sa_8001/cmoa_installer_ansible
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

update

Browse Source
This commit is contained in:
havelight-ee
2023-02-06 15:01:53 +09:00
commit 2b70528618
1022 changed files with 119427 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

23
roles/cmoa_install/files/04-keycloak/Chart.yaml Normal file
View File

@@ -0,0 +1,23 @@
apiVersion: v1
appVersion: 4.0.0
description: Modified Authentication Module By EXEM CloudMOA
home: https://www.keycloak.org/
icon: https://www.keycloak.org/resources/images/keycloak_logo_480x108.png
keywords:
- sso
- idm
- openid connect
- saml
- kerberos
- ldap
maintainers:
- email: unguiculus@gmail.com
name: unguiculus
- email: thomas.darimont+github@gmail.com
name: thomasdarimont
name: keycloak
sources:
- https://github.com/codecentric/helm-charts
- https://github.com/jboss-dockerfiles/keycloak
- https://github.com/bitnami/charts/tree/master/bitnami/postgresql
version: 11.0.1

6
roles/cmoa_install/files/04-keycloak/OWNERS Normal file
View File

@@ -0,0 +1,6 @@
approvers:
- unguiculus
- thomasdarimont
reviewers:
- unguiculus
- thomasdarimont

765
roles/cmoa_install/files/04-keycloak/README.md Normal file
View File

@@ -0,0 +1,765 @@
# Keycloak
[Keycloak](http://www.keycloak.org/) is an open source identity and access management for modern applications and services.
## TL;DR;
```console
$ helm install keycloak codecentric/keycloak
```
## Introduction
This chart bootstraps a [Keycloak](http://www.keycloak.org/) StatefulSet on a [Kubernetes](https://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager.
It provisions a fully featured Keycloak installation.
For more information on Keycloak and its capabilities, see its [documentation](http://www.keycloak.org/documentation.html).
## Prerequisites Details
The chart has an optional dependency on the [PostgreSQL](https://github.com/bitnami/charts/tree/master/bitnami/postgresql) chart.
By default, the PostgreSQL chart requires PV support on underlying infrastructure (may be disabled).
## Installing the Chart
To install the chart with the release name `keycloak`:
```console
$ helm install keycloak codecentric/keycloak
```
## Uninstalling the Chart
To uninstall the `keycloak` deployment:
```console
$ helm uninstall keycloak
```
## Configuration
The following table lists the configurable parameters of the Keycloak chart and their default values.
| Parameter | Description | Default |
|---|---|---|
| `fullnameOverride` | Optionally override the fully qualified name | `""` |
| `nameOverride` | Optionally override the name | `""` |
| `replicas` | The number of replicas to create | `1` |
| `image.repository` | The Keycloak image repository | `docker.io/jboss/keycloak` |
| `image.tag` | Overrides the Keycloak image tag whose default is the chart version | `""` |
| `image.pullPolicy` | The Keycloak image pull policy | `IfNotPresent` |
| `imagePullSecrets` | Image pull secrets for the Pod | `[]` |
| `hostAliases` | Mapping between IPs and hostnames that will be injected as entries in the Pod's hosts files | `[]` |
| `enableServiceLinks` | Indicates whether information about services should be injected into Pod's environment variables, matching the syntax of Docker links | `true` |
| `podManagementPolicy` | Pod management policy. One of `Parallel` or `OrderedReady` | `Parallel` |
| `restartPolicy` | Pod restart policy. One of `Always`, `OnFailure`, or `Never` | `Always` |
| `serviceAccount.create` | Specifies whether a ServiceAccount should be created | `true` |
| `serviceAccount.name` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template | `""` |
| `serviceAccount.annotations` | Additional annotations for the ServiceAccount | `{}` |
| `serviceAccount.labels` | Additional labels for the ServiceAccount | `{}` |
| `serviceAccount.imagePullSecrets` | Image pull secrets that are attached to the ServiceAccount | `[]` |
| `rbac.create` | Specifies whether RBAC resources are to be created | `false`
| `rbac.rules` | Custom RBAC rules, e. g. for KUBE_PING | `[]`
| `podSecurityContext` | SecurityContext for the entire Pod. Every container running in the Pod will inherit this SecurityContext. This might be relevant when other components of the environment inject additional containers into running Pods (service meshes are the most prominent example for this) | `{"fsGroup":1000}` |
| `securityContext` | SecurityContext for the Keycloak container | `{"runAsNonRoot":true,"runAsUser":1000}` |
| `extraInitContainers` | Additional init containers, e. g. for providing custom themes | `[]` |
| `extraContainers` | Additional sidecar containers, e. g. for a database proxy, such as Google's cloudsql-proxy | `[]` |
| `lifecycleHooks` | Lifecycle hooks for the Keycloak container | `{}` |
| `terminationGracePeriodSeconds` | Termination grace period in seconds for Keycloak shutdown. Clusters with a large cache might need to extend this to give Infinispan more time to rebalance | `60` |
| `clusterDomain` | The internal Kubernetes cluster domain | `cluster.local` |
| `command` | Overrides the default entrypoint of the Keycloak container | `[]` |
| `args` | Overrides the default args for the Keycloak container | `[]` |
| `extraEnv` | Additional environment variables for Keycloak | `""` |
| `extraEnvFrom` | Additional environment variables for Keycloak mapped from a Secret or ConfigMap | `""` |
| `priorityClassName` | Pod priority class name | `""` |
| `affinity` | Pod affinity | Hard node and soft zone anti-affinity |
| `nodeSelector` | Node labels for Pod assignment | `{}` |
| `tolerations` | Node taints to tolerate | `[]` |
| `podLabels` | Additional Pod labels | `{}` |
| `podAnnotations` | Additional Pod annotations | `{}` |
| `livenessProbe` | Liveness probe configuration | `{"httpGet":{"path":"/health/live","port":"http"},"initialDelaySeconds":300,"timeoutSeconds":5}` |
| `readinessProbe` | Readiness probe configuration | `{"httpGet":{"path":"/auth/realms/master","port":"http"},"initialDelaySeconds":30,"timeoutSeconds":1}` |
| `resources` | Pod resource requests and limits | `{}` |
