From e967c19a1f2c05965ecea313ebb1c79458f7a78d Mon Sep 17 00:00:00 2001
From: yyvess
Date: Mon, 29 Jan 2024 10:03:00 +0100
Subject: [PATCH] feat(doc): Improve Readme & sample

---
 .github/workflows/build.yml | 7 +-
 README.md | 29 +++--
 .../ha/postgres-istio-values.cue | 12 +-
 samples/ha/postgres.yaml | 30 +++++
 samples/minimum/minimum-values.cue | 18 +++
 test/certificate-values.cue | 2 +-
 test/certificate.yaml | 2 +-
 test/minimum-values.cue | 12 --
 test/minimum.yaml | 111 ------------------
 ...duction-istio.yaml => postgres-istio.yaml} | 4 +-
 test/test.sh | 4 +-
 test/virtualservice-values.cue | 2 +-
 test/virtualservice.yaml | 2 +-
 13 files changed, 87 insertions(+), 148 deletions(-)
 rename test/production-istio-values.cue => samples/ha/postgres-istio-values.cue (78%)
 create mode 100644 samples/ha/postgres.yaml
 create mode 100644 samples/minimum/minimum-values.cue
 delete mode 100644 test/minimum-values.cue
 rename test/{production-istio.yaml => postgres-istio.yaml} (98%)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 4975391..509ad6c 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -24,9 +24,12 @@ jobs:
 registry: ghcr.io
 username: ${{ github.actor }}
 password: ${{ secrets.GITHUB_TOKEN }}
- - name: Vet module
+ - name: Vet module minimum
 run: |
- timoni mod vet . -f test/minimum-values.cue
+ timoni mod vet . -f samples/minimum/minimum-values.cue
+ - name: Vet module ha
+ run: |
+ timoni mod vet . -f samples/ha/postgres-istio-values.cue
 - name: Push and Sign
 run: |
 timoni mod push . \
diff --git a/README.md b/README.md
index 680b889..4c489b5 100644
--- a/README.md
+++ b/README.md
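Review bot: Both vet steps are placed after what appears to be the registry login step whose `with:` values (`registry: ghcr.io`, `password: ${{ secrets.GITHUB_TOKEN }}`) are the context lines at the top of the hunk, so a broken sample file is only reported once the job has already been handed the token; moving `Vet module minimum` and `Vet module ha` ahead of the login keeps validation independent of credentials. A single-command block scalar is heavier than needed, `run: timoni mod vet . -f samples/minimum/minimum-values.cue` reads the same, and the two near-identical steps could be one step looping over the sample files so a third sample is not forgotten here. The job definition starts and continues outside the hunk.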
@@ -1,15 +1,24 @@
-# keycloak
+# Keycloak Timoni module
-A [timoni.sh](http://timoni.sh) module for deploying [keycloak](https://www.keycloak.org/) on Kubernetes clusters.
+[![Release](https://img.shields.io/github/v/release/yyvess/keycloak-timoni.svg)](https://github.com//yyvess/keycloak-timoni/releases)
+[![timoni.sh](https://img.shields.io/badge/timoni.sh-v0.18.0-7e56c2)](https://timoni.sh)
+[![kubernetes](https://img.shields.io/badge/kubernetes-v1.29.0-326CE5?logo=kubernetes&logoColor=white)](https://kubernetes.io)
+[![License](https://img.shields.io/github/license/nalum/cert-manager-module)](https://github.com/nalum/cert-manager-module/blob/main/LICENSE)
+
+* [Keycloak](https://www.keycloak.org/) is an Open Source Identity and Access Management
+* [Timoni.sh](http://timoni.sh) is an alternative of Helm chart based on [CUE](https://cuelang.org/)
+
+
+
+A [timoni.sh](http://timoni.sh) module for deploying [keycloak](https://www.keycloak.org/) to Kubernetes clusters.
-> [!IMPORTANT]
-> Note that module in under development and is still in its infancy.
-> Any feedback and PR are welcome
+> [!IMPORTANT]
+> Note that module is on beta, any feedback and PR are welcome
 ## Install
-To create an instance, create a file `my-values.cue` with the following content:
+To create a minimum instance, create a file `my-values.cue` with the following content:
 ```cue
 values: {
@@ -21,9 +30,10 @@ values: {
 {name: "KC_LOG_LEVEL", value: "INFO"},
 ]
 }
-
 ```
+
+
 And apply the values with:
 ```shell
@@ -31,8 +41,7 @@ timoni -n keycloak apply keycloak oci://ghcr.io/yyvess/keycloak \
 --values ./my-values.cue
 ```
-By default, the server uses the dev-file database. This is the default database that the server will use to persist data and only exists for development use-cases. The dev-file database **is not suitable for production use-cases**, and must be replaced before deploying to production.
-
+By default, the server uses the **dev-file** database on an empty volume! The dev-file database **is not suitable for production use-cases**, and must be replaced with an others database type on production.
 ## Uninstall
@@ -44,4 +53,4 @@ timoni -n keycloak delete keycloak
 ## Configuration
-Look samples on test folder
\ No newline at end of file
+Some configuration examples can be found on [samples](samples) directory.
diff --git a/test/production-istio-values.cue b/samples/ha/postgres-istio-values.cue
similarity index 78%
rename from test/production-istio-values.cue
rename to samples/ha/postgres-istio-values.cue
index 7ed0a94..0b88370 100644
--- a/test/production-istio-values.cue
+++ b/samples/ha/postgres-istio-values.cue
@@ -1,6 +1,8 @@
-// Note that this file must have no imports and all values must be concrete.
-
-// Unsecure Keycloak deployment in http with HA
+//
+// Keycloak HA deployment with Istio & Postgres database
+//
+// ! Requird a cluster with Cert manager, Istio & Zalando Postgres operator
+//
 @if(!debug)
@@ -49,7 +51,7 @@ values: {
 username: {
 valueFrom: {
 secretKeyRef: {
- name: "keycloakdb.credentials"
+ name: "keycloakdb-keycloak-owner-user.minimal-postgres.credentials"
 key: "username"
 }
 }
@@ -57,7 +59,7 @@ values: {
 password: {
 valueFrom: {
 secretKeyRef: {
- name: "keycloakdb.credentials"
+ name: "keycloakdb-keycloak-owner-user.minimal-postgres.credentials"
 key: "password"
 }
 }
diff --git a/samples/ha/postgres.yaml b/samples/ha/postgres.yaml
new file mode 100644
index 0000000..06677f2
--- /dev/null
+++ b/samples/ha/postgres.yaml
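Review bot: The secret name `keycloakdb-keycloak-owner-user.minimal-postgres.credentials`, repeated in both `secretKeyRef` hunks, silently ties this sample to the cluster name `minimal-postgres` and to the `keycloakdb`/`keycloak` prepared-database layout of samples/ha/postgres.yaml, and nothing in the file says so; a comment above the first `secretKeyRef` such as `// Secret generated by the Zalando operator for the keycloak schema owner of cluster minimal-postgres (samples/ha/postgres.yaml); keep in sync with that file` would make the dependency visible. Unless the operator's `secret_name_template` has been customised, the name the operator actually generates may carry a longer suffix than the one written here, so it should be verified against the secret the operator creates before this is published as a sample. The new header comment would also read better as `// ! Requires a cluster with Cert manager, Istio & Zalando Postgres operator`. The `username` and `password` blocks sit inside `values:` whose start and end lie outside these hunks.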
@@ -0,0 +1,30 @@
+#####
+#
+# Deploy minimal postgres database
+#
+# kubectl apply -n postgres -f samples/ha/postgres.yaml
+#
+# Required Zalando Postgres operator installed on the cluster
+# https://github.com/zalando/postgres-operator?tab=readme-ov-file
+#
+
+apiVersion: "acid.zalan.do/v1"
+kind: postgresql
+metadata:
+ name: minimal-postgres
+spec:
+ teamId: myorgs
+ spiloFSGroup: 103
+ spiloRunAsGroup: 103
+ spiloRunAsUser: 101
+ volume:
+ size: 1Gi
+ numberOfInstances: 1
+ preparedDatabases:
+ keycloakdb:
+ defaultUsers: false
+ schemas:
+ keycloak:
+ defaultUsers: true
+ postgresql:
+ version: "15"
\ No newline at end of file
diff --git a/samples/minimum/minimum-values.cue b/samples/minimum/minimum-values.cue
new file mode 100644
index 0000000..c6f61c1
--- /dev/null
+++ b/samples/minimum/minimum-values.cue
@@ -0,0 +1,18 @@
+//
+// Keycloak deployment minimum requirdement
+//
+// ! Not for prodution usage, Keycloak configuration is store on an empty directory
+//
+
+@if(!debug)
+
+package main
+
+// Defaults
+values: {
+
+ admin: {
+ password: {value: "admin"}
+ }
+
+}
diff --git a/test/certificate-values.cue b/test/certificate-values.cue
index a4a4e69..7437ccb 100644
--- a/test/certificate-values.cue
+++ b/test/certificate-values.cue
@@ -23,7 +23,7 @@ values: {
 certificate: {
 duration: "2160h0m0s"
 renewBefore: "360h0m0s"
- subject: organizations: ["zelros.com"]
+ subject: organizations: ["myorg.com"]
 privateKey: {
 algorithm: "RSA"
 encoding: "PKCS1"
diff --git a/test/certificate.yaml b/test/certificate.yaml
index 2837602..4c64c37 100644
--- a/test/certificate.yaml
+++ b/test/certificate.yaml
@@ -28,7 +28,7 @@ spec:
 secretName: keycloak-cert
 subject:
 organizations:
- - zelros.com
+ - myorg.com
 ---
 apiVersion: v1
 immutable: true
diff --git a/test/minimum-values.cue b/test/minimum-values.cue
deleted file mode 100644
index e2c1d89..0000000
--- a/test/minimum-values.cue
+++ /dev/null
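Review bot: The header instructs `kubectl apply -n postgres -f samples/ha/postgres.yaml`, but the Keycloak values meant to consume this cluster (samples/ha/postgres-istio-values.cue in the same commit) read the credentials through a `secretKeyRef`, and Secrets are namespace-scoped, so Keycloak has to be released into the same namespace as this cluster — the README installs with `-n keycloak` and test.sh builds with `-n zel-test`, neither of which is `postgres`; the comment should name the namespace Keycloak is expected to run in, or state that the generated credentials Secret has to be made available there. For a file under `samples/ha`, `numberOfInstances: 1` yields a single-instance database with nothing to fail over to; either raise it (`numberOfInstances: 2`) or say in the header that only the Keycloak tier is highly available. The file also ends without a trailing newline (`\ No newline at end of file`).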
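Review bot: `password: {value: "admin"}` ships the admin password as a plaintext literal in the file the README now points first-time users at, while the HA sample in this same commit already takes it from a Secret via `valueFrom: secretKeyRef`; giving the minimum sample the same shape, or at least stating in the header that the value must be replaced before any exposed deployment, would stop copy-paste starting from a well-known password. The header comment has several typos and could read `// Keycloak deployment, minimum requirements` and `// ! Not for production usage: Keycloak state is stored on an empty directory (see README, dev-file database on an empty volume)`.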
@@ -1,12 +0,0 @@
-@if(!debug)
-
-package main
-
-// Defaults
-values: {
-
- admin: {
- password: {value: "admin"}
- }
-
-}
diff --git a/test/minimum.yaml b/test/minimum.yaml
index 24d9dcf..e69de29 100644
--- a/test/minimum.yaml
+++ b/test/minimum.yaml
@@ -1,111 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
- name: test
----
-apiVersion: v1
-kind: Service
-metadata:
- labels:
- app.kubernetes.io/component: web
- app.kubernetes.io/managed-by: timoni
- app.kubernetes.io/name: keycloak
- app.kubernetes.io/version: 0.0.0-devel
- name: keycloak-web
- namespace: test
-spec:
- ports:
- - appProtocol: http
- name: http
- port: 8080
- protocol: TCP
- targetPort: http
- selector:
- app.kubernetes.io/name: keycloak
- type: ClusterIP
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- labels:
- app.kubernetes.io/managed-by: timoni
- app.kubernetes.io/name: keycloak
- app.kubernetes.io/version: 0.0.0-devel
- name: keycloak
- namespace: test
-spec:
- replicas: 1
- selector:
- matchLabels:
- app.kubernetes.io/name: keycloak
- template:
- metadata:
- labels:
- app.kubernetes.io/name: keycloak
- spec:
- containers:
- - command:
- - /opt/keycloak/bin/kc.sh
- - start
- env:
- - name: KC_HEALTH_ENABLED
- value: "true"
- - name: KC_HTTP_ENABLED
- value: "true"
- - name: KC_CACHE
- value: local
- - name: KEYCLOAK_ADMIN
- value: admin
- - name: KEYCLOAK_ADMIN_PASSWORD
- value: admin
- image: quay.io/keycloak/keycloak:23.0@sha256:cff31dc6fbb0ab0b66176b990e6b9e262fa74a501abb9a4bfa4a529cbc8a526a
- imagePullPolicy: IfNotPresent
- livenessProbe:
- failureThreshold: 3
- httpGet:
- path: /health
- port: http
- scheme: HTTP
- periodSeconds: 30
- successThreshold: 1
- timeoutSeconds: 10
- name: keycloak
- ports:
- - containerPort: 8080
- name: http
- protocol: TCP
- readinessProbe:
- failureThreshold: 3
- httpGet:
- path: /health
- port: http
- scheme: HTTP
- periodSeconds: 15
- successThreshold: 1
- timeoutSeconds: 10
- resources:
- requests:
- cpu: 200m
- memory: 768Mi
- securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- privileged: false
- readOnlyRootFilesystem: false
- runAsNonRoot: true
- seccompProfile:
- type: RuntimeDefault
- startupProbe:
- failureThreshold: 30
- httpGet:
- path: /health
- port: http
- scheme: HTTP
- initialDelaySeconds: 30
- periodSeconds: 15
- volumeMounts: []
- serviceAccountName: default
- volumes: []
----
diff --git a/test/production-istio.yaml b/test/postgres-istio.yaml
similarity index 98%
rename from test/production-istio.yaml
rename to test/postgres-istio.yaml
index 98b2dca..e84e706 100644
--- a/test/production-istio.yaml
+++ b/test/postgres-istio.yaml
@@ -288,12 +288,12 @@ spec:
 valueFrom:
 secretKeyRef:
 key: username
- name: keycloakdb.credentials
+ name: keycloakdb-keycloak-owner-user.minimal-postgres.credentials
 - name: KC_DB_PASSWORD
 valueFrom:
 secretKeyRef:
 key: password
- name: keycloakdb.credentials
+ name: keycloakdb-keycloak-owner-user.minimal-postgres.credentials
 - name: KC_PROXY
 value: edge
 - name: KC_HOSTNAME_STRICT
diff --git a/test/test.sh b/test/test.sh
index 5ca29dc..d93bd7a 100755
--- a/test/test.sh
+++ b/test/test.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 echo "minimum-values"
-timoni -n test build keycloak ../ --values ../values.cue --values ./minimum-values.cue > ./minimum.yaml
+timoni -n test build keycloak ../ --values ../values.cue --values ../samples/minimum/minimum-values.cue > ./minimum.yaml
 echo "http-values"
 timoni -n zel-test build keycloak ../ --values ../values.cue --values ./http-values.cue > ./http.yaml
 echo "sa-values"
@@ -18,4 +18,4 @@ timoni -n zel-test build keycloak ../ --values ../values.cue --values ./ingress
 echo "virtual-service-values"
 timoni -n zel-test build keycloak ../ --values ../values.cue --values ./virtualservice-values.cue > ./virtualservice.yaml
 echo "production-istio-values"
-timoni -n zel-test build keycloak ../ --values ../values.cue --values ./production-istio-values.cue > ./production-istio.yaml
+timoni -n zel-test build keycloak ../ --values ../values.cue --values ../samples/ha/postgres-istio-values.cue > ./postgres-istio.yaml
diff --git a/test/virtualservice-values.cue b/test/virtualservice-values.cue
index b10eb6a..9ef41d0 100644
--- a/test/virtualservice-values.cue
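Review bot: The first hunk keeps redirecting the minimum build into `./minimum.yaml`, yet this same commit empties test/minimum.yaml (index `24d9dcf..e69de29`, the 111-line deletion above), so the committed snapshot the script is meant to refresh is now blank and comparing a fresh build against it tells the reviewer nothing until the script is re-run and its output committed. In the second hunk the label `echo "production-istio-values"` still names the old file while the command now reads `../samples/ha/postgres-istio-values.cue` and writes `./postgres-istio.yaml`; change it to `echo "postgres-istio-values"`. The script opens with a bare `#!/bin/bash` and no error handling, so a failing `timoni build` leaves a truncated snapshot and the remaining builds run on; adding `set -euo pipefail` directly under the shebang would surface that. The minimum build also uses `-n test` where every other build in the context lines uses `-n zel-test`, which makes the generated snapshots differ in namespace for no documented reason.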
+++ b/test/virtualservice-values.cue
@@ -19,7 +19,7 @@ values: {
 virtualService: {
 gateways: [{"istio-system/istio-ingressgateway"}]
 hosts: [
- "keycloak.dev.eu.zelros.com",
+ "keycloak.myorg.com",
 ]
 }
diff --git a/test/virtualservice.yaml b/test/virtualservice.yaml
index 075886b..8142b3d 100644
--- a/test/virtualservice.yaml
+++ b/test/virtualservice.yaml
@@ -39,7 +39,7 @@ spec:
 gateways:
 - istio-system/istio-ingressgateway
 hosts:
- - keycloak.dev.eu.zelros.com
+ - keycloak.myorg.com
 http:
 - directResponse:
 status: 403