fix: decouple devMode and postgres egress (#554)

## Description Updates the internal `keycloak` helm chart to be more explicit about using an external postgres database connection. Notable changes are: - Configures egress rule and `keycloak` env vars for postgres based on `postgresql` being populated - Defaults `postgresql.username`, `postgresql.password`, `postgresql.database`, and `postgresql.host` to an empty string - Adds option to enable debug logging via `debugMode: true` - Adds a `fail` case when `devMode` is true and `postgresql` has values defined - Adds fail cases when users do not supply required values for `postgresql` when `devMode` is `false` ## Related Issue Fixes #489 ## Type of change - [x] Bug fix (non-breaking change which fixes an issue) - [ ] New feature (non-breaking change which adds functionality) - [ ] Other (security config, docs update, etc) ## Checklist before merging - [ ] Test, docs, adr added or updated as needed - [ ] [Contributor Guide](https://github.com/defenseunicorns/uds-template-capability/blob/main/CONTRIBUTING.md) followed --------- Co-authored-by: Micah Nagel <[email protected]>
defenseunicorns · Jul 12, 2024 · 1a98779 · 1a98779
1 parent e84229a
commit 1a98779
Show file tree

Hide file tree

Showing 8 changed files with 51 additions and 20 deletions.
diff --git a/src/keycloak/chart/README.md b/src/keycloak/chart/README.md
@@ -10,7 +10,11 @@ For more information on Keycloak and its capabilities, see its [documentation](h
 
 ### Dev Mode
 
-When `devMode: true` is set, the chart will deploy a single Keycloak Pod with an in-memory database and scaling turned off. Devmode also leverages PVCs by default for `data` and `themes`.
+When `devMode: true` is set, the chart will deploy a single Keycloak Pod with an in-memory database and scaling turned off. Dev Mode also leverages PVCs by default for `data` and `themes`. 
+
+Using an external database with Dev Mode enabled is not supported.
+
+Dev Mode enables debug logging for Keycloak. To configure debug logging outside of Dev Mode, set `debugMode: true` in your values.
 
 ### Autoscaling
 

diff --git a/src/keycloak/chart/templates/_helpers.tpl b/src/keycloak/chart/templates/_helpers.tpl
@@ -74,3 +74,24 @@ Create the service DNS name.
 {{- define "keycloak.serviceDnsName" -}}
 {{ include "keycloak.fullname" . }}-headless.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}
 {{- end }}
+
+{{/*
+Check external PostgreSQL connection information. Fails when required values are missing or if PostgreSQL is configured when devMode is enabled.
+*/}}
+
+{{- define "keycloak.postgresql.config" -}}
+{{- if not .Values.devMode -}}
+{{- if .Values.postgresql -}}
+{{ $requiredKeys := list "username" "password" "database" "host" "port" }}
+{{- range $k := $requiredKeys -}}
+{{ if empty (get $.Values.postgresql $k) }}{{- fail (printf "Missing value for \"postgresql.%s\"." $k ) -}}{{- end }}
+{{- end }}
+{{- else -}}{{fail "You must define \"username\", \"password\", \"database\", \"host\", and \"port\" for \"postgresql\"."}}
+{{- end -}}
+{{- default "true" "" }}
+{{- else if not (empty (compact (values (omit .Values.postgresql "port")))) -}}
+{{ fail "Cannot use an external PostgreSQL Database when devMode is enabled." -}}
+{{- else -}}
+{{ default "false" "" }}
+{{- end }}
+{{- end }}
diff --git a/src/keycloak/chart/templates/secret-postgresql.yaml b/src/keycloak/chart/templates/secret-postgresql.yaml
@@ -1,4 +1,4 @@
-{{- if not .Values.devMode }}
+{{- if eq (include "keycloak.postgresql.config" .) "true" }}
 apiVersion: v1
 kind: Secret
 metadata:
@@ -13,4 +13,4 @@ data:
   password: {{ .Values.postgresql.password | b64enc }}
   host: {{ .Values.postgresql.host | b64enc }}
   port: {{ .Values.postgresql.port | toString | b64enc }}
-{{- end }}
+{{- end }}
diff --git a/src/keycloak/chart/templates/statefulset.yaml b/src/keycloak/chart/templates/statefulset.yaml
@@ -113,15 +113,16 @@ spec:
             # Dumb value (not used in the nginx provider, but required by the SPI)
             - name: KC_SPI_X509CERT_LOOKUP_NGINX_SSL_CLIENT_CERT_CHAIN_PREFIX
               value: UNUSED
-          {{- if .Values.devMode }}
-            # Enable dubug logs in dev mode
+          {{- if or .Values.devMode .Values.debugMode }}
+            # Enable debug logs
             - name: KC_LOG_LEVEL
               value: DEBUG
             - name: QUARKUS_LOG_CATEGORY__ORG_APACHE_HTTP__LEVEL
               value: DEBUG
             - name: QUARKUS_LOG_CATEGORY__ORG_KEYCLOAK_SERVICES_X509__LEVEL
               value: TRACE
-          {{- else }}
+          {{- end }}
+          {{- if eq (include "keycloak.postgresql.config" .) "true" }}
             # Infinispan cache configuration
             - name: KC_CACHE
               value: ispn
@@ -168,7 +169,7 @@ spec:
             - name: JAVA_TOOL_OPTIONS
               value: "-Dcom.redhat.fips=true"
             {{- end }}
-          {{- end }}
+           {{- end }}  
           {{- if .Values.insecureAdminPasswordGeneration.enabled }}
             - name: KEYCLOAK_ADMIN
               valueFrom:

