Initial implementation

.yamllint.yml

@@ -22,3 +22,4 @@ ignore: |
   manifests/
   vendor/
   compiled/
+  tests/golden/

class/defaults.yml

@@ -1,4 +1,125 @@
 parameters:
   lieutenant_keycloak_idp_controller:
     =_metadata: {}
-    namespace: syn-lieutenant-keycloak-idp-controller
+    namespace: projectsyn-lieutenant-keycloak-idp-controller
+    namespaceMetadata: {}
+
+    secrets: {}
+    config_maps:
+      lieutenant-keycloak-idp-controller-templates:
+        data: ${lieutenant_keycloak_idp_controller:templates}
+
+    images:
+      lieutenant_keycloak_idp_controller:
+        registry: ghcr.io
+        image: projectsyn/lieutenant-keycloak-idp-controller
+        tag: v0.1.0-dev1
+      kube_rbac_proxy:
+        registry: gcr.io
+        image: kubebuilder/kube-rbac-proxy
+        tag: v0.14.1
+
+    manifests_version: ${lieutenant_keycloak_idp_controller:images:lieutenant_keycloak_idp_controller:tag}
+
+    kustomize_input:
+      namespace: ${lieutenant_keycloak_idp_controller:namespace}
+
+    controller:
+      env:
+        KEYCLOAK_BASE_URL:
+        KEYCLOAK_USER:
+        KEYCLOAK_PASSWORD:
+        KEYCLOAK_REALM:
+        KEYCLOAK_LOGIN_REALM: admin
+        KEYCLOAK_LEGACY_WILDFLY_SUPPORT: 'true'
+        VAULT_ADDRESS:
+
+      args:
+        - --health-probe-bind-address=:8081
+        - --metrics-bind-address=127.0.0.1:8080
+        - --leader-elect
+
+        - --keycloak-realm=$(KEYCLOAK_REALM)
+        - --keycloak-base-url=$(KEYCLOAK_BASE_URL)
+        - --keycloak-user=$(KEYCLOAK_USER)
+        - --keycloak-password=$(KEYCLOAK_PASSWORD)
+        - --keycloak-login-realm=$(KEYCLOAK_LOGIN_REALM)
+        - --keycloak-legacy-wildfly-support=$(KEYCLOAK_LEGACY_WILDFLY_SUPPORT)
+
+        - --client-template-file=/templates/client.jsonnet
+        - --client-role-mapping-template-file=/templates/client-roles.jsonnet
+
+        - --vault-token-file=/var/run/secrets/kubernetes.io/serviceaccount/token
+        - --vault-address=$(VAULT_ADDRESS)
+
+    templates:
+      vars.jsonnet: |
+        {
+          clientPrefix: 'cluster_',
+          formatRootUrl: function(context) 'https://oauth-openshift.apps.%s.dev' % context.cluster.metadata.name,
+        }
+      client.jsonnet: |
+        local context = std.extVar('context');
+        local vars = import 'vars.jsonnet';
+
+        {
+          clientId: '%s%s' % [ vars.clientPrefix, context.cluster.metadata.name ],
+          name: '%s (%s)' % [ context.cluster.spec.displayName, context.cluster.metadata.name ],
+          description: '',
+          rootUrl: vars.formatRootUrl(context),
+          adminUrl: '',
+          baseUrl: '',
+          surrogateAuthRequired: false,
+          enabled: true,
+          alwaysDisplayInConsole: false,
+          clientAuthenticatorType: 'client-secret',
+          redirectUris: [
+            '/oauth2/callback',
+          ],
+          webOrigins: [],
+          notBefore: 0,
+          bearerOnly: false,
+          consentRequired: false,
+          standardFlowEnabled: true,
+          implicitFlowEnabled: false,
+          directAccessGrantsEnabled: true,
+          serviceAccountsEnabled: false,
+          publicClient: false,
+          frontchannelLogout: true,
+          protocol: 'openid-connect',
+          attributes: {
+            'oidc.ciba.grant.enabled': 'false',
+            'backchannel.logout.session.required': 'true',
+            'oauth2.device.authorization.grant.enabled': 'false',
+            'display.on.consent.screen': 'false',
+            'backchannel.logout.revoke.offline.tokens': 'false',
+          },
+          authenticationFlowBindingOverrides: {},
+          fullScopeAllowed: true,
+          nodeReRegistrationTimeout: -1,
+          defaultClientScopes: [
+            'web-origins',
+            'acr',
+            'profile',
+            'roles',
+            'email',
+          ],
+          optionalClientScopes: [
+            'address',
+            'phone',
+            'offline_access',
+            'microprofile-jwt',
+          ],
+          access: {
+            view: true,
+            configure: true,
+            manage: true,
+          },
+        }
+      client-roles.jsonnet: |
+        local context = std.extVar('context');
+
+        [{
+          // https://github.com/sventorben/keycloak-restrict-client-auth#role-based-mode
+          role: 'restricted-access',
+        }]

