feat: update keycloak operator config

templates/_helpers.tpl

@@ -102,6 +102,18 @@
     {{ end }}
 {{- end -}}
 
+{{- define "app.oidc.client.secret.name" -}}
+    {{ template "app.fullname" $ }}-kc-client-config
+{{- end -}}
+
+{{- define "app.oidc.client.password" -}}
+    {{- if .Values.operator.keycloak.client.password -}}
+      {{- .Values.operator.keycloak.client.password -}}
+    {{- else -}}
+      {{ include "app.fullname" $ | replace "-" "_" }}
+    {{- end -}}
+{{- end -}}
+
 {{- define "app.labels.common" -}}
 version: {{ .Values.version | default .Values.image.tag | quote }}
 helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}

templates/deployment.yaml

@@ -108,6 +108,18 @@ spec:
                 name: {{ template "app.fullname" $ }}-db-config
                 key: password
           {{- end }}
+          {{- if .Values.operator.keycloak.client.enabled }}
+          - name: {{ .Values.template.oidc_client_id }}
+            valueFrom:
+              secretKeyRef:
+                name: {{ include "app.oidc.client.secret.name" $ }}
+                key: clientId 
+          - name: {{ .Values.template.oidc_client_credential }}
+            valueFrom:
+              secretKeyRef:
+                name: {{ include "app.oidc.client.secret.name" $ }}
+                key: secret
+          {{- end }}
           {{- $envVals := .Values.global.env -}}
           {{- if (.Values.env) }}
           {{- $envVals = merge .Values.env $envVals -}}