| `startupScripts` | Startup scripts to run before Keycloak starts up | `{"keycloak.cli":"{{- .Files.Get "scripts/keycloak.cli" \| nindent 2 }}"}` |
| `extraVolumes` | Add additional volumes, e. g. for custom themes | `""` |
| `extraVolumeMounts` | Add additional volumes mounts, e. g. for custom themes | `""` |
| `extraPorts` | Add additional ports, e. g. for admin console or exposing JGroups ports | `[]` |
| `podDisruptionBudget` | Pod disruption budget | `{}` |
| `statefulsetAnnotations` | Annotations for the StatefulSet | `{}` |
| `statefulsetLabels` | Additional labels for the StatefulSet | `{}` |
| `secrets` | Configuration for secrets that should be created | `{}` |
| `service.annotations` | Annotations for headless and HTTP Services | `{}` |
| `service.labels` | Additional labels for headless and HTTP Services | `{}` |
| `service.type` | The Service type | `ClusterIP` |
| `service.loadBalancerIP` | Optional IP for the load balancer. Used for services of type LoadBalancer only | `""` |
| `loadBalancerSourceRanges` | Optional List of allowed source ranges (CIDRs). Used for service of type LoadBalancer only | `[]` |
| `service.httpPort` | The http Service port | `80` |
| `service.httpNodePort` | The HTTP Service node port if type is NodePort | `""` |
| `service.httpsPort` | The HTTPS Service port | `8443` |
| `service.httpsNodePort` | The HTTPS Service node port if type is NodePort | `""` |
| `service.httpManagementPort` | The WildFly management Service port | `8443` |
| `service.httpManagementNodePort` | The WildFly management node port if type is NodePort | `""` |
| `service.extraPorts` | Additional Service ports, e. g. for custom admin console | `[]` |
| `service.sessionAffinity` | sessionAffinity for Service, e. g. "ClientIP" | `""` |
| `service.sessionAffinityConfig` | sessionAffinityConfig for Service | `{}` |
| `ingress.enabled` | If `true`, an Ingress is created | `false` |
| `ingress.rules` | List of Ingress Ingress rule | see below |
| `ingress.rules[0].host` | Host for the Ingress rule | `{{ .Release.Name }}.keycloak.example.com` |
| `ingress.rules[0].paths` | Paths for the Ingress rule | `[/]` |
| `ingress.servicePort` | The Service port targeted by the Ingress | `http` |
| `ingress.annotations` | Ingress annotations | `{}` |
| `ingress.labels` | Additional Ingress labels | `{}` |
| `ingress.tls` | TLS configuration | see below |
| `ingress.tls[0].hosts` | List of TLS hosts | `[keycloak.example.com]` |
| `ingress.tls[0].secretName` | Name of the TLS secret | `""` |
| `ingress.console.enabled` | If `true`, an Ingress for the console is created | `false` |
| `ingress.console.rules` | List of Ingress Ingress rule for the console | see below |
| `ingress.console.rules[0].host` | Host for the Ingress rule for the console | `{{ .Release.Name }}.keycloak.example.com` |
| `ingress.console.rules[0].paths` | Paths for the Ingress rule for the console | `[/auth/admin]` |
| `ingress.console.annotations` | Ingress annotations for the console | `{}` |
| `networkPolicy.enabled` | If true, the ingress network policy is deployed | `false`
| `networkPolicy.extraFrom` | Allows to define allowed external traffic (see Kubernetes doc for network policy `from` format) | `[]`
| `route.enabled` | If `true`, an OpenShift Route is created | `false` |
| `route.path` | Path for the Route | `/` |
| `route.annotations` | Route annotations | `{}` |
| `route.labels` | Additional Route labels | `{}` |
| `route.host` | Host name for the Route | `""` |
| `route.tls.enabled` | If `true`, TLS is enabled for the Route | `true` |
| `route.tls.insecureEdgeTerminationPolicy` | Insecure edge termination policy of the Route. Can be `None`, `Redirect`, or `Allow` | `Redirect` |
| `route.tls.termination` | TLS termination of the route. Can be `edge`, `passthrough`, or `reencrypt` | `edge` |
| `pgchecker.image.repository` | Docker image used to check Postgresql readiness at startup | `docker.io/busybox` |
| `pgchecker.image.tag` | Image tag for the pgchecker image | `1.32` |
| `pgchecker.image.pullPolicy` | Image pull policy for the pgchecker image | `IfNotPresent` |
| `pgchecker.securityContext` | SecurityContext for the pgchecker container | `{"allowPrivilegeEscalation":false,"runAsGroup":1000,"runAsNonRoot":true,"runAsUser":1000}` |
| `pgchecker.resources` | Resource requests and limits for the pgchecker container | `{"limits":{"cpu":"10m","memory":"16Mi"},"requests":{"cpu":"10m","memory":"16Mi"}}` |
| `postgresql.enabled` | If `true`, the Postgresql dependency is enabled | `true` |
| `postgresql.postgresqlUsername` | PostgreSQL User to create | `keycloak` |
| `postgresql.postgresqlPassword` | PostgreSQL Password for the new user | `keycloak` |
| `postgresql.postgresqlDatabase` | PostgreSQL Database to create | `keycloak` |
| `serviceMonitor.enabled` | If `true`, a ServiceMonitor resource for the prometheus-operator is created | `false` |
| `serviceMonitor.namespace` | Optionally sets a target namespace in which to deploy the ServiceMonitor resource | `""` |
| `serviceMonitor.namespaceSelector` | Optionally sets a namespace selector for the ServiceMonitor | `{}` |
| `serviceMonitor.annotations` | Annotations for the ServiceMonitor | `{}` |
| `serviceMonitor.labels` | Additional labels for the ServiceMonitor | `{}` |
| `serviceMonitor.interval` | Interval at which Prometheus scrapes metrics | `10s` |
| `serviceMonitor.scrapeTimeout` | Timeout for scraping | `10s` |
| `serviceMonitor.path` | The path at which metrics are served | `/metrics` |
| `serviceMonitor.port` | The Service port at which metrics are served | `http` |
| `extraServiceMonitor.enabled` | If `true`, an additional ServiceMonitor resource for the prometheus-operator is created. Could be used for additional metrics via [Keycloak Metrics SPI](https://github.com/aerogear/keycloak-metrics-spi) | `false` |
| `extraServiceMonitor.namespace` | Optionally sets a target namespace in which to deploy the additional ServiceMonitor resource | `""` |
| `extraServiceMonitor.namespaceSelector` | Optionally sets a namespace selector for the additional ServiceMonitor | `{}` |
| `extraServiceMonitor.annotations` | Annotations for the additional ServiceMonitor | `{}` |
