diff --git a/class/defaults.yml b/class/defaults.yml index 6c050ce..ecea811 100644 --- a/class/defaults.yml +++ b/class/defaults.yml @@ -54,6 +54,14 @@ parameters: - --keycloak-client-ignore-paths=/protocolMappers/0/id + resources: + limits: + cpu: 100m + memory: 128Mi + requests: + cpu: 10m + memory: 32Mi + templates: vars.jsonnet: | { diff --git a/component/lieutenant-keycloak-idp-controller.jsonnet b/component/lieutenant-keycloak-idp-controller.jsonnet index f1308ea..993673c 100644 --- a/component/lieutenant-keycloak-idp-controller.jsonnet +++ b/component/lieutenant-keycloak-idp-controller.jsonnet @@ -38,6 +38,7 @@ local controllerPatch = { name: 'manager', args: params.controller.args, env: com.envList(params.controller.env), + resources: params.controller.resources, volumeMounts: [ { name: 'templates', mountPath: '/templates', diff --git a/docs/modules/ROOT/pages/references/parameters.adoc b/docs/modules/ROOT/pages/references/parameters.adoc index 4f062e8..4c4e524 100644 --- a/docs/modules/ROOT/pages/references/parameters.adoc +++ b/docs/modules/ROOT/pages/references/parameters.adoc 
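Review bot: The new `resources: params.controller.resources,` line in `controllerPatch` has no comment explaining where the value comes from or that it is passed to the container spec verbatim, unlike the `env` line above it which is transformed through `com.envList`. A short comment would help the next maintainer, e.g. `// Requests/limits for the manager container, taken verbatim from params.controller.resources (defaults in class/defaults.yml).` The enclosing `controllerPatch` definition starts and ends outside the hunk. The matching defaults in class/defaults.yml (100m/128Mi limits, 10m/32Mi requests) are fairly tight for a controller that also serves health probes on :8081 per the documented args; if startup is CPU-throttled at those limits the probes could be affected, which is worth confirming against the probe timeouts in the upstream manifests rather than assumed here.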
@@ -11,9 +11,134 @@ default:: `syn-lieutenant-keycloak-idp-controller` The namespace in which to deploy this component. -== Example +== `namespaceMetadata` +[horizontal] +type:: dict +default:: `{}` + +Metadata to be added to the namespace. + + +== `images` + +[horizontal] +type:: dictionary + +The images to use for this component. + + +== `manifests_version` + +[horizontal] +type:: string +default:: `${lieutenant_keycloak_idp_controller:images:lieutenant_keycloak_idp_controller:tag}` + +The Git reference to the controller deployment manifests. +The default is the tag of the controller image. + + +== `controller.env` + +[horizontal] +type:: dict +default:: ++ +[source,yaml] +---- +KEYCLOAK_BASE_URL: +KEYCLOAK_USER: +KEYCLOAK_PASSWORD: +KEYCLOAK_REALM: +KEYCLOAK_LOGIN_REALM: master +KEYCLOAK_LEGACY_WILDFLY_SUPPORT: 'true' +VAULT_ADDRESS: +---- ++ +example:: ++ +[source,yaml] +---- +KEYCLOAK_BASE_URL: https://id.example.net +KEYCLOAK_USER: svc_lieutenant-keycloak-idp-controller +KEYCLOAK_PASSWORD: + secretKeyRef: + name: keycloak-credentials + key: password +KEYCLOAK_REALM: myrealm +KEYCLOAK_LOGIN_REALM: master +KEYCLOAK_LEGACY_WILDFLY_SUPPORT: 'true' +VAULT_ADDRESS: https://vault.syn.example.net/ +---- + +The environment variables to set for the controller container. +String values are taken verbatim as the `value` fiels, dictionary values are rendered as `valueFrom` fields. 
+ + +== `controller.args` + +[horizontal] +type:: list +default:: ++ +[source,yaml] +---- +- --health-probe-bind-address=:8081 +- --metrics-bind-address=127.0.0.1:8080 +- --leader-elect + +- --keycloak-realm=$(KEYCLOAK_REALM) +- --keycloak-base-url=$(KEYCLOAK_BASE_URL) +- --keycloak-user=$(KEYCLOAK_USER) +- --keycloak-password=$(KEYCLOAK_PASSWORD) +- --keycloak-login-realm=$(KEYCLOAK_LOGIN_REALM) +- --keycloak-legacy-wildfly-support=$(KEYCLOAK_LEGACY_WILDFLY_SUPPORT) + +- --client-template-file=/templates/client.jsonnet +- --client-role-mapping-template-file=/templates/client-roles.jsonnet + +- --vault-token-file=/var/run/secrets/kubernetes.io/serviceaccount/token +- --vault-address=$(VAULT_ADDRESS) + +- --keycloak-client-ignore-paths=/protocolMappers/0/id +---- + +The arguments to pass to the controller container. + + +== `controller.resources` + +[horizontal] +type:: dict +default:: ++ [source,yaml] ---- -namespace: example-namespace +limits: + cpu: 100m + memory: 128Mi +requests: + cpu: 10m + memory: 32Mi ---- + +The resource limits and requests for the controller container. + + +== `templates` + +[horizontal] +type:: dict +default:: See https://github.com/projectsyn/component-lieutenant-keycloak-idp-controller/blob/master/class/defaults.yml[`defaults.yml`] + +The templates for the controller to use. +Templates can include each other using the `import` function. + +Default template creates a client with the following settings: +- full scope is disabled for security reasons +- access type is confidential +- standard flow is enabled +- direct access grants are enabled +- client role `restricted-access` is created for https://github.com/sventorben/keycloak-restrict-client-auth#role-based-mode +- client roles are mapped to the `roles` key of the JWT token +