Merge pull request #168 from projectsyn/fix-openshift-db-security

Fix using the built-in DB with OpenShift

.cruft.json

@@ -7,7 +7,7 @@
       "name": "keycloak",
       "slug": "keycloak",
       "parameter_key": "keycloak",
-      "test_cases": "builtin external openshift",
+      "test_cases": "builtin external openshift openshift-postgres",
       "add_lib": "n",
       "add_pp": "y",
       "add_golden": "y",

docs/modules/ROOT/pages/how-tos/openshift-4.adoc

@@ -30,7 +30,7 @@ parameters:
         securityContext: null
 ----
 
-== Parameters for built-in Postgresql database
+== Parameters for built-in Postgresql database on OpenShift 4.11 and higher
 
 If you are using the built-in database provider (by default unless `keycloak.database.provider` is overridden) you also need to adjust the following parameters.
 
@@ -39,14 +39,44 @@ If you are using the built-in database provider (by default unless `keycloak.dat
 parameters:
   keycloak:
     postgresql_helm_values:
-      securityContext:
+      primary:
+        podSecurityContext:
+          enabled: true
+          fsGroup: null
+          seccompProfile:
+            type: RuntimeDefault
+        containerSecurityContext:
+          enabled: true
+          runAsUser: null
+          allowPrivilegeEscalation: false
+          runAsNonRoot: true
+          seccompProfile:
+            type: RuntimeDefault
+          capabilities:
+            drop:
+              - ALL
+      volumePermissions:
         enabled: false
-      containerSecurityContext:
+      shmVolume:
         enabled: false
+----
+
+== Parameters for built-in Postgresql database up to OpenShift 4.10
+
+If you are using the built-in database provider (by default unless `keycloak.database.provider` is overridden) you also need to adjust the following parameters.
+
+[source,yaml,subs="attributes+"]
+----
+parameters:
+  keycloak:
+    postgresql_helm_values:
+      primary:
+        podSecurityContext:
+          enabled: false
+        containerSecurityContext:
+          enabled: false
       volumePermissions:
-        securityContext:
-          runAsUser: auto
+        enabled: false
       shmVolume:
-        chmod:
-          enabled: false
+        enabled: false
 ----

docs/modules/ROOT/pages/how-tos/upgrade-9.x-to-10.x.adoc

@@ -7,6 +7,10 @@ This guide describes the steps to perform an upgrade of the component from versi
 * `charts.keycloakx` changed from `1.3.2` to `1.6.0`, the Keycloak image is updated from `17.0.2` to `18.0.2`.
 * `charts.postgresql` changed from `10.16.2` to `11.6.15`, the Postgresql version remains the same version `11.14.0-debian-10-r28`.
 * `postgresql_helm_values` authentication parameters have been moved to `postgresql_helm_values.auth` reflecting the https://docs.bitnami.com/kubernetes/infrastructure/postgresql/administration/upgrade/#to-1100[Helm chart upgrade] to 11.
+* `postgresql_helm_values.securityContext.enabled` changed to `postgresql_helm_values.primary.securityContext.enabled`.
+* `postgresql_helm_values.containerSecurityContext.enabled` changed to `postgresql_helm_values.primary.containerSecurityContext.enabled`.
+* `postgresql_helm_values.volumePermissions.securityContext.runAsUser` has no direct equivalent and therefore the volume permissions setup has to be disabled entirely by setting `postgresql_helm_values.volumePermissions.enabled` to `false`.
+* `postgresql_helm_values.shmVolume.chmod.enabled` has no direct equivalent and therefore the shared volume setup has to be disabled entirely by setting `postgresql_helm_values.shmVolume.enabled` to `false`.
 
 If you've configured custom values for any of those parameters, make sure to adjust your configurations when upgrading from component version v9 to v10.
 

tests/golden/openshift-postgres/openshift-postgres/apps/openshift-postgres.yaml

@@ -0,0 +1,6 @@
+spec:
+  ignoreDifferences:
+    - group: ''
+      jsonPointers:
+        - /imagePullSecrets
+      kind: ServiceAccount

tests/golden/openshift-postgres/openshift-postgres/openshift-postgres/00_namespace.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  annotations: {}
+  labels:
+    SYNMonitoring: main
+    name: syn-openshift-postgres
+  name: syn-openshift-postgres

tests/golden/openshift-postgres/openshift-postgres/openshift-postgres/01_keycloak_helmchart/keycloakx/templates/ingress.yaml