| `extraServiceMonitor.labels` | Additional labels for the additional ServiceMonitor | `{}` |
| `extraServiceMonitor.interval` | Interval at which Prometheus scrapes metrics | `10s` |
| `extraServiceMonitor.scrapeTimeout` | Timeout for scraping | `10s` |
| `extraServiceMonitor.path` | The path at which metrics are served | `/metrics` |
| `extraServiceMonitor.port` | The Service port at which metrics are served | `http` |
| `prometheusRule.enabled` | If `true`, a PrometheusRule resource for the prometheus-operator is created | `false` |
| `prometheusRule.annotations` | Annotations for the PrometheusRule | `{}` |
| `prometheusRule.labels` | Additional labels for the PrometheusRule | `{}` |
| `prometheusRule.rules` | List of rules for Prometheus | `[]` |
| `autoscaling.enabled` | Enable creation of a HorizontalPodAutoscaler resource | `false` |
| `autoscaling.labels` | Additional labels for the HorizontalPodAutoscaler resource | `{}` |
| `autoscaling.minReplicas` | The minimum number of Pods when autoscaling is enabled | `3` |
| `autoscaling.maxReplicas` | The maximum number of Pods when autoscaling is enabled | `10` |
| `autoscaling.metrics` | The metrics configuration for the HorizontalPodAutoscaler | `[{"resource":{"name":"cpu","target":{"averageUtilization":80,"type":"Utilization"}},"type":"Resource"}]` |
| `autoscaling.behavior` | The scaling policy configuration for the HorizontalPodAutoscaler | `{"scaleDown":{"policies":[{"periodSeconds":300,"type":"Pods","value":1}],"stabilizationWindowSeconds":300}` |
| `test.enabled` | If `true`, test resources are created | `false` |
| `test.image.repository` | The image for the test Pod | `docker.io/unguiculus/docker-python3-phantomjs-selenium` |
| `test.image.tag` | The tag for the test Pod image | `v1` |
| `test.image.pullPolicy` | The image pull policy for the test Pod image | `IfNotPresent` |
| `test.podSecurityContext` | SecurityContext for the entire test Pod | `{"fsGroup":1000}` |
| `test.securityContext` | SecurityContext for the test container | `{"runAsNonRoot":true,"runAsUser":1000}` |
Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example:
```console
$ helm install keycloak codecentric/keycloak -n keycloak --set replicas=1
```
Alternatively, a YAML file that specifies the values for the parameters can be provided while
installing the chart. For example:
```console
$ helm install keycloak codecentric/keycloak -n keycloak --values values.yaml
```
The chart offers great flexibility.
It can be configured to work with the official Keycloak Docker image but any custom image can be used as well.
For the offical Docker image, please check it's configuration at https://github.com/keycloak/keycloak-containers/tree/master/server.
### Usage of the `tpl` Function
The `tpl` function allows us to pass string values from `values.yaml` through the templating engine.
It is used for the following values:
* `extraInitContainers`
* `extraContainers`
* `extraEnv`
* `extraEnvFrom`
* `affinity`
* `extraVolumeMounts`
* `extraVolumes`
* `livenessProbe`
* `readinessProbe`
Additionally, custom labels and annotations can be set on various resources the values of which being passed through `tpl` as well.
It is important that these values be configured as strings.
Otherwise, installation will fail.
See example for Google Cloud Proxy or default affinity configuration in `values.yaml`.
### JVM Settings
Keycloak sets the following system properties by default:
`-Djava.net.preferIPv4Stack=true -Djboss.modules.system.pkgs=$JBOSS_MODULES_SYSTEM_PKGS -Djava.awt.headless=true`
You can override these by setting the `JAVA_OPTS` environment variable.
Make sure you configure container support.
This allows you to only configure memory using Kubernetes resources and the JVM will automatically adapt.
```yaml
extraEnv: |
- name: JAVA_OPTS
value: >-
-XX:+UseContainerSupport
-XX:MaxRAMPercentage=50.0
-Djava.net.preferIPv4Stack=true
-Djboss.modules.system.pkgs=$JBOSS_MODULES_SYSTEM_PKGS
-Djava.awt.headless=true
```
### Database Setup
By default, Bitnami's [PostgreSQL](https://github.com/bitnami/charts/tree/master/bitnami/postgresql) chart is deployed and used as database.
Please refer to this chart for additional PostgreSQL configuration options.
#### Using an External Database
The Keycloak Docker image supports various database types.
Configuration happens in a generic manner.
##### Using a Secret Managed by the Chart
The following examples uses a PostgreSQL database with a secret that is managed by the Helm chart.
```yaml
postgresql:
# Disable PostgreSQL dependency
enabled: false
extraEnv: |
- name: DB_VENDOR
value: postgres
- name: DB_ADDR
value: mypostgres
- name: DB_PORT
value: "5432"
- name: DB_DATABASE
value: mydb
extraEnvFrom: |
- secretRef:
name: '{{ include "keycloak.fullname" . }}-db'
secrets:
db:
stringData:
DB_USER: '{{ .Values.dbUser }}'
DB_PASSWORD: '{{ .Values.dbPassword }}'
```
`dbUser` and `dbPassword` are custom values you'd then specify on the commandline using `--set-string`.
##### Using an Existing Secret
The following examples uses a PostgreSQL database with a secret.
Username and password are mounted as files.
```yaml
postgresql:
# Disable PostgreSQL dependency
enabled: false
extraEnv: |
- name: DB_VENDOR
value: postgres
- name: DB_ADDR
value: mypostgres
- name: DB_PORT
value: "5432"
- name: DB_DATABASE
value: mydb
- name: DB_USER_FILE
value: /secrets/db-creds/user
- name: DB_PASSWORD_FILE
value: /secrets/db-creds/password
extraVolumeMounts: |
- name: db-creds
mountPath: /secrets/db-creds
readOnly: true
extraVolumes: |
- name: db-creds
secret:
secretName: keycloak-db-creds
```
### Creating a Keycloak Admin User
The Keycloak Docker image supports creating an initial admin user.
It must be configured via environment variables:
* `KEYCLOAK_USER` or `KEYCLOAK_USER_FILE`
* `KEYCLOAK_PASSWORD` or `KEYCLOAK_PASSWORD_FILE`
Please refer to the section on database configuration for how to configure a secret for this.
### High Availability and Clustering
For high availability, Keycloak must be run with multiple replicas (`replicas > 1`).
