From 42860fefa11b8d10ef35a02d96ca32d999120652 Mon Sep 17 00:00:00 2001
From: bastjan
Date: Thu, 8 Jul 2021 10:44:34 +0000
Subject: [PATCH 01/10] Update from projectsyn/modulesync-control

---
 Makefile.vars.mk | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Makefile.vars.mk b/Makefile.vars.mk
index 718599a2..94efba20 100644
--- a/Makefile.vars.mk
+++ b/Makefile.vars.mk
@@ -19,7 +19,7 @@ JSONNETFMT_ARGS ?= --in-place --pad-arrays
 JSONNET_IMAGE ?= docker.io/bitnami/jsonnet:latest
 JSONNET_DOCKER ?= $(DOCKER_CMD) $(DOCKER_ARGS) $(root_volume) --entrypoint=jsonnetfmt $(JSONNET_IMAGE)
 
-YAML_FILES ?= $(shell find . -type f -not -path './vendor/*' \( -name '*.yaml' -or -name '*.yml' \))
+YAML_FILES ?= $(shell find . -type f -not -regex './\(helmcharts\|manifests\|vendor\)/.*' \( -name '*.yaml' -or -name '*.yml' \))
 YAMLLINT_ARGS ?= --no-warnings
 YAMLLINT_CONFIG ?= .yamllint.yml
 YAMLLINT_IMAGE ?= docker.io/cytopia/yamllint:latest

From bda1597bb4a587a28e0ecf71a9b884e802a78ec8 Mon Sep 17 00:00:00 2001
From: Simon Gerber
Date: Thu, 5 Aug 2021 14:33:34 +0200
Subject: [PATCH 02/10] Update unit tests for latest Commodore version

---
 Makefile | 2 +-
 tests/builtin.yml | 3 +--
 tests/builtin/secrets_test.go | 2 +-
 tests/external.yml | 2 --
 tests/external/secrets_test.go | 2 +-
 5 files changed, 4 insertions(+), 7 deletions(-)

diff --git a/Makefile b/Makefile
index d56fa98c..b90a1050 100644
--- a/Makefile
+++ b/Makefile
@@ -53,7 +53,7 @@ docs-serve: ## Preview the documentation
 	$(COMMODORE_CMD)
 
 .PHONY: test
-test: commodore_args = -f tests/$(instance).yml --search-paths ./dependencies
+test: commodore_args = -f tests/$(instance).yml --search-paths ./dependencies --alias $(instance)
 test: .compile ## Compile the component
 
 .PHONY: clean
diff --git a/tests/builtin.yml b/tests/builtin.yml
index 8c261ff7..ed97d539 100644
--- a/tests/builtin.yml
+++ b/tests/builtin.yml
@@ -1,2 +1 @@
-parameters:
-  _instance: builtin
+---
diff --git a/tests/builtin/secrets_test.go b/tests/builtin/secrets_test.go
index 06bef8b6..84270925 100644
--- a/tests/builtin/secrets_test.go
+++ b/tests/builtin/secrets_test.go
@@ -11,7 +11,7 @@ import (
 
 var (
 	expectedDbSecretName = "keycloak-postgresql"
-	testPath = "../../compiled/keycloak/builtin"
+	testPath = "../../compiled/builtin/builtin"
 )
 
 func Test_Database_Secret_DefaultParameters(t *testing.T) {
diff --git a/tests/external.yml b/tests/external.yml
index c5249c81..aa03668a 100644
--- a/tests/external.yml
+++ b/tests/external.yml
@@ -1,6 +1,4 @@
 parameters:
-  _instance: external
-
   keycloak:
     database:
       provider: external
diff --git a/tests/external/secrets_test.go b/tests/external/secrets_test.go
index fbc1ef0c..cd9e99ba 100644
--- a/tests/external/secrets_test.go
+++ b/tests/external/secrets_test.go
@@ -11,7 +11,7 @@ import (
 
 var (
 	expectedDbSecretName = "keycloak-postgresql"
-	testPath = "../../compiled/keycloak/external"
+	testPath = "../../compiled/external/external"
 )
 
 func Test_Database_Secret_DefaultParameters(t *testing.T) {

From 98f391c8a0d6487ebe2bc4ee170edb107f174cea Mon Sep 17 00:00:00 2001
From: Simon Gerber
Date: Thu, 5 Aug 2021 14:34:29 +0200
Subject: [PATCH 03/10] Add test to check that the Postgres subchart isn't rendered in external DB mode

---
 .../postgresql_helmchart_not_rendered_test.go | 12 ++++++++++++
 1 file changed, 12 insertions(+)
 create mode 100644 tests/external/postgresql_helmchart_not_rendered_test.go

diff --git a/tests/external/postgresql_helmchart_not_rendered_test.go b/tests/external/postgresql_helmchart_not_rendered_test.go
new file mode 100644
index 00000000..52155c19
--- /dev/null
+++ b/tests/external/postgresql_helmchart_not_rendered_test.go
@@ -0,0 +1,12 @@
+package external
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func Test_Postgresql_Helmchart_Not_Rendered(t *testing.T) {
+	subChartDir := testPath+"/01_keycloak_helmchart/keycloak/charts"
+	require.NoDirExists(t, subChartDir)
+}
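Review bot: `Test_Postgresql_Helmchart_Not_Rendered` passes vacuously whenever the compiled output is missing or `testPath` points somewhere else, because `require.NoDirExists` cannot tell "subchart not rendered" apart from "nothing rendered at all". Anchoring the negative check to the chart directory that must exist makes it meaningful: add `require.DirExists(t, testPath+"/01_keycloak_helmchart/keycloak")` before the `NoDirExists` call. The test also reads `testPath` from `secrets_test.go` in the same package, so it depends on the path update made earlier in this series.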
From 5b9a3325ace8095c179f4573e5bd67c953b585b7 Mon Sep 17 00:00:00 2001
From: Chris
Date: Wed, 4 Aug 2021 16:54:45 +0200
Subject: [PATCH 04/10] Patch apiVersion in postgresql helm chart

To make it OCP4 compatible
---
 class/keycloak.yml | 7 ++++
 postprocess/api_version.jsonnet | 42 ++++++++++++++++++++++
 tests/builtin/statefulset_postgres_test.go | 2 +-
 tests/common/boilerplate.go | 8 -----
 4 files changed, 50 insertions(+), 9 deletions(-)
 create mode 100644 postprocess/api_version.jsonnet

diff --git a/class/keycloak.yml b/class/keycloak.yml
index 7d022e50..b5e1f932 100644
--- a/class/keycloak.yml
+++ b/class/keycloak.yml
@@ -24,3 +24,10 @@ parameters:
           release_name: ${keycloak:release_name}
           namespace: '${keycloak:namespace}'
           helm_values: ${keycloak:helm_values}
+  commodore:
+    postprocess:
+      filters:
+        - type: jsonnet
+          filter: postprocess/api_version.jsonnet
+          path: ${_instance}/01_keycloak_helmchart/keycloak/charts/postgresql/templates
+          enabled: "${keycloak:helm_values:postgresql:enabled}"
diff --git a/postprocess/api_version.jsonnet b/postprocess/api_version.jsonnet
new file mode 100644
index 00000000..70497e05
--- /dev/null
+++ b/postprocess/api_version.jsonnet
@@ -0,0 +1,42 @@
+/**
+ * Adjust StatefuleSet generated by helm template:
+ * * Fix the apiVersion
+ */
+local com = import 'lib/commodore.libjsonnet';
+local kap = import 'lib/kapitan.libjsonnet';
+local inv = kap.inventory();
+local params = inv.parameters.keycloak;
+
+local chart_output_dir = std.extVar('output_path');
+
+local list_dir(dir, basename=true) =
+  std.native('list_dir')(dir, basename);
+
+local chart_files = list_dir(chart_output_dir);
+
+local input_file(elem) = chart_output_dir + '/' + elem;
+local stem(elem) =
+  local elems = std.split(elem, '.');
+  std.join('.', elems[:std.length(elems) - 1]);
+
+
+local fix_api_version(sts) =
+  sts {
+    apiVersion: 'apps/v1',
+  };
+
+local fixup_obj(obj) =
+  if obj.kind == 'StatefulSet' then
+    fix_api_version(obj)
+  else
+    obj;
+
+local fixup(obj_file) =
+  local objs = std.prune(com.yaml_load_all(obj_file));
+  // process all objs
+  [ fixup_obj(obj) for obj in objs ];
+
+{
+  [stem(elem)]: fixup(input_file(elem))
+  for elem in chart_files
+}
diff --git a/tests/builtin/statefulset_postgres_test.go b/tests/builtin/statefulset_postgres_test.go
index 06010d1c..a3c5e86c 100644
--- a/tests/builtin/statefulset_postgres_test.go
+++ b/tests/builtin/statefulset_postgres_test.go
@@ -10,7 +10,7 @@ import (
 )
 
 func Test_Database_StatefulSet_Secrets(t *testing.T) {
-	subject := common.DecodeStatefulsetV1Beta2(t, testPath+"/01_keycloak_helmchart/keycloak/charts/postgresql/templates/statefulset.yaml")
+	subject := common.DecodeStatefulsetV1(t, testPath+"/01_keycloak_helmchart/keycloak/charts/postgresql/templates/statefulset.yaml")
 	require.NotEmpty(t, subject.Spec.Template.Spec.Containers)
 	require.NotEmpty(t, subject.Spec.Template.Spec.Containers[0].Env)
diff --git a/tests/common/boilerplate.go b/tests/common/boilerplate.go
index ad06c91f..22260f5d 100644
--- a/tests/common/boilerplate.go
+++ b/tests/common/boilerplate.go
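Review bot: `fixup_obj` dereferences `obj.kind` unguarded, so any document in the postgresql templates directory that lacks a `kind` field aborts the whole postprocess run instead of passing through; `if std.objectHas(obj, 'kind') && obj.kind == 'StatefulSet' then` keeps the filter tolerant of such input. The locals `inv` and `params` (and with them the `kap` import) are declared but never used in this file, and the header comment misspells the kind; suggest removing the unused locals and changing the comment to ` * Adjust StatefulSet generated by helm template:`. A one-line why-comment above `fix_api_version`, such as `// The chart still emits a pre-apps/v1 StatefulSet apiVersion, which OCP4 rejects`, would record the motivation from the commit message in the code itself.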
@@ -9,20 +9,12 @@ import (
 	"github.com/stretchr/testify/require"
 	appsv1 "k8s.io/api/apps/v1"
-	appsv1beta2 "k8s.io/api/apps/v1beta2"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/runtime/serializer"
 	clientgoscheme "k8s.io/client-go/kubernetes/scheme"
 )
 
-func DecodeStatefulsetV1Beta2(t *testing.T, path string) *appsv1beta2.StatefulSet {
-	subject := &appsv1beta2.StatefulSet{}
-	scheme := NewSchemeWithDefault(t)
-	require.NoError(t, appsv1beta2.AddToScheme(scheme))
-	return DecodeWithSchema(t, path, subject, scheme).(*appsv1beta2.StatefulSet)
-}
-
 func DecodeStatefulsetV1(t *testing.T, path string) *appsv1.StatefulSet {
 	subject := &appsv1.StatefulSet{}
 	scheme := NewSchemeWithDefault(t)

From 9a85df42fbde0710a843e3fc0a88d053a83350cd Mon Sep 17 00:00:00 2001
From: Chris
Date: Thu, 5 Aug 2021 16:43:15 +0200
Subject: [PATCH 05/10] Add guide how to install on OCP4

---
 .../ROOT/pages/how-tos/openshift-4.adoc | 38 +++++++++++++++++++
 docs/modules/ROOT/partials/nav.adoc | 1 +
 2 files changed, 39 insertions(+)
 create mode 100644 docs/modules/ROOT/pages/how-tos/openshift-4.adoc

diff --git a/docs/modules/ROOT/pages/how-tos/openshift-4.adoc b/docs/modules/ROOT/pages/how-tos/openshift-4.adoc
new file mode 100644
index 00000000..502c1a10
--- /dev/null
+++ b/docs/modules/ROOT/pages/how-tos/openshift-4.adoc
@@ -0,0 +1,38 @@
+= Installing on OpenShift 4
+
+This guide describes how to install this component on OpenShift 4.
+
+== Parameters for Keycloak
+
+You need to disable some security context fields, as OpenShift sets those automatically.
+
+[source,yaml,subs="attributes+"]
+----
+parameters:
+  keycloak:
+    helm_values:
+      podSecurityContext: null
+      securityContext: null
+      pgchecker:
+        securityContext: null
+----
+
+== Parameters for built-in Postgresql database
+
+If you are using the built-in database provider (by default unless `keycloak.database.provider` is overridden) you also need to adjust the following parameters.
+
+[source,yaml,subs="attributes+"]
+----
+parameters:
+  keycloak:
+    helm_values:
+      postgresql:
+        securityContext:
+          enabled: false
+        volumePermissions:
+          securityContext:
+            runAsUser: auto
+        shmVolume:
+          chmod:
+            enabled: false
+----
diff --git a/docs/modules/ROOT/partials/nav.adoc b/docs/modules/ROOT/partials/nav.adoc
index 8c621d9f..bdb7db8d 100644
--- a/docs/modules/ROOT/partials/nav.adoc
+++ b/docs/modules/ROOT/partials/nav.adoc
@@ -14,6 +14,7 @@
 * xref:how-tos/upgrade-1.x-to-2.x.adoc[Upgrade 1.x to 2.x]
 * xref:how-tos/upgrade-2.x-to-3.x.adoc[Upgrade 2.x to 3.x]
 * xref:how-tos/upgrade-3.x-to-4.x.adoc[Upgrade 3.x to 4.x]
+* xref:how-tos/openshift-4.adoc[Install on OpenShift 4]
 * xref:how-tos/pin-versions.adoc[Pin versions]
 
 .Explanations

From 3fefbb731bcaf125305f5314ed4a5c719a7356b6 Mon Sep 17 00:00:00 2001
From: Chris
Date: Fri, 6 Aug 2021 10:14:33 +0200
Subject: [PATCH 06/10] Ignore diff in ServiceAccount for image pull secrets

OpenShift adds image pull secrets but that won't sync in ArgoCD.
---
 component/app.jsonnet | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/component/app.jsonnet b/component/app.jsonnet
index 173994a4..9fb243aa 100644
--- a/component/app.jsonnet
+++ b/component/app.jsonnet
@@ -4,7 +4,19 @@ local params = inv.parameters.keycloak;
 local argocd = import 'lib/argocd.libjsonnet';
 local instance = inv.parameters._instance;
 
-local app = argocd.App(instance, params.namespace);
+local app = argocd.App(instance, params.namespace) {
+  spec+: {
+    ignoreDifferences+: [
+      {
+        group: '',
+        kind: 'ServiceAccount',
+        jsonPointers: [
+          '/imagePullSecrets',
+        ],
+      },
+    ],
+  },
+};
 
 {
   [instance]: app,

From cb286c744356356f0f27524fe61f5f47f268f217 Mon Sep 17 00:00:00 2001
From: Chris
Date: Fri, 6 Aug 2021 14:50:20 +0200
Subject: [PATCH 07/10] OCP4: Use edge termination

---
 docs/modules/ROOT/pages/how-tos/openshift-4.adoc | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/docs/modules/ROOT/pages/how-tos/openshift-4.adoc b/docs/modules/ROOT/pages/how-tos/openshift-4.adoc
index 502c1a10..c1049844 100644
--- a/docs/modules/ROOT/pages/how-tos/openshift-4.adoc
+++ b/docs/modules/ROOT/pages/how-tos/openshift-4.adoc
@@ -10,12 +10,15 @@ You need to disable some security context fields, as OpenShift sets those automa
 ----
 parameters:
   keycloak:
+    ingress:
+      servicePort: http <1>
     helm_values:
       podSecurityContext: null
       securityContext: null
       pgchecker:
         securityContext: null
 ----
+<1> It's not possible to use the `reencrypt` termination if using Ingress with a self-signed destination certificate.
 
 == Parameters for built-in Postgresql database
 

From b3e12f6337620ec21602d13f0f4328a37de3db61 Mon Sep 17 00:00:00 2001
From: Raphael Freudiger
Date: Wed, 11 Aug 2021 13:03:32 +0200
Subject: [PATCH 08/10] Add synmonitoring label to namespace

It is creating a ServiceMonitor.
---
 component/main.jsonnet | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/component/main.jsonnet b/component/main.jsonnet
index 362c1cf3..276b0d88 100644
--- a/component/main.jsonnet
+++ b/component/main.jsonnet
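Review bot: The new `ignoreDifferences` entry carries no comment explaining why drift on `/imagePullSecrets` is tolerated, and because it names no specific account it applies to every ServiceAccount in the application, so a pull secret attached out of band to any of them will no longer be reported as OutOfSync by ArgoCD. Suggest a why-comment above the entry, `// OpenShift injects imagePullSecrets into ServiceAccounts; ignore the field so the app does not stay OutOfSync.`, and, if the injection only affects a known account, narrowing the entry with a `name:` field so the drift blind spot stays as small as possible.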
@@ -7,7 +7,13 @@ local inv = kap.inventory();
 // The hiera parameters for the component
 local params = inv.parameters.keycloak;
 
-local namespace = kube.Namespace(params.namespace);
+local namespace = kube.Namespace(params.namespace) {
+  metadata+: {
+    labels+: {
+      SYNMonitoring: 'main',
+    },
+  },
+};
 
 local admin_secret = kube.Secret(params.admin.secretname) {
   metadata+: {

From 2d9c47189e23022954b89eb7f182d3b37b9abb1a Mon Sep 17 00:00:00 2001
From: Raphael Freudiger
Date: Wed, 11 Aug 2021 13:00:58 +0200
Subject: [PATCH 09/10] add network policy that allows access from prometheus

---
 class/keycloak.yml | 4 ++
 component/prometheus-netpol.jsonnet | 59 +++++++++++++++++++++++++++++
 2 files changed, 63 insertions(+)
 create mode 100644 component/prometheus-netpol.jsonnet

diff --git a/class/keycloak.yml b/class/keycloak.yml
index b5e1f932..000ff6b3 100644
--- a/class/keycloak.yml
+++ b/class/keycloak.yml
@@ -15,6 +15,10 @@ parameters:
           - keycloak/component/main.jsonnet
         input_type: jsonnet
         output_path: ${_instance}
+      - input_paths:
+          - keycloak/component/prometheus-netpol.jsonnet
+        input_type: jsonnet
+        output_path: ${_instance}
       - output_path: ${_instance}/01_keycloak_helmchart
         input_type: helm
         output_type: yaml
diff --git a/component/prometheus-netpol.jsonnet b/component/prometheus-netpol.jsonnet
new file mode 100644
index 00000000..89e374e2
--- /dev/null
+++ b/component/prometheus-netpol.jsonnet
@@ -0,0 +1,59 @@
+local kap = import 'lib/kapitan.libjsonnet';
+local kube = import 'lib/kube.libjsonnet';
+local inv = kap.inventory();
+local params = inv.parameters.keycloak;
+
+local prometheus_namespace =
+  if std.objectHas(inv.parameters, 'rancher_monitoring') then
+    inv.parameters.rancher_monitoring.namespace
+  else
+    'syn-synsights';
+local prometheus_name = 'prometheus';
+
+local keycloak_namespace = params.namespace;
+local keycloak_name = params.release_name;
+
+local name = prometheus_name + '-' + prometheus_namespace + '-to-' + keycloak_name;
+
+local netpol =
+  kube.NetworkPolicy(name) {
+    metadata+: {
+      namespace: keycloak_namespace,
+    },
+    spec+: {
+      ingress: [
+        {
+          from: [
+            {
+              namespaceSelector: {
+                matchLabels: {
+                  name: prometheus_namespace,
+                },
+              },
+              podSelector: {
+                matchLabels: {
+                  app: prometheus_name,
+                },
+              },
+            },
+          ],
+          ports: [
+            {
+              port: 9990,
+              protocol: 'TCP',
+            },
+          ],
+        },
+      ],
+      podSelector: {
+        matchLabels: {
+          'app.kubernetes.io/instance': keycloak_name,
+          'app.kubernetes.io/name': keycloak_name,
+        },
+      },
+    },
+  };
+
+{
+  '20_netpol': netpol,
+}

From 78d6971967d8c3506b54371dd51489d9a4e19506 Mon Sep 17 00:00:00 2001
From: Raphael Freudiger
Date: Fri, 13 Aug 2021 11:01:49 +0200
Subject: [PATCH 10/10] netpol: install after everything else

Co-authored-by: Chris
---
 component/prometheus-netpol.jsonnet | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/component/prometheus-netpol.jsonnet b/component/prometheus-netpol.jsonnet
index 89e374e2..44c133dc 100644
--- a/component/prometheus-netpol.jsonnet
+++ b/component/prometheus-netpol.jsonnet
@@ -55,5 +55,5 @@ local netpol =
   };
 
 {
-  '20_netpol': netpol,
+  '40_netpol': netpol,
 }
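Review bot: Selecting the Keycloak pods with a policy whose only ingress rule admits Prometheus on port 9990 makes those pods isolated for ingress, so unless another NetworkPolicy in `params.namespace` admits the application port, traffic from the Ingress controller and other clients is dropped as soon as this object is applied; the file does not state whether such a policy is assumed to exist, and whatever `kube.NetworkPolicy` puts into `policyTypes` (not visible here) decides whether egress is affected as well. A comment above `local netpol =` should record that assumption, e.g. `// Allow-list for Prometheus scraping only; application traffic must be admitted by a separate policy.`. Two selector assumptions also deserve a comment or a check under `tests/`: the `namespaceSelector` requires the Prometheus namespace to carry a `name` label equal to its own name, and the `podSelector` uses `params.release_name` for `app.kubernetes.io/name`, which Helm charts usually set to the chart name rather than the release, so a `release_name` other than `keycloak` may match no pods and turn the policy into a no-op.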