@@ -0,0 +1,32 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-production
+    nginx.ingress.kubernetes.io/backend-protocol: HTTPS
+    route.openshift.io/termination: reencrypt
+  labels:
+    app.kubernetes.io/component: keycloak
+    app.kubernetes.io/instance: openshift-postgres
+    app.kubernetes.io/managed-by: commodore
+    app.kubernetes.io/name: keycloak
+    app.kubernetes.io/version: 18.0.2
+    helm.sh/chart: keycloakx-1.6.0
+  name: keycloakx
+  namespace: syn-openshift-postgres
+spec:
+  rules:
+    - host: keycloak.example.com
+      http:
+        paths:
+          - backend:
+              service:
+                name: keycloakx-http
+                port:
+                  name: https
+            path: /
+            pathType: Prefix
+  tls:
+    - hosts:
+        - keycloak.example.com
+      secretName: ingress-tls

tests/golden/openshift-postgres/openshift-postgres/openshift-postgres/01_keycloak_helmchart/keycloakx/templates/prometheusrule.yaml

@@ -0,0 +1,16 @@
+apiVersion: monitoring.coreos.com/v1
+kind: PrometheusRule
+metadata:
+  labels:
+    app.kubernetes.io/component: keycloak
+    app.kubernetes.io/instance: openshift-postgres
+    app.kubernetes.io/managed-by: commodore
+    app.kubernetes.io/name: keycloak
+    app.kubernetes.io/version: 18.0.2
+    helm.sh/chart: keycloakx-1.6.0
+  name: keycloakx
+  namespace: syn-openshift-postgres
+spec:
+  groups:
+    - name: keycloakx
+      rules: []

tests/golden/openshift-postgres/openshift-postgres/openshift-postgres/01_keycloak_helmchart/keycloakx/templates/service-headless.yaml

@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/component: headless
+    app.kubernetes.io/instance: keycloakx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: keycloakx
+    app.kubernetes.io/version: 18.0.2
+    helm.sh/chart: keycloakx-1.6.0
+  name: keycloakx-headless
+  namespace: syn-openshift-postgres
+spec:
+  clusterIP: None
+  ports:
+    - name: http
+      port: 8080
+      protocol: TCP
+      targetPort: http
+  selector:
+    app.kubernetes.io/instance: keycloakx
+    app.kubernetes.io/name: keycloakx
+  type: ClusterIP

tests/golden/openshift-postgres/openshift-postgres/openshift-postgres/01_keycloak_helmchart/keycloakx/templates/service-http.yaml

@@ -0,0 +1,26 @@
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/component: http
+    app.kubernetes.io/instance: openshift-postgres
+    app.kubernetes.io/managed-by: commodore
+    app.kubernetes.io/name: keycloak
+    app.kubernetes.io/version: 18.0.2
+    helm.sh/chart: keycloakx-1.6.0
+  name: keycloakx-http
+  namespace: syn-openshift-postgres
+spec:
+  ports:
+    - name: http
+      port: 8080
+      protocol: TCP
+      targetPort: http
+    - name: https
+      port: 8443
+      protocol: TCP
+      targetPort: https
+  selector:
+    app.kubernetes.io/instance: keycloakx
+    app.kubernetes.io/name: keycloakx
+  type: ClusterIP

tests/golden/openshift-postgres/openshift-postgres/openshift-postgres/01_keycloak_helmchart/keycloakx/templates/serviceaccount.yaml

@@ -0,0 +1,14 @@
+apiVersion: v1
+automountServiceAccountToken: true
+imagePullSecrets: []
+kind: ServiceAccount
+metadata:
+  labels:
+    app.kubernetes.io/component: keycloak
+    app.kubernetes.io/instance: openshift-postgres
+    app.kubernetes.io/managed-by: commodore
+    app.kubernetes.io/name: keycloak
+    app.kubernetes.io/version: 18.0.2
+    helm.sh/chart: keycloakx-1.6.0
+  name: keycloakx
+  namespace: syn-openshift-postgres

tests/golden/openshift-postgres/openshift-postgres/openshift-postgres/01_keycloak_helmchart/keycloakx/templates/servicemonitor.yaml

@@ -0,0 +1,23 @@
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  labels:
+    app.kubernetes.io/component: keycloak
+    app.kubernetes.io/instance: openshift-postgres
+    app.kubernetes.io/managed-by: commodore
+    app.kubernetes.io/name: keycloak
+    app.kubernetes.io/version: 18.0.2
+    helm.sh/chart: keycloakx-1.6.0
+  name: keycloakx-keycloakx
+  namespace: syn-openshift-postgres
+spec:
+  endpoints:
+    - interval: 10s
+      path: /auth/metrics
+      port: http
+      scrapeTimeout: 10s
+  selector:
+    matchLabels:
+      app.kubernetes.io/component: http
+      app.kubernetes.io/instance: keycloakx
+      app.kubernetes.io/name: keycloakx