The chart has a helper template (`keycloak.serviceDnsName`) that creates the DNS name based on the headless service.
#### DNS_PING Service Discovery
JGroups discovery via DNS_PING can be configured as follows:
```yaml
extraEnv: |
- name: JGROUPS_DISCOVERY_PROTOCOL
value: dns.DNS_PING
- name: JGROUPS_DISCOVERY_PROPERTIES
value: 'dns_query={{ include "keycloak.serviceDnsName" . }}'
- name: CACHE_OWNERS_COUNT
value: "2"
- name: CACHE_OWNERS_AUTH_SESSIONS_COUNT
value: "2"
```
#### KUBE_PING Service Discovery
Recent versions of Keycloak include a new Kubernetes native [KUBE_PING](https://github.com/jgroups-extras/jgroups-kubernetes) service discovery protocol.
This requires a little more configuration than DNS_PING but can easily be achieved with the Helm chart.
As with DNS_PING some environment variables must be configured as follows:
```yaml
extraEnv: |
- name: JGROUPS_DISCOVERY_PROTOCOL
value: kubernetes.KUBE_PING
- name: KUBERNETES_NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
- name: CACHE_OWNERS_COUNT
value: "2"
- name: CACHE_OWNERS_AUTH_SESSIONS_COUNT
value: "2"
```
However, the Keycloak Pods must also get RBAC permissions to `get` and `list` Pods in the namespace which can be configured as follows:
```yaml
rbac:
create: true
rules:
- apiGroups:
- ""
resources:
- pods
verbs:
- get
- list
```
#### Autoscaling
Due to the caches in Keycloak only replicating to a few nodes (two in the example configuration above) and the limited controls around autoscaling built into Kubernetes, it has historically been problematic to autoscale Keycloak.
However, in Kubernetes 1.18 [additional controls were introduced](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/#support-for-configurable-scaling-behavior) which make it possible to scale down in a more controlled manner.
The example autoscaling configuration in the values file scales from three up to a maximum of ten Pods using CPU utilization as the metric. Scaling up is done as quickly as required but scaling down is done at a maximum rate of one Pod per five minutes.
Autoscaling can be enabled as follows:
```yaml
autoscaling:
enabled: true
```
KUBE_PING service discovery seems to be the most reliable mechanism to use when enabling autoscaling, due to being faster than DNS_PING at detecting changes in the cluster.
### Running Keycloak Behind a Reverse Proxy
When running Keycloak behind a reverse proxy, which is the case when using an ingress controller,
proxy address forwarding must be enabled as follows:
```yaml
extraEnv: |
- name: PROXY_ADDRESS_FORWARDING
value: "true"
```
### Providing a Custom Theme
One option is certainly to provide a custom Keycloak image that includes the theme.
However, if you prefer to stick with the official Keycloak image, you can use an init container as theme provider.
Create your own theme and package it up into a Docker image.
```docker
FROM busybox
COPY mytheme /mytheme
```
In combination with an `emptyDir` that is shared with the Keycloak container, configure an init container that runs your theme image and copies the theme over to the right place where Keycloak will pick it up automatically.
```yaml
extraInitContainers: |
- name: theme-provider
image: myuser/mytheme:1
imagePullPolicy: IfNotPresent
command:
- sh
args:
- -c
- |
echo "Copying theme..."
cp -R /mytheme/* /theme
volumeMounts:
- name: theme
mountPath: /theme
extraVolumeMounts: |
- name: theme
mountPath: /opt/jboss/keycloak/themes/mytheme
extraVolumes: |
- name: theme
emptyDir: {}
```
### Setting a Custom Realm
A realm can be added by creating a secret or configmap for the realm json file and then supplying this into the chart.
It can be mounted using `extraVolumeMounts` and then referenced as environment variable `KEYCLOAK_IMPORT`.
First we need to create a Secret from the realm JSON file using `kubectl create secret generic realm-secret --from-file=realm.json` which we need to reference in `values.yaml`:
```yaml
extraVolumes: |
- name: realm-secret
secret:
secretName: realm-secret
extraVolumeMounts: |
- name: realm-secret
mountPath: "/realm/"
readOnly: true
extraEnv: |
- name: KEYCLOAK_IMPORT
value: /realm/realm.json
```
Alternatively, the realm file could be added to a custom image.
After startup the web admin console for the realm should be available on the path /auth/admin/\<realm name>/console/.
### Using Google Cloud SQL Proxy
Depending on your environment you may need a local proxy to connect to the database.
This is, e. g., the case for Google Kubernetes Engine when using Google Cloud SQL.
Create the secret for the credentials as documented [here](https://cloud.google.com/sql/docs/postgres/connect-kubernetes-engine) and configure the proxy as a sidecar.
Because `extraContainers` is a string that is passed through the `tpl` function, it is possible to create custom values and use them in the string.
```yaml
postgresql:
# Disable PostgreSQL dependency
enabled: false
# Custom values for Google Cloud SQL
cloudsql:
project: my-project
region: europe-west1
instance: my-instance
extraContainers: |
- name: cloudsql-proxy
image: gcr.io/cloudsql-docker/gce-proxy:1.17
command:
- /cloud_sql_proxy
args:
- -instances={{ .Values.cloudsql.project }}:{{ .Values.cloudsql.region }}:{{ .Values.cloudsql.instance }}=tcp:5432
- -credential_file=/secrets/cloudsql/credentials.json
volumeMounts:
- name: cloudsql-creds
mountPath: /secrets/cloudsql
readOnly: true
extraVolumes: |
- name: cloudsql-creds
secret:
secretName: cloudsql-instance-credentials
extraEnv: |
- name: DB_VENDOR
value: postgres
- name: DB_ADDR
value: "127.0.0.1"
- name: DB_PORT
value: "5432"
- name: DB_DATABASE
value: postgres
- name: DB_USER
value: myuser
- name: DB_PASSWORD
value: mypassword
```
### Changing the Context Path
By default, Keycloak is served under context `/auth`.