class/lieutenant-keycloak-idp-controller.yml

@@ -9,3 +9,23 @@ parameters:
           - ${_base_directory}/component/main.jsonnet
         input_type: jsonnet
         output_path: lieutenant-keycloak-idp-controller/
+
+      - input_paths:
+          - ${_base_directory}/component/lieutenant-keycloak-idp-controller.jsonnet
+        input_type: jsonnet
+        output_path: ${_base_directory}/lieutenant-keycloak-idp-controller
+        output_type: yaml
+      - input_type: external
+        output_path: .
+        input_paths:
+          - ${_kustomize_wrapper}
+        env_vars:
+          INPUT_DIR: ${_base_directory}/lieutenant-keycloak-idp-controller
+        args:
+          - \${compiled_target_dir}/lieutenant-keycloak-idp-controller
+
+      # Cleanup
+      - input_paths:
+          - ${_base_directory}/lieutenant-keycloak-idp-controller
+        input_type: remove
+        output_path: .

component/lieutenant-keycloak-idp-controller.jsonnet

@@ -0,0 +1,82 @@
+// main template for openshift4-slos
+local com = import 'lib/commodore.libjsonnet';
+local kap = import 'lib/kapitan.libjsonnet';
+local kube = import 'lib/kube.libjsonnet';
+
+local slo = import 'slos.libsonnet';
+
+local inv = kap.inventory();
+// The hiera parameters for the component
+local params = inv.parameters.lieutenant_keycloak_idp_controller;
+
+local upstreamNamespace = 'lieutenant-keycloak-idp-controller-system';
+
+local removeUpstreamNamespace = kube.Namespace(upstreamNamespace) {
+  metadata: {
+    name: upstreamNamespace,
+  } + com.makeMergeable(params.namespaceMetadata),
+};
+
+local controllerPatch = {
+  apiVersion: 'apps/v1',
+  kind: 'Deployment',
+  metadata: {
+    name: 'lieutenant-keycloak-idp-controller-controller-manager',
+    namespace: upstreamNamespace,
+  },
+  spec: {
+    template: {
+      spec: {
+        containers: [ {
+          name: 'manager',
+          args: params.controller.args,
+          env: com.envList(params.controller.env),
+          volumeMounts: [ {
+            name: 'templates',
+            mountPath: '/templates',
+          } ],
+        } ],
+        volumes: [ {
+          name: 'templates',
+          configMap: {
+            name: 'lieutenant-keycloak-idp-controller-templates',
+          },
+        } ],
+      },
+    },
+  },
+};
+
+local patch = function(p) {
+  patch: std.manifestJsonMinified(p),
+};
+
+com.Kustomization(
+  'https://github.com/projectsyn/lieutenant-keycloak-idp-controller//config/default',
+  params.manifests_version,
+  {
+    'ghcr.io/projectsyn/lieutenant-keycloak-idp-controller': {
+      local image = params.images.lieutenant_keycloak_idp_controller,
+      newTag: image.tag,
+      newName: '%(registry)s/%(image)s' % image,
+    },
+    'gcr.io/kubebuilder/kube-rbac-proxy': {
+      local image = params.images.kube_rbac_proxy,
+      newTag: image.tag,
+      newName: '%(registry)s/%(image)s' % image,
+    },
+  },
+  params.kustomize_input {
+    patches+: [
+      patch(removeUpstreamNamespace),
+      patch(controllerPatch),
+    ],
+    labels+: [
+      {
+        pairs: {
+          'app.kubernetes.io/managed-by': 'commodore',
+        },
+      },
+    ],
+  },
+)

