. | ||
*/}} | ||
{{- define "keycloak.externalDbSecret" -}} | ||
{{- if .Values.keycloak.persistence.existingSecret -}} | ||
{{- .Values.keycloak.persistence.existingSecret -}} | ||
{{- else -}} | ||
{{- template "keycloak.fullname" . -}}-db | ||
{{- end -}} | ||
{{- end -}} | ||
|
||
{{/* | ||
Create the name for the password secret key. | ||
*/}} | ||
{{- define "keycloak.dbPasswordKey" -}} | ||
{{- if .Values.keycloak.persistence.existingSecret -}} | ||
{{- .Values.keycloak.persistence.existingSecretKey -}} | ||
{{- else -}} | ||
password | ||
{{- end -}} | ||
{{- end -}} | ||
|
||
{{/* | ||
Create environment variables for database configuration. | ||
*/}} | ||
{{- define "keycloak.dbEnvVars" -}} | ||
{{- if .Values.keycloak.persistence.deployPostgres }} | ||
{{- if not (eq "postgres" .Values.keycloak.persistence.dbVendor) }} | ||
{{ fail (printf "ERROR: 'Setting keycloak.persistence.deployPostgres' to 'true' requires setting 'keycloak.persistence.dbVendor' to 'postgres' (is: '%s')!" .Values.keycloak.persistence.dbVendor) }} | ||
{{- end }} | ||
- name: DB_VENDOR | ||
value: postgres | ||
- name: DB_ADDR | ||
value: {{ template "keycloak.postgresql.fullname" . }} | ||
- name: DB_PORT | ||
value: "5432" | ||
- name: DB_DATABASE | ||
value: {{ .Values.postgresql.postgresDatabase | quote }} | ||
- name: DB_USER | ||
value: {{ .Values.postgresql.postgresUser | quote }} | ||
- name: DB_PASSWORD | ||
valueFrom: | ||
secretKeyRef: | ||
name: {{ template "keycloak.postgresql.fullname" . }} | ||
key: postgres-password | ||
{{- else }} | ||
- name: DB_VENDOR | ||
value: {{ .Values.keycloak.persistence.dbVendor | quote }} | ||
{{- if not (eq "h2" .Values.keycloak.persistence.dbVendor) }} | ||
- name: DB_ADDR | ||
value: {{ .Values.keycloak.persistence.dbHost | quote }} | ||
- name: DB_PORT | ||
value: {{ .Values.keycloak.persistence.dbPort | quote }} | ||
- name: DB_DATABASE | ||
value: {{ .Values.keycloak.persistence.dbName | quote }} | ||
- name: DB_USER | ||
value: {{ .Values.keycloak.persistence.dbUser | quote }} | ||
- name: DB_PASSWORD | ||
valueFrom: | ||
secretKeyRef: | ||
name: {{ template "keycloak.externalDbSecret" . }} | ||
key: {{ include "keycloak.dbPasswordKey" . | quote }} | ||
{{- end }} | ||
{{- end }} | ||
{{- end -}} |
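Review bot: In `keycloak.dbPasswordKey`, when `existingSecret` is set but `existingSecretKey` is not, the template renders an empty string, and `keycloak.dbEnvVars` then emits `key: ""` in the `DB_PASSWORD` `secretKeyRef`; that is likely to be rejected only when the pod is created rather than surfacing at render time. Consider `{{- required "keycloak.persistence.existingSecretKey must be set when existingSecret is used" .Values.keycloak.persistence.existingSecretKey -}}` in place of the bare value. The `fail` message in `keycloak.dbEnvVars` also has a misplaced quote — `Setting 'keycloak.persistence.deployPostgres' to 'true' requires ...`.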
@@ -0,0 +1,60 @@ | ||
{{- $highAvailability := gt (int .Values.keycloak.replicas) 1 -}} | ||
apiVersion: v1 | ||
kind: ConfigMap | ||
metadata: | ||
name: {{ template "keycloak.fullname" . }} | ||
labels: | ||
app: {{ template "keycloak.name" . }} | ||
chart: {{ template "keycloak.chart" . }} | ||
release: "{{ .Release.Name }}" | ||
heritage: "{{ .Release.Service }}" | ||
data: | ||
keycloak.sh: | | ||
#!/usr/bin/env bash | ||
set -eu | ||
/opt/jboss/keycloak/bin/jboss-cli.sh --file=/scripts/keycloak.cli | ||
{{- with .Values.keycloak.preStartScript }} | ||
echo 'Running custom pre-start script...' | ||
{{ . | indent 4 }} | ||
{{- end }} | ||
|
||
exec /opt/jboss/tools/docker-entrypoint.sh -b 0.0.0.0 {{ .Values.keycloak.extraArgs }}{{- if $highAvailability }} -c standalone-ha.xml{{ else }} -c standalone.xml{{ end }} | ||
exit "$?" | ||
|
||
keycloak.cli: | | ||
embed-server {{- if $highAvailability }} --server-config=standalone-ha.xml{{ end }} --std-out=echo | ||
batch | ||
{{- if ne .Values.keycloak.basepath "auth" }} | ||
# Changes the base path to be /keycloak.basepath instead of /auth | ||
/subsystem=keycloak-server:write-attribute(name=web-context,value={{ if eq .Values.keycloak.basepath "" }}ROOT{{ else }}{{ .Values.keycloak.basepath }}{{ end }}) | ||
{{- if eq .Values.keycloak.basepath "" }} | ||
/subsystem=undertow/server=default-server/host=default-host:write-attribute(name=default-web-module,value=keycloak-server.war) | ||
{{- end }} | ||
{{ end }} | ||
|
||
{{- with .Values.keycloak.cli }} | ||
|
||
{{ tpl .nodeIdentifier $ | indent 4 }} | ||
|
||
{{ tpl .logging $ | indent 4 }} | ||
|
||
{{ tpl .reverseProxy $ | indent 4 }} | ||
|
||
{{ tpl .datasource $ | indent 4 }} | ||
|
||
{{- if $highAvailability }} | ||
{{ tpl .ha $ | indent 4 }} | ||
{{- end }} | ||
|
||
{{- with .custom }} | ||
{{ tpl . $ | indent 4 }} | ||
{{- end }} | ||
|
||
{{- end }} | ||
|
||
run-batch | ||
stop-embedded-server |
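Review bot: `exit "$?"` in `keycloak.sh` is unreachable because the preceding `exec` replaces the shell, so it suggests a fallback path that does not exist; drop it, or if it is meant as a guard for a failed `exec`, say so in a comment. The script assumes the ConfigMap is mounted at `/scripts` (`--file=/scripts/keycloak.cli`); the workload template that mounts it is among the files not rendered on this page, so that path cannot be verified here. `{{ .Values.keycloak.extraArgs }}` is interpolated unquoted into the `exec` line and is therefore word-split by the shell — fine for operator-supplied values, but worth a comment on that line: `# extraArgs is inserted unquoted and word-split by the shell`.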
@@ -0,0 +1,14 @@ | ||
{{- if and (not .Values.keycloak.persistence.deployPostgres) (not .Values.keycloak.persistence.existingSecret) -}} | ||
apiVersion: v1 | ||
kind: Secret | ||
metadata: | ||
name: {{ template "keycloak.fullname" . }}-db | ||
labels: | ||
app: {{ template "keycloak.name" . }} | ||
chart: {{ template "keycloak.chart" . }} | ||
heritage: {{ .Release.Service }} | ||
release: {{ .Release.Name }} | ||
type: Opaque | ||
data: | ||
{{ template "keycloak.dbPasswordKey" . }}: {{ .Values.keycloak.persistence.dbPassword | b64enc | quote }} | ||
{{- end -}} |
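Review bot: `.Values.keycloak.persistence.dbPassword | b64enc` renders an empty entry when the value is unset, so an external-DB release missing the password produces a Secret with an empty `password` and the failure only shows up when Keycloak tries to connect. Use `{{ required "keycloak.persistence.dbPassword is required when deployPostgres is false and no existingSecret is set" .Values.keycloak.persistence.dbPassword | b64enc | quote }}` so the install fails at render time. The `heritage` and `release` label values are unquoted here while the ConfigMap and Service templates in this commit quote them — `heritage: "{{ .Release.Service }}"` and `release: "{{ .Release.Name }}"` for consistency.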
@@ -0,0 +1,27 @@ | ||
{{- $highAvailability := gt (int .Values.keycloak.replicas) 1 -}} | ||
apiVersion: v1 | ||
kind: Service | ||
metadata: | ||
name: {{ template "keycloak.fullname" . }}-headless | ||
labels: | ||
app: {{ template "keycloak.name" . }} | ||
chart: {{ template "keycloak.chart" . }} | ||
release: "{{ .Release.Name }}" | ||
heritage: "{{ .Release.Service }}" | ||
spec: | ||
type: ClusterIP | ||
clusterIP: None | ||
ports: | ||
- name: http | ||
port: {{ .Values.keycloak.service.port }} | ||
targetPort: http | ||
protocol: TCP | ||
{{- if $highAvailability }} | ||
- name: jgroups | ||
port: {{ .Values.keycloak.service.jgroupsPort }} | ||
targetPort: jgroups | ||
protocol: TCP | ||
{{- end }} | ||
selector: | ||
app: {{ template "keycloak.name" . }} | ||
release: "{{ .Release.Name }}" |
@@ -0,0 +1,30 @@ | ||
{{- $service := .Values.keycloak.service -}} | ||
apiVersion: v1 | ||
kind: Service | ||
metadata: | ||
name: {{ template "keycloak.fullname" . }}-http | ||
{{- with $service.annotations }} | ||
annotations: | ||
{{ toYaml . | indent 4 }} | ||
{{- end }} | ||
labels: | ||
app: {{ template "keycloak.name" . }} | ||
chart: {{ template "keycloak.chart" . }} | ||
release: "{{ .Release.Name }}" | ||
heritage: "{{ .Release.Service }}" | ||
{{- with $service.labels }} | ||
{{ toYaml . | indent 4 }} | ||
{{- end }} | ||
spec: | ||
type: {{ $service.type }} | ||
ports: | ||
- name: http | ||
port: {{ $service.port }} | ||
targetPort: http | ||
{{- if and (eq "NodePort" $service.type) $service.nodePort }} | ||
nodePort: {{ $service.nodePort }} | ||
{{- end }} | ||
protocol: TCP | ||
selector: | ||
app: {{ template "keycloak.name" . }} | ||
release: "{{ .Release.Name }}" |