This can be changed as follows:
```yaml
contextPath: mycontext
startupScripts:
# cli script that reconfigures WildFly
contextPath.cli: |
embed-server --server-config=standalone-ha.xml --std-out=echo
batch
{{- if ne .Values.contextPath "auth" }}
/subsystem=keycloak-server/:write-attribute(name=web-context,value={{ if eq .Values.contextPath "" }}/{{ else }}{{ .Values.contextPath }}{{ end }})
{{- if eq .Values.contextPath "" }}
/subsystem=undertow/server=default-server/host=default-host:write-attribute(name=default-web-module,value=keycloak-server.war)
{{- end }}
{{- end }}
run-batch
stop-embedded-server
livenessProbe: |
httpGet:
path: {{ if ne .Values.contextPath "" }}/{{ .Values.contextPath }}{{ end }}/
port: http
initialDelaySeconds: 300
timeoutSeconds: 5
readinessProbe: |
httpGet:
path: {{ if ne .Values.contextPath "" }}/{{ .Values.contextPath }}{{ end }}/realms/master
port: http
initialDelaySeconds: 30
timeoutSeconds: 1
```
The above YAML references introduces the custom value `contextPath` which is possible because `startupScripts`, `livenessProbe`, and `readinessProbe` are templated using the `tpl` function.
Note that it must not start with a slash.
Alternatively, you may supply it via CLI flag:
```console
--set-string contextPath=mycontext
```
### Prometheus Metrics Support
#### WildFly Metrics
WildFly can expose metrics on the management port.
In order to achieve this, the environment variable `KEYCLOAK_STATISTICS` must be set.
```yaml
extraEnv: |
- name: KEYCLOAK_STATISTICS
value: all
```
Add a ServiceMonitor if using prometheus-operator:
```yaml
serviceMonitor:
# If `true`, a ServiceMonitor resource for the prometheus-operator is created
enabled: true
```
Checkout `values.yaml` for customizing the ServiceMonitor and for adding custom Prometheus rules.
Add annotations if you don't use prometheus-operator:
```yaml
service:
annotations:
prometheus.io/scrape: "true"
prometheus.io/port: "9990"
```
#### Keycloak Metrics SPI
Optionally, it is possible to add [Keycloak Metrics SPI](https://github.com/aerogear/keycloak-metrics-spi) via init container.
A separate `ServiceMonitor` can be enabled to scrape metrics from the SPI:
```yaml
extraServiceMonitor:
# If `true`, an additional ServiceMonitor resource for the prometheus-operator is created
enabled: true
```
Checkout `values.yaml` for customizing this ServiceMonitor.
Note that the metrics endpoint is exposed on the HTTP port.
You may want to restrict access to it in your ingress controller configuration.
For ingress-nginx, this could be done as follows:
```yaml
annotations:
nginx.ingress.kubernetes.io/server-snippet: |
location ~* /auth/realms/[^/]+/metrics {
return 403;
}
```
## Why StatefulSet?
The chart sets node identifiers to the system property `jboss.node.name` which is in fact the pod name.
Node identifiers must not be longer than 23 characters.
This can be problematic because pod names are quite long.
We would have to truncate the chart's fullname to six characters because pods get a 17-character suffix (e. g. `-697f8b7655-mf5ht`).
Using a StatefulSet allows us to truncate to 20 characters leaving room for up to 99 replicas, which is much better.
Additionally, we get stable values for `jboss.node.name` which can be advantageous for cluster discovery.
The headless service that governs the StatefulSet is used for DNS discovery via DNS_PING.
## Upgrading
### From chart < 10.0.0
* Keycloak is updated to 12.0.4
The upgrade should be seemless.
No special care has to be taken.
### From chart versions < 9.0.0
The Keycloak chart received a major facelift and, thus, comes with breaking changes.
Opinionated stuff and things that are now baked into Keycloak's Docker image were removed.
Configuration is more generic making it easier to use custom Docker images that are configured differently than the official one.
* Values are no longer nested under `keycloak`.
* Besides setting the node identifier, no CLI changes are performed out of the box
* Environment variables for the Postresql dependency are set automatically if enabled.
Otherwise, no environment variables are set by default.
* Optionally enables creating RBAC resources with configurable rules (e. g. for KUBE_PING)
* PostgreSQL chart dependency is updated to 9.1.1
### From chart versions < 8.0.0
* Keycloak is updated to 10.0.0
* PostgreSQL chart dependency is updated to 8.9.5
The upgrade should be seemless.
No special care has to be taken.
### From chart versions < 7.0.0
Version 7.0.0 update breaks backwards-compatibility with the existing `keycloak.persistence.existingSecret` scheme.
#### Changes in Configuring Database Credentials from an Existing Secret
Both `DB_USER` and `DB_PASS` are always read from a Kubernetes Secret.
This is a requirement if you are provisioning database credentials dynamically - either via an Operator or some secret-management engine.
The variable referencing the password key name has been renamed from `keycloak.persistence.existingSecretKey` to `keycloak.persistence.existingSecretPasswordKey`
A new, optional variable for referencing the username key name for populating the `DB_USER` env has been added:
`keycloak.persistence.existingSecretUsernameKey`.
If `keycloak.persistence.existingSecret` is left unset, a new Secret will be provisioned populated with the `dbUser` and `dbPassword` Helm variables.
###### Example configuration:
```yaml
keycloak:
persistence:
existingSecret: keycloak-provisioned-db-credentials
existingSecretPasswordKey: PGPASSWORD
existingSecretUsernameKey: PGUSER
...
```
### From chart versions < 6.0.0
#### Changes in Probe Configuration
Now both readiness and liveness probes are configured as strings that are then passed through the `tpl` function.
This allows for greater customizability of the readiness and liveness probes.
The defaults are unchanged, but since 6.0.0 configured as follows:
```yaml
livenessProbe: |
httpGet:
path: {{ if ne .Values.keycloak.basepath "" }}/{{ .Values.keycloak.basepath }}{{ end }}/
port: http
initialDelaySeconds: 300
timeoutSeconds: 5
readinessProbe: |
httpGet:
path: {{ if ne .Values.keycloak.basepath "" }}/{{ .Values.keycloak.basepath }}{{ end }}/realms/master
port: http
initialDelaySeconds: 30
timeoutSeconds: 1
```
#### Changes in Existing Secret Configuration
This can be useful if you create a secret in a parent chart and want to reference that secret.
Applies to `keycloak.existingSecret` and `keycloak.persistence.existingSecret`.
_`values.yaml` of parent chart:_
```yaml
keycloak:
keycloak:
existingSecret: '{{ .Release.Name }}-keycloak-secret'
```
#### HTTPS Port Added
The HTTPS port was added to the pod and to the services.
As a result, service ports are now configured differently.
### From chart versions < 5.0.0
Version 5.0.0 is a major update.