component/main.jsonnet

@@ -1,10 +1,16 @@
-// main template for lieutenant-keycloak-idp-controller
+// main template for lieutenant-keycloak-idp-controller\
+local com = import 'lib/commodore.libjsonnet';
 local kap = import 'lib/kapitan.libjsonnet';
 local kube = import 'lib/kube.libjsonnet';
 local inv = kap.inventory();
 // The hiera parameters for the component
 local params = inv.parameters.lieutenant_keycloak_idp_controller;
 
+local secrets = com.generateResources(params.secrets, kube.Secret);
+local configMaps = com.generateResources(params.config_maps, kube.ConfigMap);
+
 // Define outputs below
 {
+  '10_secrets': secrets,
+  '10_config_maps': configMaps,
 }

tests/defaults.yml

@@ -1,3 +1,8 @@
 # Overwrite parameters here
 
-# parameters: {...}
+parameters:
+  secrets:
+    keycloak-user:
+      stringData:
+        username: user
+        password: password

tests/golden/defaults/lieutenant-keycloak-idp-controller/lieutenant-keycloak-idp-controller/10_config_maps.yaml

@@ -0,0 +1,78 @@
+apiVersion: v1
+data:
+  client-roles.jsonnet: |
+    local context = std.extVar('context');
+
+    [{
+      // https://github.com/sventorben/keycloak-restrict-client-auth#role-based-mode
+      role: 'restricted-access',
+    }]
+  client.jsonnet: |
+    local context = std.extVar('context');
+    local vars = import 'vars.jsonnet';
+
+    {
+      clientId: '%s%s' % [ vars.clientPrefix, context.cluster.metadata.name ],
+      name: '%s (%s)' % [ context.cluster.spec.displayName, context.cluster.metadata.name ],
+      description: '',
+      rootUrl: vars.formatRootUrl(context),
+      adminUrl: '',
+      baseUrl: '',
+      surrogateAuthRequired: false,
+      enabled: true,
+      alwaysDisplayInConsole: false,
+      clientAuthenticatorType: 'client-secret',
+      redirectUris: [
+        '/oauth2/callback',
+      ],
+      webOrigins: [],
+      notBefore: 0,
+      bearerOnly: false,
+      consentRequired: false,
+      standardFlowEnabled: true,
+      implicitFlowEnabled: false,
+      directAccessGrantsEnabled: true,
+      serviceAccountsEnabled: false,
+      publicClient: false,
+      frontchannelLogout: true,
+      protocol: 'openid-connect',
+      attributes: {
+        'oidc.ciba.grant.enabled': 'false',
+        'backchannel.logout.session.required': 'true',
+        'oauth2.device.authorization.grant.enabled': 'false',
+        'display.on.consent.screen': 'false',
+        'backchannel.logout.revoke.offline.tokens': 'false',
+      },
+      authenticationFlowBindingOverrides: {},
+      fullScopeAllowed: true,
+      nodeReRegistrationTimeout: -1,
+      defaultClientScopes: [
+        'web-origins',
+        'acr',
+        'profile',
+        'roles',
+        'email',
+      ],
+      optionalClientScopes: [
+        'address',
+        'phone',
+        'offline_access',
+        'microprofile-jwt',
+      ],
+      access: {
+        view: true,
+        configure: true,
+        manage: true,
+      },
+    }
+  vars.jsonnet: |
+    {
+      clientPrefix: 'cluster_',
+      formatRootUrl: function(context) 'https://oauth-openshift.apps.%s.dev' % context.cluster.metadata.name,
+    }
+kind: ConfigMap
+metadata:
+  annotations: {}
+  labels:
+    name: lieutenant-keycloak-idp-controller-templates
+  name: lieutenant-keycloak-idp-controller-templates