templates/operator-keycloak-client.yaml

@@ -1,4 +1,4 @@
-{{ if .Values.operator.keycloak_client.enabled }}
+{{ if .Values.operator.keycloak.client.enabled }}
 apiVersion: onecx.tkit.org/v1
 kind: KeycloakClient
 metadata:
@@ -7,26 +7,25 @@ metadata:
     app: {{ include "app.fullname" . }}
 {{ include "app.labels.common" $ | indent 4 }}    
 spec:
-  realm: {{ .Values.operator.keycloak_client.spec.realm }} 
-  type: {{ .Values.operator.keycloak_client.spec.type }} 
-  passwordSecrets: {{ .Values.operator.keycloak_client.spec.passwordSecrets }} 
-  passwordKey: {{ .Values.operator.keycloak_client.spec.passwordKey }} 
+  realm: {{ .Values.operator.keycloak.client.spec.realm }} 
+  type: {{ .Values.operator.keycloak.client.spec.type }} 
+  passwordSecrets: {{ .Values.operator.keycloak.client.spec.passwordSecrets | default (include "app.oidc.client.secret.name" .) }} 
+  passwordKey: {{ .Values.operator.keycloak.client.spec.passwordKey | default "secret" }} 
   kcConfig:
-    clientId: {{ .Values.operator.keycloak_client.spec.kcConfig.clientId | default (include "app.fullname" .) }}
-    description: {{ .Values.operator.keycloak_client.spec.kcConfig.description }}
-    enabled: {{ .Values.operator.keycloak_client.spec.kcConfig.enabled }}
-    clientAuthenticatorType: {{ .Values.operator.keycloak_client.spec.kcConfig.clientAuthenticatorType }}
-    password: {{ .Values.operator.keycloak_client.spec.kcConfig.password }}
-    redirectUris: {{ if .Values.operator.keycloak_client.spec.kcConfig.redirectUris }}{{ .Values.operator.keycloak_client.spec.kcConfig.redirectUris | toYaml | nindent 4 }}{{- end }}  
-    webOrigins: {{ if .Values.operator.keycloak_client.spec.kcConfig.webOrigins }}{{ .Values.operator.keycloak_client.spec.kcConfig.webOrigins | toYaml | nindent 4 }}{{- end }}  
-    bearerOnly: {{ .Values.operator.keycloak_client.spec.kcConfig.bearerOnly }}
-    standardFlowEnabled: {{ .Values.operator.keycloak_client.spec.kcConfig.standardFlowEnabled }}
-    implicitFlowEnabled: {{ .Values.operator.keycloak_client.spec.kcConfig.implicitFlowEnabled }}
-    directAccessGrantsEnabled: {{ .Values.operator.keycloak_client.spec.kcConfig.directAccessGrantsEnabled }}
-    serviceAccountsEnabled: {{ .Values.operator.keycloak_client.spec.kcConfig.serviceAccountsEnabled }}
-    publicClient: {{ .Values.operator.keycloak_client.spec.kcConfig.publicClient }}
-    protocol: {{ .Values.operator.keycloak_client.spec.kcConfig.protocol }}
-    defaultClientScopes: {{ if .Values.operator.keycloak_client.spec.kcConfig.defaultClientScopes }}{{ .Values.operator.keycloak_client.spec.kcConfig.defaultClientScopes | toYaml | nindent 4 }}{{- end }}  
-    optionalClientScopes: {{ if .Values.operator.keycloak_client.spec.kcConfig.optionalClientScopes }}{{ .Values.operator.keycloak_client.spec.kcConfig.optionalClientScopes | toYaml | nindent 4 }}{{- end }}  
-    attributes: {{ if .Values.operator.keycloak_client.spec.kcConfig.attributes }}{{ .Values.operator.keycloak_client.spec.kcConfig.attributes | toYaml | nindent 6 }}{{- end }}  
+    clientId: {{ .Values.operator.keycloak.client.spec.kcConfig.clientId | default (include "app.fullname" .) }}
+    description: {{ .Values.operator.keycloak.client.spec.kcConfig.description }}
+    enabled: {{ .Values.operator.keycloak.client.spec.kcConfig.enabled }}
+    clientAuthenticatorType: {{ .Values.operator.keycloak.client.spec.kcConfig.clientAuthenticatorType }}
+    redirectUris: {{ if .Values.operator.keycloak.client.spec.kcConfig.redirectUris }}{{ .Values.operator.keycloak.client.spec.kcConfig.redirectUris | toYaml | nindent 4 }}{{- end }}  
+    webOrigins: {{ if .Values.operator.keycloak.client.spec.kcConfig.webOrigins }}{{ .Values.operator.keycloak.client.spec.kcConfig.webOrigins | toYaml | nindent 4 }}{{- end }}  
+    bearerOnly: {{ .Values.operator.keycloak.client.spec.kcConfig.bearerOnly }}
+    standardFlowEnabled: {{ .Values.operator.keycloak.client.spec.kcConfig.standardFlowEnabled }}
+    implicitFlowEnabled: {{ .Values.operator.keycloak.client.spec.kcConfig.implicitFlowEnabled }}
+    directAccessGrantsEnabled: {{ .Values.operator.keycloak.client.spec.kcConfig.directAccessGrantsEnabled }}
+    serviceAccountsEnabled: {{ .Values.operator.keycloak.client.spec.kcConfig.serviceAccountsEnabled }}
+    publicClient: {{ .Values.operator.keycloak.client.spec.kcConfig.publicClient }}
+    protocol: {{ .Values.operator.keycloak.client.spec.kcConfig.protocol }}
+    defaultClientScopes: {{ if .Values.operator.keycloak.client.spec.kcConfig.defaultClientScopes }}{{ .Values.operator.keycloak.client.spec.kcConfig.defaultClientScopes | toYaml | nindent 4 }}{{- end }}  
+    optionalClientScopes: {{ if .Values.operator.keycloak.client.spec.kcConfig.optionalClientScopes }}{{ .Values.operator.keycloak.client.spec.kcConfig.optionalClientScopes | toYaml | nindent 4 }}{{- end }}  
+    attributes: {{ if .Values.operator.keycloak.client.spec.kcConfig.attributes }}{{ .Values.operator.keycloak.client.spec.kcConfig.attributes | toYaml | nindent 6 }}{{- end }}  
 {{- end }}

templates/secret-keycloak-client.yaml

@@ -0,0 +1,13 @@
+{{- if .Values.operator.keycloak.client.enabled }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "app.oidc.client.secret.name" $ }}
+  labels:
+    app: {{ template "app.fullname" $ }}
+{{ include "app.labels.common" $ | indent 4 }}    
+type: Opaque
+stringData:
+  clientId: {{ .Values.operator.keycloak.client.spec.kcConfig.clientId | default (include "app.fullname" .) }}
+  secret: {{ include "app.oidc.client.password" $ }}
+{{- end }}

tests/oidc-client.yaml

@@ -0,0 +1,4 @@
+operator:
+  keycloak:
+    client:
+      enabled: true

values.yaml

@@ -55,6 +55,8 @@ template:
   db_property_url: "_PROD_QUARKUS_DATASOURCE_JDBC_URL"
   db_property_username: "_PROD_QUARKUS_DATASOURCE_USERNAME"
   db_property_password: "_PROD_QUARKUS_DATASOURCE_PASSWORD"
+  oidc_client_credential: "_PROD_QUARKUS_OIDC_CLIENT_CREDENTIALS_SECRET"
+  oidc_client_id: "_PROD_QUARKUS_OIDC_CLIENT_CLIENT_ID"
 