* The chart now follows the new Kubernetes label recommendations:
https://kubernetes.io/docs/concepts/overview/working-with-objects/common-labels/
* Several changes to the StatefulSet render an out-of-the-box upgrade impossible because StatefulSets only allow updates to a limited set of fields
* The chart uses the new support for running scripts at startup that has been added to Keycloak's Docker image.
If you use this feature, you will have to adjust your configuration
However, with the following manual steps an automatic upgrade is still possible:
1. Adjust chart configuration as necessary (e. g. startup scripts)
1. Perform a non-cascading deletion of the StatefulSet which keeps the pods running
1. Add the new labels to the pods
1. Run `helm upgrade`
Use a script like the following to add labels and to delete the StatefulSet:
```console
#!/bin/sh
release=<release>
namespace=<release_namespace>
kubectl delete statefulset -n "$namespace" -l app=keycloak -l release="$release" --cascade=false
kubectl label pod -n "$namespace" -l app=keycloak -l release="$release" app.kubernetes.io/name=keycloak
kubectl label pod -n "$namespace" -l app=keycloak -l release="$release" app.kubernetes.io/instance="$release"
```
**NOTE:** Version 5.0.0 also updates the Postgresql dependency which has received a major upgrade as well.
In case you use this dependency, the database must be upgraded first.
Please refer to the Postgresql chart's upgrading section in its README for instructions.

21
roles/cmoa_install/files/04-keycloak/charts/postgresql/.helmignore Normal file
View File

@@ -0,0 +1,21 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*~
# Various IDEs
.project
.idea/
*.tmproj

24
roles/cmoa_install/files/04-keycloak/charts/postgresql/Chart.yaml Normal file
View File

@@ -0,0 +1,24 @@
annotations:
category: Database
apiVersion: v1
appVersion: 11.8.0
description: Chart for PostgreSQL, an object-relational database management system
(ORDBMS) with an emphasis on extensibility and on standards-compliance.
home: https://www.postgresql.org/
icon: https://bitnami.com/assets/stacks/postgresql/img/postgresql-stack-110x117.png
keywords:
- postgresql
- postgres
- database
- sql
- replication
- cluster
maintainers:
- email: containers@bitnami.com
name: Bitnami
- email: cedric@desaintmartin.fr
name: desaintmartin
name: postgresql
sources:
- https://github.com/bitnami/bitnami-docker-postgresql
version: 9.1.1

625
roles/cmoa_install/files/04-keycloak/charts/postgresql/README.md Normal file
View File

@@ -0,0 +1,625 @@
# PostgreSQL
[PostgreSQL](https://www.postgresql.org/) is an object-relational database management system (ORDBMS) with an emphasis on extensibility and on standards-compliance.
For HA, please see [this repo](https://github.com/bitnami/charts/tree/master/bitnami/postgresql-ha)
## TL;DR;
```console
$ helm repo add bitnami https://charts.bitnami.com/bitnami
$ helm install my-release bitnami/postgresql
```
## Introduction
This chart bootstraps a [PostgreSQL](https://github.com/bitnami/bitnami-docker-postgresql) deployment on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager.
Bitnami charts can be used with [Kubeapps](https://kubeapps.com/) for deployment and management of Helm Charts in clusters. This chart has been tested to work with NGINX Ingress, cert-manager, fluentd and Prometheus on top of the [BKPR](https://kubeprod.io/).
## Prerequisites
- Kubernetes 1.12+
- Helm 2.12+ or Helm 3.0-beta3+
- PV provisioner support in the underlying infrastructure
## Installing the Chart
To install the chart with the release name `my-release`:
```console
$ helm install my-release bitnami/postgresql
```
The command deploys PostgreSQL on the Kubernetes cluster in the default configuration. The [Parameters](#parameters) section lists the parameters that can be configured during installation.
> **Tip**: List all releases using `helm list`
## Uninstalling the Chart
To uninstall/delete the `my-release` deployment:
```console
$ helm delete my-release
```
The command removes all the Kubernetes components but PVC's associated with the chart and deletes the release.
To delete the PVC's associated with `my-release`:
```console
$ kubectl delete pvc -l release=my-release
```
> **Note**: Deleting the PVC's will delete postgresql data as well. Please be cautious before doing it.
## Parameters
The following tables lists the configurable parameters of the PostgreSQL chart and their default values.
| Parameter | Description | Default |
|-----------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------|
| `global.imageRegistry` | Global Docker Image registry | `nil` |
| `global.postgresql.postgresqlDatabase` | PostgreSQL database (overrides `postgresqlDatabase`) | `nil` |
| `global.postgresql.postgresqlUsername` | PostgreSQL username (overrides `postgresqlUsername`) | `nil` |
| `global.postgresql.existingSecret` | Name of existing secret to use for PostgreSQL passwords (overrides `existingSecret`) | `nil` |
| `global.postgresql.postgresqlPassword` | PostgreSQL admin password (overrides `postgresqlPassword`) | `nil` |
| `global.postgresql.servicePort` | PostgreSQL port (overrides `service.port`) | `nil` |
| `global.postgresql.replicationPassword` | Replication user password (overrides `replication.password`) | `nil` |
| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` (does not add image pull secrets to deployed pods) |
| `global.storageClass` | Global storage class for dynamic provisioning | `nil` |
| `image.registry` | PostgreSQL Image registry | `docker.io` |
| `image.repository` | PostgreSQL Image name | `bitnami/postgresql` |
| `image.tag` | PostgreSQL Image tag | `{TAG_NAME}` |
| `image.pullPolicy` | PostgreSQL Image pull policy | `IfNotPresent` |
| `image.pullSecrets` | Specify Image pull secrets | `nil` (does not add image pull secrets to deployed pods) |
| `image.debug` | Specify if debug values should be set | `false` |
| `nameOverride` | String to partially override postgresql.fullname template with a string (will prepend the release name) | `nil` |
| `fullnameOverride` | String to fully override postgresql.fullname template with a string | `nil` |
| `volumePermissions.enabled` | Enable init container that changes volume permissions in the data directory (for cases where the default k8s `runAsUser` and `fsUser` values do not work) | `false` |
| `volumePermissions.image.registry` | Init container volume-permissions image registry | `docker.io` |
