Merge branch 'master' into cert-manager.io-v1

projectsyn · Aug 26, 2021 · e5ecb54 · e5ecb54
2 parents 75bf000 + 2091bca
commit e5ecb54
Show file tree

Hide file tree

Showing 15 changed files with 191 additions and 18 deletions.
diff --git a/Makefile b/Makefile
@@ -53,7 +53,7 @@ docs-serve: ## Preview the documentation
 	$(COMMODORE_CMD)
 
 .PHONY: test
-test: commodore_args = -f tests/$(instance).yml --search-paths ./dependencies
+test: commodore_args = -f tests/$(instance).yml --search-paths ./dependencies --alias $(instance)
 test: .compile ## Compile the component
 
 .PHONY: clean

diff --git a/class/keycloak.yml b/class/keycloak.yml
@@ -15,6 +15,10 @@ parameters:
           - keycloak/component/main.jsonnet
         input_type: jsonnet
         output_path: ${_instance}
+      - input_paths:
+          - keycloak/component/prometheus-netpol.jsonnet
+        input_type: jsonnet
+        output_path: ${_instance}
       - output_path: ${_instance}/01_keycloak_helmchart
         input_type: helm
         output_type: yaml
@@ -24,3 +28,10 @@ parameters:
           release_name: ${keycloak:release_name}
           namespace: '${keycloak:namespace}'
         helm_values: ${keycloak:helm_values}
+  commodore:
+    postprocess:
+      filters:
+        - type: jsonnet
+          filter: postprocess/api_version.jsonnet
+          path: ${_instance}/01_keycloak_helmchart/keycloak/charts/postgresql/templates
+          enabled: "${keycloak:helm_values:postgresql:enabled}"
diff --git a/component/app.jsonnet b/component/app.jsonnet
@@ -4,7 +4,19 @@ local params = inv.parameters.keycloak;
 local argocd = import 'lib/argocd.libjsonnet';
 local instance = inv.parameters._instance;
 
-local app = argocd.App(instance, params.namespace);
+local app = argocd.App(instance, params.namespace) {
+  spec+: {
+    ignoreDifferences+: [
+      {
+        group: '',
+        kind: 'ServiceAccount',
+        jsonPointers: [
+          '/imagePullSecrets',
+        ],
+      },
+    ],
+  },
+};
 
 {
   [instance]: app,

diff --git a/component/main.jsonnet b/component/main.jsonnet
@@ -7,7 +7,13 @@ local inv = kap.inventory();
 // The hiera parameters for the component
 local params = inv.parameters.keycloak;
 
-local namespace = kube.Namespace(params.namespace);
+local namespace = kube.Namespace(params.namespace) {
+  metadata+: {
+    labels+: {
+      SYNMonitoring: 'main',
+    },
+  },
+};
 
 local admin_secret = kube.Secret(params.admin.secretname) {
   metadata+: {

diff --git a/component/prometheus-netpol.jsonnet b/component/prometheus-netpol.jsonnet
@@ -0,0 +1,59 @@
+local kap = import 'lib/kapitan.libjsonnet';
+local kube = import 'lib/kube.libjsonnet';
+local inv = kap.inventory();
+local params = inv.parameters.keycloak;
+
+local prometheus_namespace =
+  if std.objectHas(inv.parameters, 'rancher_monitoring') then
+    inv.parameters.rancher_monitoring.namespace
+  else
+    'syn-synsights';
+local prometheus_name = 'prometheus';
+
+local keycloak_namespace = params.namespace;
+local keycloak_name = params.release_name;
+
+local name = prometheus_name + '-' + prometheus_namespace + '-to-' + keycloak_name;
+
+local netpol =
+  kube.NetworkPolicy(name) {
+    metadata+: {
+      namespace: keycloak_namespace,
+    },
+    spec+: {
+      ingress: [
+        {
+          from: [
+            {
+              namespaceSelector: {
+                matchLabels: {
+                  name: prometheus_namespace,
+                },
+              },
+              podSelector: {
+                matchLabels: {
+                  app: prometheus_name,
+                },
+              },
+            },
+          ],
+          ports: [
+            {
+              port: 9990,
+              protocol: 'TCP',
+            },
+          ],
+        },
+      ],
+      podSelector: {
+        matchLabels: {
+          'app.kubernetes.io/instance': keycloak_name,
+          'app.kubernetes.io/name': keycloak_name,
+        },
+      },
+    },
+  };
+
+{
+  '40_netpol': netpol,
+}
diff --git a/docs/modules/ROOT/pages/how-tos/openshift-4.adoc b/docs/modules/ROOT/pages/how-tos/openshift-4.adoc
@@ -0,0 +1,41 @@
+= Installing on OpenShift 4
+
+This guide describes how to install this component on OpenShift 4.
+
+== Parameters for Keycloak
+
+You need to disable some security context fields, as OpenShift sets those automatically.
+
+[source,yaml,subs="attributes+"]
+----
+parameters:
+  keycloak:
+    ingress:
+      servicePort: http <1>
+    helm_values:
+      podSecurityContext: null
+      securityContext: null
+      pgchecker:
+        securityContext: null
+----
+<1> It's not possible to use the `reencrypt` termination if using Ingress with a self-signed destination certificate.
+
+== Parameters for built-in Postgresql database
+
+If you are using the built-in database provider (by default unless `keycloak.database.provider` is overridden) you also need to adjust the following parameters.
+
+[source,yaml,subs="attributes+"]
+----
+parameters:
+  keycloak:
+    helm_values:
+      postgresql:
+        securityContext:
+          enabled: false
+        volumePermissions:
+          securityContext:
+            runAsUser: auto
+          shmVolume:
+            chmod:
+              enabled: false
+----
diff --git a/docs/modules/ROOT/partials/nav.adoc b/docs/modules/ROOT/partials/nav.adoc
@@ -15,6 +15,7 @@
 * xref:how-tos/upgrade-2.x-to-3.x.adoc[Upgrade 2.x to 3.x]
 * xref:how-tos/upgrade-3.x-to-4.x.adoc[Upgrade 3.x to 4.x]
 * xref:how-tos/upgrade-3.x-to-4.x.adoc[Upgrade 4.x to 5.x]
+* xref:how-tos/openshift-4.adoc[Install on OpenShift 4]
 * xref:how-tos/pin-versions.adoc[Pin versions]
 