 # node selector for the pods
 nodeSelector:
@@ -189,19 +191,6 @@ operator:
       # schema
       schema: public
 
-  # Keycloak operator
-  keycloak:
-    # enabled or disable config for operator
-    enabled: false
-    # keycloak realm
-    realm: master
-    # path to the client JSON file
-    client:
-    # path to the roles JSON file
-    roles:
-    # path to the realms JSON file
-    realms:
-
   # microfrontend
   microfrontend:
     # enable or disable configuration for operator
@@ -238,56 +227,58 @@ operator:
       # default deployment name (release_name-name)
       appName:
 
-  # Keycloak client operator
-  keycloak_client:
-    # enabled or disable config for operator
-    enabled: false
-    # definition
-    spec:
-      # keycloak realm where the client has to be created
-      realm:
-      # type of client. Current possibilities [ ui | machine ]
-      type:
-      # Name of Secret where the password is stored (alternative is to set kcConfig.password)
-      passwordSecrets:
-      # Key used in secret where password is stored
-      passwordKey:
-      # Configuration for the keycloak client
-      kcConfig:
-        # default deployment name (release_name-name)
-        clientId:
-        # description for the client
-        description:
-        # flag to enable/disable client in keycloak
-        enabled:
-        # client authenticator type (client-secret)
-        clientAuthenticatorType:
-        # Password to be set for the client (for ui client it can be empty)
-        password:
-        # Redirect uris (used for the ui client). List of Strings
-        redirectUris: []
-        # Web origins (user for the ui client). List of Strings
-        webOrigins: []
-        # Bearer only flag
-        bearerOnly:
-        # Standard flow enabled flag
-        standardFlowEnabled:
-        # Implicit flow enabled flag
-        implicitFlowEnabled:
-        # Direct access grants enable flag
-        directAccessGrantsEnabled:
-        # Service accounts enabled flag
-        serviceAccountsEnabled:
-        # Public client flag
-        publicClient:
-        # Protocol (openid-connect)
-        protocol:
-        # List of string scopes to be added as default
-        defaultClientScopes: []
-        # List of string scopes to be added as optional
-        optionalClientScopes: []
-        # Map of custom attributes
-        attributes:
-          #key1: value1
-          #key2: value2
+  # Keycloak operator
+  keycloak:
+    # Keycloak client operator
+    client:
+      # enabled or disable config for operator
+      enabled: false
+      # Set password for secret of default name of app
+      password:
+      # definition
+      spec:
+        # keycloak realm where the client has to be created
+        realm:
+        # type of client. Current possibilities [ ui | machine ]
+        type: machine
+        # Name of Secret where the password is stored (alternative is to set kcConfig.password)
+        passwordSecrets:
+        # Key used in secret where password is stored
+        passwordKey:
+        # Configuration for the keycloak client
+        kcConfig:
+          # default deployment name (release_name-name)
+          clientId:
+          # description for the client
+          description:
+          # flag to enable/disable client in keycloak
+          enabled:
+          # client authenticator type (client-secret)
+          clientAuthenticatorType:
+          # Redirect uris (used for the ui client). List of Strings
+          redirectUris: []
+          # Web origins (user for the ui client). List of Strings
+          webOrigins: []
+          # Bearer only flag
+          bearerOnly:
+          # Standard flow enabled flag
+          standardFlowEnabled:
+          # Implicit flow enabled flag
+          implicitFlowEnabled:
+          # Direct access grants enable flag
+          directAccessGrantsEnabled:
+          # Service accounts enabled flag
+          serviceAccountsEnabled:
+          # Public client flag
+          publicClient:
+          # Protocol (openid-connect)
+          protocol:
+          # List of string scopes to be added as default
+          defaultClientScopes: []
+          # List of string scopes to be added as optional
+          optionalClientScopes: []
+          # Map of custom attributes
+          attributes:
+            #key1: value1
+            #key2: value2