| `volumePermissions.image.repository` | Init container volume-permissions image name | `bitnami/minideb` |
| `volumePermissions.image.tag` | Init container volume-permissions image tag | `buster` |
| `volumePermissions.image.pullPolicy` | Init container volume-permissions image pull policy | `Always` |
| `volumePermissions.securityContext.runAsUser` | User ID for the init container (when facing issues in OpenShift or uid unknown, try value "auto") | `0` |
| `usePasswordFile` | Have the secrets mounted as a file instead of env vars | `false` |
| `ldap.enabled` | Enable LDAP support | `false` |
| `ldap.existingSecret` | Name of existing secret to use for LDAP passwords | `nil` |
| `ldap.url` | LDAP URL beginning in the form `ldap[s]://host[:port]/basedn[?[attribute][?[scope][?[filter]]]]` | `nil` |
| `ldap.server` | IP address or name of the LDAP server. | `nil` |
| `ldap.port` | Port number on the LDAP server to connect to | `nil` |
| `ldap.scheme` | Set to `ldaps` to use LDAPS. | `nil` |
| `ldap.tls` | Set to `1` to use TLS encryption | `nil` |
| `ldap.prefix` | String to prepend to the user name when forming the DN to bind | `nil` |
| `ldap.suffix` | String to append to the user name when forming the DN to bind | `nil` |
| `ldap.search_attr` | Attribute to match agains the user name in the search | `nil` |
| `ldap.search_filter` | The search filter to use when doing search+bind authentication | `nil` |
| `ldap.baseDN` | Root DN to begin the search for the user in | `nil` |
| `ldap.bindDN` | DN of user to bind to LDAP | `nil` |
| `ldap.bind_password` | Password for the user to bind to LDAP | `nil` |
| `replication.enabled` | Enable replication | `false` |
| `replication.user` | Replication user | `repl_user` |
| `replication.password` | Replication user password | `repl_password` |
| `replication.slaveReplicas` | Number of slaves replicas | `1` |
| `replication.synchronousCommit` | Set synchronous commit mode. Allowed values: `on`, `remote_apply`, `remote_write`, `local` and `off` | `off` |
| `replication.numSynchronousReplicas` | Number of replicas that will have synchronous replication. Note: Cannot be greater than `replication.slaveReplicas`. | `0` |
| `replication.applicationName` | Cluster application name. Useful for advanced replication settings | `my_application` |
| `existingSecret` | Name of existing secret to use for PostgreSQL passwords. The secret has to contain the keys `postgresql-postgres-password` which is the password for `postgresqlUsername` when it is different of `postgres`, `postgresql-password` which will override `postgresqlPassword`, `postgresql-replication-password` which will override `replication.password` and `postgresql-ldap-password` which will be sed to authenticate on LDAP. The value is evaluated as a template. | `nil` |
| `postgresqlPostgresPassword` | PostgreSQL admin password (used when `postgresqlUsername` is not `postgres`, in which case`postgres` is the admin username). | _random 10 character alphanumeric string_ |
| `postgresqlUsername` | PostgreSQL user (creates a non-admin user when `postgresqlUsername` is not `postgres`) | `postgres` |
| `postgresqlPassword` | PostgreSQL user password | _random 10 character alphanumeric string_ |
| `postgresqlDatabase` | PostgreSQL database | `nil` |
| `postgresqlDataDir` | PostgreSQL data dir folder | `/bitnami/postgresql` (same value as persistence.mountPath) |
| `extraEnv` | Any extra environment variables you would like to pass on to the pod. The value is evaluated as a template. | `[]` |
| `extraEnvVarsCM` | Name of a Config Map containing extra environment variables you would like to pass on to the pod. The value is evaluated as a template. | `nil` |
| `postgresqlInitdbArgs` | PostgreSQL initdb extra arguments | `nil` |
| `postgresqlInitdbWalDir` | PostgreSQL location for transaction log | `nil` |
| `postgresqlConfiguration` | Runtime Config Parameters | `nil` |
| `postgresqlExtendedConf` | Extended Runtime Config Parameters (appended to main or default configuration) | `nil` |
| `pgHbaConfiguration` | Content of pg_hba.conf | `nil (do not create pg_hba.conf)` |
| `configurationConfigMap` | ConfigMap with the PostgreSQL configuration files (Note: Overrides `postgresqlConfiguration` and `pgHbaConfiguration`). The value is evaluated as a template. | `nil` |
| `extendedConfConfigMap` | ConfigMap with the extended PostgreSQL configuration files. The value is evaluated as a template. | `nil` |
| `initdbScripts` | Dictionary of initdb scripts | `nil` |
| `initdbUser` | PostgreSQL user to execute the .sql and sql.gz scripts | `nil` |
| `initdbPassword` | Password for the user specified in `initdbUser` | `nil` |
| `initdbScriptsConfigMap` | ConfigMap with the initdb scripts (Note: Overrides `initdbScripts`). The value is evaluated as a template. | `nil` |
| `initdbScriptsSecret` | Secret with initdb scripts that contain sensitive information (Note: can be used with `initdbScriptsConfigMap` or `initdbScripts`). The value is evaluated as a template. | `nil` |
| `service.type` | Kubernetes Service type | `ClusterIP` |
| `service.port` | PostgreSQL port | `5432` |
| `service.nodePort` | Kubernetes Service nodePort | `nil` |
| `service.annotations` | Annotations for PostgreSQL service | `{}` (evaluated as a template) |
| `service.loadBalancerIP` | loadBalancerIP if service type is `LoadBalancer` | `nil` |
| `service.loadBalancerSourceRanges` | Address that are allowed when svc is LoadBalancer | `[]` (evaluated as a template) |
| `schedulerName` | Name of the k8s scheduler (other than default) | `nil` |
| `shmVolume.enabled` | Enable emptyDir volume for /dev/shm for master and slave(s) Pod(s) | `true` |
| `shmVolume.chmod.enabled` | Run at init chmod 777 of the /dev/shm (ignored if `volumePermissions.enabled` is `false`) | `true` |
| `persistence.enabled` | Enable persistence using PVC | `true` |
| `persistence.existingClaim` | Provide an existing `PersistentVolumeClaim`, the value is evaluated as a template. | `nil` |
| `persistence.mountPath` | Path to mount the volume at | `/bitnami/postgresql` |
| `persistence.subPath` | Subdirectory of the volume to mount at | `""` |
| `persistence.storageClass` | PVC Storage Class for PostgreSQL volume | `nil` |
| `persistence.accessModes` | PVC Access Mode for PostgreSQL volume | `[ReadWriteOnce]` |
| `persistence.size` | PVC Storage Request for PostgreSQL volume | `8Gi` |