diff --git a/src/keycloak/chart/templates/uds-package.yaml b/src/keycloak/chart/templates/uds-package.yaml
@@ -52,8 +52,8 @@ spec:
         remoteGenerated: Anywhere
       {{- end }}
 
-      {{- if not .Values.devMode }}
-      - description: "PostgresQL Database access"
+      {{- if eq (include "keycloak.postgresql.config" .) "true" }}
+      - description: "PostgreSQL Database access"
         direction: Egress
         selector:
           app.kubernetes.io/name: keycloak

diff --git a/src/keycloak/chart/values.yaml b/src/keycloak/chart/values.yaml
@@ -55,8 +55,12 @@ terminationGracePeriodSeconds: 5
 clusterDomain: cluster.local
 
 # Sets development mode for Keycloak. This disables caching, Postgres and HPAs and should only be used for testing
+# Must have no values populated for `postgresql` in order to use
 devMode: true
 
+# Enable debug logging for keycloak and quarkus
+debugMode: false
+
 # Enable SMTP networkPolicy and config
 smtp:
   enabled: false
@@ -149,16 +153,17 @@ service:
   # Session affinity config
   sessionAffinityConfig: {}
 
+# Connection information for external postgres database
 postgresql:
-  # PostgreSQL User to create
-  username: keycloak
-  # PostgreSQL Password for the new user
-  password: keycloak
-  # PostgreSQL Database to create
-  database: keycloak
-  # PostgreSQL host
-  host: postgresql
-  # PostgreSQL port
+  # The username of the database user
+  username: ""
+  # The password of the database user
+  password: ""
+  # Database name
+  database: ""
+  # URL for the database
+  host: ""
+  # Port the database is listening on
   port: 5432
 
 serviceMonitor:

diff --git a/src/promtail/tasks.yaml b/src/promtail/tasks.yaml
@@ -1,7 +1,7 @@
 tasks:
   - name: validate
     actions:
-      - description: Validate promail
+      - description: Validate promtail
         wait:
           cluster:
             kind: Pod

diff --git a/src/velero/tasks.yaml b/src/velero/tasks.yaml
@@ -54,7 +54,7 @@ tasks:
             echo "Status is '$STATUS'... waiting to see if it changes"
 
             # local testing indicates the status is "Finalizing" for a few seconds after completion
-            sleep 15
+            sleep 30
 
             # check again...
             STATUS=$(uds zarf tools kubectl get backups -n velero ${BACKUP_NAME} -o jsonpath='{.status.phase}')