 .Explanations

diff --git a/postprocess/api_version.jsonnet b/postprocess/api_version.jsonnet
@@ -0,0 +1,42 @@
+/**
+ * Adjust StatefuleSet generated by helm template:
+ * * Fix the apiVersion
+ */
+local com = import 'lib/commodore.libjsonnet';
+local kap = import 'lib/kapitan.libjsonnet';
+local inv = kap.inventory();
+local params = inv.parameters.keycloak;
+
+local chart_output_dir = std.extVar('output_path');
+
+local list_dir(dir, basename=true) =
+  std.native('list_dir')(dir, basename);
+
+local chart_files = list_dir(chart_output_dir);
+
+local input_file(elem) = chart_output_dir + '/' + elem;
+local stem(elem) =
+  local elems = std.split(elem, '.');
+  std.join('.', elems[:std.length(elems) - 1]);
+
+
+local fix_api_version(sts) =
+  sts {
+    apiVersion: 'apps/v1',
+  };
+
+local fixup_obj(obj) =
+  if obj.kind == 'StatefulSet' then
+    fix_api_version(obj)
+  else
+    obj;
+
+local fixup(obj_file) =
+  local objs = std.prune(com.yaml_load_all(obj_file));
+  // process all objs
+  [ fixup_obj(obj) for obj in objs ];
+
+{
+  [stem(elem)]: fixup(input_file(elem))
+  for elem in chart_files
+}
diff --git a/tests/builtin.yml b/tests/builtin.yml
@@ -1,2 +1 @@
-parameters:
-  _instance: builtin
+---
diff --git a/tests/builtin/secrets_test.go b/tests/builtin/secrets_test.go
@@ -11,7 +11,7 @@ import (
 
 var (
 	expectedDbSecretName = "keycloak-postgresql"
-	testPath             = "../../compiled/keycloak/builtin"
+	testPath             = "../../compiled/builtin/builtin"
 )
 
 func Test_Database_Secret_DefaultParameters(t *testing.T) {

diff --git a/tests/builtin/statefulset_postgres_test.go b/tests/builtin/statefulset_postgres_test.go
@@ -10,7 +10,7 @@ import (
 )
 
 func Test_Database_StatefulSet_Secrets(t *testing.T) {
-	subject := common.DecodeStatefulsetV1Beta2(t, testPath+"/01_keycloak_helmchart/keycloak/charts/postgresql/templates/statefulset.yaml")
+	subject := common.DecodeStatefulsetV1(t, testPath+"/01_keycloak_helmchart/keycloak/charts/postgresql/templates/statefulset.yaml")
 	require.NotEmpty(t, subject.Spec.Template.Spec.Containers)
 	require.NotEmpty(t, subject.Spec.Template.Spec.Containers[0].Env)
 

diff --git a/tests/common/boilerplate.go b/tests/common/boilerplate.go
@@ -9,20 +9,12 @@ import (
 
 	"github.com/stretchr/testify/require"
 	appsv1 "k8s.io/api/apps/v1"
-	appsv1beta2 "k8s.io/api/apps/v1beta2"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/runtime/serializer"
 	clientgoscheme "k8s.io/client-go/kubernetes/scheme"
 )
 
-func DecodeStatefulsetV1Beta2(t *testing.T, path string) *appsv1beta2.StatefulSet {
-	subject := &appsv1beta2.StatefulSet{}
-	scheme := NewSchemeWithDefault(t)
-	require.NoError(t, appsv1beta2.AddToScheme(scheme))
-	return DecodeWithSchema(t, path, subject, scheme).(*appsv1beta2.StatefulSet)
-}
-
 func DecodeStatefulsetV1(t *testing.T, path string) *appsv1.StatefulSet {
 	subject := &appsv1.StatefulSet{}
 	scheme := NewSchemeWithDefault(t)

diff --git a/tests/external.yml b/tests/external.yml
@@ -1,6 +1,4 @@
 parameters:
-  _instance: external
-
   keycloak:
     database:
       provider: external

diff --git a/tests/external/postgresql_helmchart_not_rendered_test.go b/tests/external/postgresql_helmchart_not_rendered_test.go
@@ -0,0 +1,12 @@
+package external
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func Test_Postgresql_Helmchart_Not_Rendered(t *testing.T) {
+	subChartDir := testPath+"/01_keycloak_helmchart/keycloak/charts"
+	require.NoDirExists(t, subChartDir)
+}
diff --git a/tests/external/secrets_test.go b/tests/external/secrets_test.go
@@ -11,7 +11,7 @@ import (
 
 var (
 	expectedDbSecretName = "keycloak-postgresql"
-	testPath             = "../../compiled/keycloak/external"
+	testPath             = "../../compiled/external/external"
 )
 
 func Test_Database_Secret_DefaultParameters(t *testing.T) {