From 9a85df42fbde0710a843e3fc0a88d053a83350cd Mon Sep 17 00:00:00 2001
From: Chris
Date: Thu, 5 Aug 2021 16:43:15 +0200
Subject: [PATCH 1/3] Add guide how to install on OCP4

---
 .../ROOT/pages/how-tos/openshift-4.adoc | 38 +++++++++++++++++++
 docs/modules/ROOT/partials/nav.adoc | 1 +
 2 files changed, 39 insertions(+)
 create mode 100644 docs/modules/ROOT/pages/how-tos/openshift-4.adoc

diff --git a/docs/modules/ROOT/pages/how-tos/openshift-4.adoc b/docs/modules/ROOT/pages/how-tos/openshift-4.adoc
new file mode 100644
index 00000000..502c1a10
--- /dev/null
+++ b/docs/modules/ROOT/pages/how-tos/openshift-4.adoc
@@ -0,0 +1,38 @@
+= Installing on OpenShift 4
+
+This guide describes how to install this component on OpenShift 4.
+
+== Parameters for Keycloak
+
+You need to disable some security context fields, as OpenShift sets those automatically.
+
+[source,yaml,subs="attributes+"]
+----
+parameters:
+ keycloak:
+ helm_values:
+ podSecurityContext: null
+ securityContext: null
+ pgchecker:
+ securityContext: null
+----
+
+== Parameters for built-in Postgresql database
+
+If you are using the built-in database provider (by default unless `keycloak.database.provider` is overridden) you also need to adjust the following parameters.
+
+[source,yaml,subs="attributes+"]
+----
+parameters:
+ keycloak:
+ helm_values:
+ postgresql:
+ securityContext:
+ enabled: false
+ volumePermissions:
+ securityContext:
+ runAsUser: auto
+ shmVolume:
+ chmod:
+ enabled: false
+----
diff --git a/docs/modules/ROOT/partials/nav.adoc b/docs/modules/ROOT/partials/nav.adoc
index 8c621d9f..bdb7db8d 100644
--- a/docs/modules/ROOT/partials/nav.adoc
+++ b/docs/modules/ROOT/partials/nav.adoc
@@ -14,6 +14,7 @@
 * xref:how-tos/upgrade-1.x-to-2.x.adoc[Upgrade 1.x to 2.x]
 * xref:how-tos/upgrade-2.x-to-3.x.adoc[Upgrade 2.x to 3.x]
 * xref:how-tos/upgrade-3.x-to-4.x.adoc[Upgrade 3.x to 4.x]
+* xref:how-tos/openshift-4.adoc[Install on OpenShift 4]
 * xref:how-tos/pin-versions.adoc[Pin versions]
 
 .Explanations
From 3fefbb731bcaf125305f5314ed4a5c719a7356b6 Mon Sep 17 00:00:00 2001
From: Chris
Date: Fri, 6 Aug 2021 10:14:33 +0200
Subject: [PATCH 2/3] Ignore diff in ServiceAccount for image pull secrets

OpenShift adds image pull secrets but that won't sync in ArgoCD.
---
 component/app.jsonnet | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/component/app.jsonnet b/component/app.jsonnet
index 173994a4..9fb243aa 100644
--- a/component/app.jsonnet
+++ b/component/app.jsonnet
@@ -4,7 +4,19 @@ local params = inv.parameters.keycloak;
 local argocd = import 'lib/argocd.libjsonnet';
 local instance = inv.parameters._instance;
 
-local app = argocd.App(instance, params.namespace);
+local app = argocd.App(instance, params.namespace) {
+ spec+: {
+ ignoreDifferences+: [
+ {
+ group: '',
+ kind: 'ServiceAccount',
+ jsonPointers: [
+ '/imagePullSecrets',
+ ],
+ },
+ ],
+ },
+};
 
 {
 [instance]: app,

From cb286c744356356f0f27524fe61f5f47f268f217 Mon Sep 17 00:00:00 2001
From: Chris
Date: Fri, 6 Aug 2021 14:50:20 +0200
Subject: [PATCH 3/3] OCP4: Use edge termination

---
 docs/modules/ROOT/pages/how-tos/openshift-4.adoc | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/docs/modules/ROOT/pages/how-tos/openshift-4.adoc b/docs/modules/ROOT/pages/how-tos/openshift-4.adoc
index 502c1a10..c1049844 100644
--- a/docs/modules/ROOT/pages/how-tos/openshift-4.adoc
+++ b/docs/modules/ROOT/pages/how-tos/openshift-4.adoc
@@ -10,12 +10,15 @@ You need to disable some security context fields, as OpenShift sets those automa
 ----
 parameters:
 keycloak:
+ ingress:
+ servicePort: http <1>
 helm_values:
 podSecurityContext: null
 securityContext: null
 pgchecker:
 securityContext: null
 ----
+<1> It's not possible to use the `reencrypt` termination if using Ingress with a self-signed destination certificate.
 
 == Parameters for built-in Postgresql database
 
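Review bot: The `ignoreDifferences` entry added in `component/app.jsonnet` has no `name` or `namespace`, so it matches every ServiceAccount in the application, and it is added unconditionally rather than only for OpenShift targets. As a result, any change to `/imagePullSecrets` on those ServiceAccounts, whoever made it, will no longer show up as out-of-sync in ArgoCD. If the affected ServiceAccounts are known, narrow the entry with the `name` (and `namespace`) fields that `ignoreDifferences` accepts. Either way, record the reason next to the entry, for example `// OpenShift injects image pull secrets into ServiceAccounts; ignored so the app can reach Synced`. The rest of the file lies outside the hunk, so whether the chart sets its own `imagePullSecrets` cannot be confirmed from here.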