diff --git a/.tool-versions b/.tool-versions
index 06c7839c..4e01de80 100644
--- a/.tool-versions
+++ b/.tool-versions
@@ -1,6 +1,7 @@
nodejs 14.14.0
python 3.8.6
kubectl 1.18.0
+oc 4.7.5
helm 3.2.4
yarn 1.22.4
k6 0.34.1
diff --git a/helm/keycloak/Chart.yaml b/helm/keycloak/Chart.yaml
index b0c73726..4c610249 100644
--- a/helm/keycloak/Chart.yaml
+++ b/helm/keycloak/Chart.yaml
@@ -1,5 +1,5 @@
apiVersion: v1
name: sso-keycloak
-version: 0.1.6
+version: 0.1.7
appVersion: 0.1.0
description: Open Source Identity and Access Management For Modern Applications and Services
diff --git a/helm/keycloak/README.md b/helm/keycloak/README.md
index 1201775c..6a62fe3d 100644
--- a/helm/keycloak/README.md
+++ b/helm/keycloak/README.md
@@ -1,70 +1,74 @@ -# Keycloak Helm Chart +# SSO Keycloak Helm Chart -The helm chart installs `Secret` k8s objects with the release name `sso-keycloak`. +The `SSO Keycloak Helm Chart` provides a easy way to deploy (RedHat SSO)[https://access.redhat.com/products/red-hat-single-sign-on], which is specifically designed for BCGov SSO services, on Openshift. -## Installing the Chart +## Usages -To install the chart on a specific namespace. +### Add this chart repository -```bash -$ make install NAMESPACE= +```console +$ helm repo add sso-keycloak https://bcgov.github.io/sso-keycloak ``` -To upgrade the chart on a specific namespace. +### Install this chart repository -```bash -$ make upgrade NAMESPACE= +```console +$ helm install sso-keycloak/sso-keycloak [--namespace ] [--version ] [--values ./custom-values.yaml] ``` -To uninstall the chart on a specific namespace. +### Upgrade this chart repository -```bash -$ make uninstall NAMESPACE= +```console +$ helm upgrade sso-keycloak/sso-keycloak [--namespace ] [--version ] [--values ./custom-values.yaml] ``` -To lint the chart on a specific namespace. +### Uninstall this chart repository -```bash -$ make lint NAMESPACE= +```console +$ helm uninstall [--namespace ] ``` ## Configuration The following table lists the configurable parameters of the Keycloak chart and their default values. 
-Parameter | Description | Default ---- | --- | --- -`replicaCount` | Number of pods to create | `1` -`image.repository` | container image repository | `ghcr.io/bcgov/sso` -`image.tag` | container image tag | `dev` -`image.pullPolicy` | container image pull policy | `Always` -`nameOverride` | override for the chart name | `sso-keycloak` -`fullNameOverride` | override for the full chart name | `sso-keycloak` -`service.type` | type of service to create | `ClusterIP` -`service.port` | port of service | `8080` -`pingService.enabled` | enable DNS ping | `true` -`pingService.port` | exposed port of ping service | `8888` -`postgres.host` | host of postgres service | `sso-pgsql-master` -`postgres.dbName` | name of database | `rhsso` -`postgres.port` | exposed port of database | `5432` -`postgres.credentials.secret` | name of secret containing database credentials | `sso-pgsql` -`postgres.credentials.adminUsername` | name of admin database user | `postgres` -`postgres.credentials.passwordKey` | Secret key of admin password | `password-superuser` -`postgres.poolSize.min` | Minimum pool size | `5` -`postgres.poolSize.max` | Maximum pool size | `20` -`jgroupsCluster.secret` | Name of secret | `2` -`jgroupsCluster.passwordKey` | Secret key for password | `password` -`additionalServerOptions` | Additional command line options for server | `-Dkeycloak.profile.feature.authorization=enabled -Djboss.persistent.log.dir=/var/log/eap` -`tls.enabled` | Enable tls | `false` -`tls.httpsSecret` | Name of secret for tls cert | `sso-x509-https-secret` -`tls.jgroupsSecret` | Name of secret for jgroups | `sso-x509-jgroups-secret` -`persistentLog.enabled` | Enable persistent logs | `true` -`persistentLog.storageClassName` | Storage class name of volume | `netapp-file-standard` -`persistentLog.path` | Path to save logs | `/var/log/eap` -`resources.limits.memory` | memory limit for pods | `2Gi` -`resources.limits.cpu` | CPU limit for pods | `2` -`resources.requests.cpu` | cpu request for pods | 
`1250m` -`resources.requests.memory` | memory request for pods | `1Gi` -`nodeSelector` | node labels for pod assignment | `{}` -`tolerations` | toleration settings | `[]` -`affinity` | affinity settings | `{}` +| Parameter | Description | Default | +| ------------------------------------ | ---------------------------------------------- | ------------------------------------------------------------------------------------------ | +| `replicaCount` | Number of pods to create | `1` | +| `image.repository` | container image repository | `ghcr.io/bcgov/sso` | +| `image.tag` | container image tag | `dev` | +| `image.pullPolicy` | container image pull policy | `Always` | +| `nameOverride` | override for the chart name | `sso-keycloak` | +| `fullNameOverride` | override for the full chart name | `sso-keycloak` | +| `service.type` | type of service to create | `ClusterIP` | +| `service.port` | port of service | `8080` | +| `pingService.enabled` | enable DNS ping | `true` | +| `pingService.port` | exposed port of ping service | `8888` | +| `postgres.host` | host of postgres service | `sso-pgsql-master` | +| `postgres.dbName` | name of database | `rhsso` | +| `postgres.port` | exposed port of database | `5432` | +| `postgres.credentials.secret` | name of secret containing database credentials | `sso-pgsql` | +| `postgres.credentials.adminUsername` | name of admin database user | `postgres` | +| `postgres.credentials.passwordKey` | Secret key of admin password | `password-superuser` | +| `postgres.poolSize.min` | Minimum pool size | `5` | +| `postgres.poolSize.max` | Maximum pool size | `20` | +| `additionalServerOptions` | Additional command line options for server | `-Dkeycloak.profile.feature.authorization=enabled -Djboss.persistent.log.dir=/var/log/eap` | +| `tls.enabled` | Enable tls | `false` | +| `tls.httpsSecret` | Name of secret for tls cert | `sso-x509-https-secret` | +| `tls.jgroupsSecret` | Name of secret for jgroups | `sso-x509-jgroups-secret` | +| 
`persistentLog.enabled` | Enable persistent logs | `true` | +| `persistentLog.storageClassName` | Storage class name of volume | `netapp-file-standard` | +| `persistentLog.path` | Path to save logs | `/var/log/eap` | +| `resources.limits.memory` | memory limit for pods | `2Gi` | +| `resources.limits.cpu` | CPU limit for pods | `2` | +| `resources.requests.cpu` | cpu request for pods | `1250m` | +| `resources.requests.memory` | memory request for pods | `1Gi` | +| `nodeSelector` | node labels for pod assignment | `{}` | +| `tolerations` | toleration settings | `[]` | +| `affinity` | affinity settings | `{}` | + +### Notes + +- The helm chart installs two `Secret` k8s objects: + 1. `-admin-secret`: it stores the Keycloak admin password. + 1. `-jgroups`: it stores the Keycloak cluster jgroups password. diff --git a/helm/keycloak/templates/deployment.yaml b/helm/keycloak/templates/deployment.yaml index dbf9c466..9541c878 100644 --- a/helm/keycloak/templates/deployment.yaml +++ b/helm/keycloak/templates/deployment.yaml @@ -112,8 +112,8 @@ spec: - name: JGROUPS_CLUSTER_PASSWORD valueFrom: secretKeyRef: - name: {{ .Values.jgroupCluster.secret }} - key: {{ .Values.jgroupCluster.passwordKey }} + name: {{ include "..fullname" . }}-jgroups + key: cluster-password # Additional server startup options (extension of JAVA_OPTS) - name: JAVA_OPTS_APPEND value: {{ .Values.additionalServerOptions }} diff --git a/helm/keycloak/templates/pvc-logs.yaml b/helm/keycloak/templates/pvc-logs.yaml index 4ecb3960..7fa22dc3 100644 --- a/helm/keycloak/templates/pvc-logs.yaml +++ b/helm/keycloak/templates/pvc-logs.yaml @@ -1,4 +1,4 @@ -{{- if .Values.pingService.enabled }} +{{- if .Values.persistentLog.enabled }} apiVersion: v1 kind: PersistentVolumeClaim metadata: diff --git a/helm/keycloak/templates/secret.yaml b/helm/keycloak/templates/secret.yaml index f58ff777..bd0098a5 100644 --- a/helm/keycloak/templates/secret.yaml +++ b/helm/keycloak/templates/secret.yaml 
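Review bot: In the deployment.yaml hunk the new `name: {{ include "..fullname" . }}-jgroups` line makes JGROUPS_CLUSTER_PASSWORD depend on a Secret that secret.yaml creates only as a `helm.sh/hook: pre-install` resource, so a release installed from 0.1.6 and then upgraded to 0.1.7 (which also drops `jgroupCluster.secret` from every values file) would have no such Secret and its pods would fail to start with a missing-secret error. Options are to add `pre-upgrade` to the hook (`"helm.sh/hook": "pre-install,pre-upgrade"`), accepting that `before-hook-creation` would then regenerate the cluster password on each upgrade and mix old and new passwords during the rollout, to make the Secret a regular release-managed resource that reuses an existing value via `lookup`, or to document a one-time manual migration step in the README. I cannot see the rest of deployment.yaml or whether another template creates this Secret on upgrade, so confirm before merging. The same dependency appears in the secret.yaml hunk below.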
@@ -13,3 +13,19 @@ metadata: type: Opaque data: password-admin: {{ randAlphaNum 32 | b64enc | quote }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "..fullname" . }}-jgroups + labels: + app: {{ include "..fullname" . }} + chart: {{ include "..chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + annotations: + "helm.sh/hook": "pre-install" + "helm.sh/hook-delete-policy": "before-hook-creation" +type: Opaque +data: + cluster-password: {{ randAlphaNum 32 | b64enc | quote }} diff --git a/helm/keycloak/values-3d5c3f-dev.yaml b/helm/keycloak/values-3d5c3f-dev.yaml index 8ee1a6e5..0710e067 100644 --- a/helm/keycloak/values-3d5c3f-dev.yaml +++ b/helm/keycloak/values-3d5c3f-dev.yaml @@ -14,9 +14,6 @@ postgres: admin: secret: sso-admin-dev -jgroupCluster: - secret: sso-jgroups-dev - tls: enabled: true diff --git a/helm/keycloak/values-3d5c3f-prod.yaml b/helm/keycloak/values-3d5c3f-prod.yaml index 1bd1f0cc..bbe62e2c 100644 --- a/helm/keycloak/values-3d5c3f-prod.yaml +++ b/helm/keycloak/values-3d5c3f-prod.yaml @@ -14,9 +14,6 @@ postgres: admin: secret: sso-admin-prod -jgroupCluster: - secret: sso-jgroups-prod - tls: enabled: true diff --git a/helm/keycloak/values-3d5c3f-test.yaml b/helm/keycloak/values-3d5c3f-test.yaml index f3ff59c9..83ff0d9e 100644 --- a/helm/keycloak/values-3d5c3f-test.yaml +++ b/helm/keycloak/values-3d5c3f-test.yaml @@ -18,9 +18,6 @@ postgres: adminUsername: postgres passwordKey: password-superuser -jgroupCluster: - secret: sso-jgroups-test - tls: enabled: true diff --git a/helm/keycloak/values-6d70e7-dev.yaml b/helm/keycloak/values-6d70e7-dev.yaml index 12e87620..6d95b987 100644 --- a/helm/keycloak/values-6d70e7-dev.yaml +++ b/helm/keycloak/values-6d70e7-dev.yaml @@ -14,9 +14,6 @@ postgres: admin: secret: sso-admin-dev -jgroupCluster: - secret: sso-jgroups-dev - tls: enabled: true diff --git a/helm/keycloak/values-6d70e7-prod.yaml b/helm/keycloak/values-6d70e7-prod.yaml index e21276c5..5c8aebec 100644 
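Review bot: The new `-jgroups` Secret is annotated `helm.sh/hook: pre-install` with `before-hook-creation`, which makes it a hook resource rather than part of the release: `helm uninstall` leaves it and its generated password behind in the namespace, and every fresh install deletes and regenerates it. Neither property is visible to an operator reading the README Notes added in this commit, which only say the chart installs two `Secret` objects; a comment above the new `---` such as `# Hook-managed: not tracked by the release, survives helm uninstall, regenerated on each install` would record it, and the same remark belongs in the README Notes. If the admin Secret in the context lines above carries the same annotations (its metadata is outside the hunk), the remark applies to both.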
--- a/helm/keycloak/values-6d70e7-prod.yaml +++ b/helm/keycloak/values-6d70e7-prod.yaml @@ -14,9 +14,6 @@ postgres: admin: secret: sso-admin-prod -jgroupCluster: - secret: sso-jgroups-prod - tls: enabled: true diff --git a/helm/keycloak/values-6d70e7-test.yaml b/helm/keycloak/values-6d70e7-test.yaml index a9d9b22b..11d8444a 100644 --- a/helm/keycloak/values-6d70e7-test.yaml +++ b/helm/keycloak/values-6d70e7-test.yaml @@ -14,9 +14,6 @@ postgres: admin: secret: sso-admin-test -jgroupCluster: - secret: sso-jgroups-test - tls: enabled: true diff --git a/helm/keycloak/values-b861c7-test.yaml b/helm/keycloak/values-b861c7-test.yaml new file mode 100644 index 00000000..f6434f90 --- /dev/null +++ b/helm/keycloak/values-b861c7-test.yaml @@ -0,0 +1,24 @@ +replicaCount: 2 + +image: + tag: 7.4-37-rc.2 + +service: + type: ClusterIP + port: 8443 + +postgres: + host: sso-patroni + credentials: + secret: sso-patroni + +tls: + enabled: true + +resources: + limits: + cpu: 2 + memory: 2Gi + requests: + cpu: 1250m + memory: 2Gi diff --git a/helm/keycloak/values.yaml b/helm/keycloak/values.yaml index b0cdfa20..ae87a4bd 100644 --- a/helm/keycloak/values.yaml +++ b/helm/keycloak/values.yaml @@ -32,10 +32,6 @@ postgres: min: 5 max: 20 -jgroupCluster: - secret: sso-jgroups - passwordKey: password - # see https://github.com/keycloak/keycloak-containers/blob/master/server/README.md#start-a-keycloak-instance-with-custom-command-line-options additionalServerOptions: "-Dkeycloak.profile.feature.authorization=enabled -Djboss.persistent.log.dir=/var/log/eap" diff --git a/helm/patroni/Chart.yaml b/helm/patroni/Chart.yaml index 4a464327..43e4ce96 100644 --- a/helm/patroni/Chart.yaml +++ b/helm/patroni/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v1 name: patroni description: "Highly available elephant herd: HA PostgreSQL cluster." -version: 0.16.7 +version: 0.16.8 appVersion: 1.5-p5 home: https://github.com/zalando/patroni sources: 
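Review bot: In the new values-b861c7-test.yaml the `postgres:` stanza sets only `host` and `credentials.secret`, so the connection falls back to the chart defaults listed in the README table, `adminUsername: postgres` and `passwordKey: password-superuser`, and Keycloak would run against the database as the superuser. If the Patroni chart populates the `sso-patroni` Secret with a per-application role as well, overriding `postgres.credentials.adminUsername` and `postgres.credentials.passwordKey` here to that role keeps the SSO database account least-privileged. I cannot see the keys of the `sso-patroni` Secret from this diff, so confirm they match the defaults before relying on them.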
diff --git a/helm/patroni/README.md b/helm/patroni/README.md index 6dd87979..a0980c8b 100644 --- a/helm/patroni/README.md +++ b/helm/patroni/README.md @@ -13,25 +13,35 @@ This chart will do the following: - Implement a HA scalable PostgreSQL 10 cluster using a Kubernetes StatefulSet. -## Installing the Chart +## Usages -To add dependencies: +### Add this chart repository ```console -helm dependency build +$ helm repo add sso-keycloak https://bcgov.github.io/sso-keycloak +$ helm dependency update ``` -To install the chart with the release name `patroni`: +### Install this chart repository ```console -$ helm install patroni . -n +$ helm install sso-keycloak/patroni [--namespace ] [--version ] [--values ./custom-values.yaml] + +# To install the chart with randomly generated passwords: +$ helm install patroni . \ + --set credentials.superuser="$(< /dev/urandom tr -dc _A-Z-a-z-0-9 | head -c32)",credentials.admin="$(< /dev/urandom tr -dc _A-Z-a-z-0-9 | head -c32)",credentials.standby="$(< /dev/urandom tr -dc _A-Z-a-z-0-9 | head -c32)" ``` -To install the chart with randomly generated passwords: +### Upgrade this chart repository ```console -$ helm install patroni . \ - --set credentials.superuser="$(< /dev/urandom tr -dc _A-Z-a-z-0-9 | head -c32)",credentials.admin="$(< /dev/urandom tr -dc _A-Z-a-z-0-9 | head -c32)",credentials.standby="$(< /dev/urandom tr -dc _A-Z-a-z-0-9 | head -c32)" +$ helm upgrade sso-keycloak/patroni [--namespace ] [--version ] [--values ./custom-values.yaml] +``` + +### Uninstall this chart repository + +```console +$ helm uninstall [--namespace ] ``` ## Configuration 
@@ -46,6 +56,7 @@ The following table lists the configurable parameters of the patroni chart and t | `image.repository` | The image to pull | `registry.opensource.zalan.do/acid/spilo-10` | | `image.tag` | The version of the image to pull | `1.5-p5` | | `image.pullPolicy` | The pull policy | `IfNotPresent` | +| `credentials.random` | Using passwords created randomly | `true` | | `credentials.superuser` | Password of the superuser | `tea` | | `credentials.admin` | Password of the admin | `cola` | | `credentials.standby` | Password of the replication user | `pinacolada` | @@ -88,17 +99,9 @@ The following table lists the configurable parameters of the patroni chart and t Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. -Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example, - -```console -$ helm install --name my-release -f values.yaml incubator/patroni -``` - -> **Tip**: You can use the default [values.yaml](values.yaml) - ## Cleanup -To remove the spawned pods you can run a simple `helm delete `. +To remove the spawned pods you can run a simple `helm uninstall [--namespace ]`. Helm will however preserve created persistent volume claims and configmaps, to also remove them execute the commands below. @@ -110,8 +113,6 @@ $ kubectl delete pvc -l release=$release $ kubectl delete configmaps -l release=$release ``` - - ## Internals Patroni is responsible for electing a PostgreSQL master pod by leveraging the diff --git a/helm/patroni/requirements.lock b/helm/patroni/requirements.lock index 45227977..08bc425f 100644 --- a/helm/patroni/requirements.lock +++ b/helm/patroni/requirements.lock 
@@ -8,5 +8,5 @@ dependencies: - name: consul repository: https://charts.helm.sh/stable version: 3.6.1 -digest: sha256:1d1ed086586703e7cdc528c6d44e5c03f68f3f4fddfc713e50898eff18dc5acf -generated: "2020-10-30T00:42:58.035153-04:00" +digest: sha256:f9ef1101460c219c9cef3c44b360d1c9d4b206f56eaa95fae98f95ca76a92781 +generated: "2021-12-15T11:37:39.9090521-08:00" diff --git a/helm/patroni/templates/ep-patroni.yaml b/helm/patroni/templates/ep-patroni.yaml deleted file mode 100644 index a218f53d..00000000 --- a/helm/patroni/templates/ep-patroni.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: v1 -kind: Endpoints -metadata: - name: {{ template "patroni.fullname" . }} - labels: - app: {{ template "patroni.fullname" . }} - chart: {{ template "patroni.chart" . }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -subsets: [] diff --git a/helm/patroni/values-sso-patroni.yaml b/helm/patroni/values-sso-patroni.yaml new file mode 100644 index 00000000..ead1fbb8 --- /dev/null +++ b/helm/patroni/values-sso-patroni.yaml @@ -0,0 +1,26 @@ +replicaCount: 2 + +image: + repository: gcr.io/ggl-cas-storage/cas-postgres + pullPolicy: Always + tag: "0.2.1" + +nameOverride: sso-patroni +fullnameOverride: sso-patroni + +env: + ALLOW_NOSSL: "true" + +resources: {} +persistentVolume: + storageClass: netapp-block-standard + size: 10Gi +# As per https://patroni.readthedocs.io/en/latest/kubernetes.html#use-configmaps +# "in some cases, for instance, when running on OpenShift, there is no alternative to using ConfigMaps." +kubernetes: + dcs: + enable: true + configmaps: + enable: true +walE: + enable: false diff --git a/helm/patroni/values.yaml b/helm/patroni/values.yaml index 3278db16..3cd7d119 100644 --- a/helm/patroni/values.yaml +++ b/helm/patroni/values.yaml 
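Review bot: In the new values-sso-patroni.yaml, `ALLOW_NOSSL: "true"` under `env:` turns off the default SSL requirement (as the accompanying values.yaml comment states), so Keycloak-to-database traffic can be plaintext unless the JDBC side insists on TLS; the file explains the ConfigMap choice with a comment but not this one. A comment above `env:` such as `# Allows non-TLS client connections; needed because <reason - TODO confirm>` would record why it is acceptable here, and if the reason is only certificate trust on the Keycloak side, that deserves a tracking issue. Separately, `repository: gcr.io/ggl-cas-storage/cas-postgres` with `tag: "0.2.1"` and `pullPolicy: Always` re-resolves a mutable tag from a third-party registry on every pod start; pinning by digest if the chart's image template allows it, or mirroring the image into the project's own registry, makes the database image reproducible and reviewable.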
@@ -49,6 +49,10 @@ consul: # Extra custom environment variables. env: {} +# In order to turn off default SSL mode, set ALLOW_NOSSL `true` +# env: +# - ALLOW_NOSSL: 'true' + walE: # Specifies whether Wal-E should be enabled enable: false @@ -113,7 +117,6 @@ affinityTemplate: | app: {{ template "patroni.name" . }} release: {{ .Release.Name | quote }} affinity: {} - ## Use an alternate scheduler, e.g. "stork". ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ ##
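Review bot: The commented example in the first hunk shows `env` as a sequence (`# - ALLOW_NOSSL: 'true'`), but the key it documents is declared as a mapping (`env: {}`) and the new values-sso-patroni.yaml also sets it as a mapping, so anyone copying the example gets a list where the template expects a map. Replace the example lines with `# env:` and `#   ALLOW_NOSSL: "true"`, and reword the lead-in to `# To turn off the default SSL requirement, set ALLOW_NOSSL to "true":`. I cannot see the template that consumes `.Values.env`, so if it accepts either shape this is only a consistency nit.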