| `persistence.annotations` | Annotations for the PVC | `{}` |
| `commonAnnotations` | Annotations to be added to all deployed resources (rendered as a template) | `{}` |
| `master.nodeSelector` | Node labels for pod assignment (postgresql master) | `{}` |
| `master.affinity` | Affinity labels for pod assignment (postgresql master) | `{}` |
| `master.tolerations` | Toleration labels for pod assignment (postgresql master) | `[]` |
| `master.anotations` | Map of annotations to add to the statefulset (postgresql master) | `{}` |
| `master.labels` | Map of labels to add to the statefulset (postgresql master) | `{}` |
| `master.podAnnotations` | Map of annotations to add to the pods (postgresql master) | `{}` |
| `master.podLabels` | Map of labels to add to the pods (postgresql master) | `{}` |
| `master.priorityClassName` | Priority Class to use for each pod (postgresql master) | `nil` |
| `master.extraInitContainers` | Additional init containers to add to the pods (postgresql master) | `[]` |
| `master.extraVolumeMounts` | Additional volume mounts to add to the pods (postgresql master) | `[]` |
| `master.extraVolumes` | Additional volumes to add to the pods (postgresql master) | `[]` |
| `master.sidecars` | Add additional containers to the pod | `[]` |
| `master.service.type` | Allows using a different service type for Master | `nil` |
| `master.service.nodePort` | Allows using a different nodePort for Master | `nil` |
| `master.service.clusterIP` | Allows using a different clusterIP for Master | `nil` |
| `slave.nodeSelector` | Node labels for pod assignment (postgresql slave) | `{}` |
| `slave.affinity` | Affinity labels for pod assignment (postgresql slave) | `{}` |
| `slave.tolerations` | Toleration labels for pod assignment (postgresql slave) | `[]` |
| `slave.anotations` | Map of annotations to add to the statefulsets (postgresql slave) | `{}` |
| `slave.labels` | Map of labels to add to the statefulsets (postgresql slave) | `{}` |
| `slave.podAnnotations` | Map of annotations to add to the pods (postgresql slave) | `{}` |
| `slave.podLabels` | Map of labels to add to the pods (postgresql slave) | `{}` |
| `slave.priorityClassName` | Priority Class to use for each pod (postgresql slave) | `nil` |
| `slave.extraInitContainers` | Additional init containers to add to the pods (postgresql slave) | `[]` |
| `slave.extraVolumeMounts` | Additional volume mounts to add to the pods (postgresql slave) | `[]` |
| `slave.extraVolumes` | Additional volumes to add to the pods (postgresql slave) | `[]` |
| `slave.sidecars` | Add additional containers to the pod | `[]` |
| `slave.service.type` | Allows using a different service type for Slave | `nil` |
| `slave.service.nodePort` | Allows using a different nodePort for Slave | `nil` |
| `slave.service.clusterIP` | Allows using a different clusterIP for Slave | `nil` |
| `terminationGracePeriodSeconds` | Seconds the pod needs to terminate gracefully | `nil` |
| `resources` | CPU/Memory resource requests/limits | Memory: `256Mi`, CPU: `250m` |
| `securityContext.enabled` | Enable security context | `true` |
| `securityContext.fsGroup` | Group ID for the container | `1001` |
| `securityContext.runAsUser` | User ID for the container | `1001` |
| `serviceAccount.enabled` | Enable service account (Note: Service Account will only be automatically created if `serviceAccount.name` is not set) | `false` |
| `serviceAccount.name` | Name of existing service account | `nil` |
| `livenessProbe.enabled` | Would you like a livenessProbe to be enabled | `true` |
| `networkPolicy.enabled` | Enable NetworkPolicy | `false` |
| `networkPolicy.allowExternal` | Don't require client label for connections | `true` |
| `networkPolicy.explicitNamespacesSelector` | A Kubernetes LabelSelector to explicitly select namespaces from which ingress traffic could be allowed | `{}` |
| `livenessProbe.initialDelaySeconds` | Delay before liveness probe is initiated | 30 |
| `livenessProbe.periodSeconds` | How often to perform the probe | 10 |
| `livenessProbe.timeoutSeconds` | When the probe times out | 5 |
| `livenessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | 6 |
| `livenessProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed | 1 |
| `readinessProbe.enabled` | would you like a readinessProbe to be enabled | `true` |
| `readinessProbe.initialDelaySeconds` | Delay before readiness probe is initiated | 5 |
| `readinessProbe.periodSeconds` | How often to perform the probe | 10 |
| `readinessProbe.timeoutSeconds` | When the probe times out | 5 |
| `readinessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | 6 |
| `readinessProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed | 1 |
| `tls.enabled` | Enable TLS traffic support | `false` |
| `tls.preferServerCiphers` | Whether to use the server's TLS cipher preferences rather than the client's | `true` |
| `tls.certificatesSecret` | Name of an existing secret that contains the certificates | `nil` |
| `tls.certFilename` | Certificate filename | `""` |
| `tls.certKeyFilename` | Certificate key filename | `""` |
| `tls.certCAFilename` | CA Certificate filename. If provided, PostgreSQL will authenticate TLS/SSL clients by requesting them a certificate. |`nil` |
| `tls.crlFilename` | File containing a Certificate Revocation List |`nil` |
| `metrics.enabled` | Start a prometheus exporter | `false` |
| `metrics.service.type` | Kubernetes Service type | `ClusterIP` |
| `service.clusterIP` | Static clusterIP or None for headless services | `nil` |
| `metrics.service.annotations` | Additional annotations for metrics exporter pod | `{ prometheus.io/scrape: "true", prometheus.io/port: "9187"}` |
| `metrics.service.loadBalancerIP` | loadBalancerIP if redis metrics service type is `LoadBalancer` | `nil` |
| `metrics.serviceMonitor.enabled` | Set this to `true` to create ServiceMonitor for Prometheus operator | `false` |
| `metrics.serviceMonitor.additionalLabels` | Additional labels that can be used so ServiceMonitor will be discovered by Prometheus | `{}` |
| `metrics.serviceMonitor.namespace` | Optional namespace in which to create ServiceMonitor | `nil` |
| `metrics.serviceMonitor.interval` | Scrape interval. If not set, the Prometheus default scrape interval is used | `nil` |
| `metrics.serviceMonitor.scrapeTimeout` | Scrape timeout. If not set, the Prometheus default scrape timeout is used | `nil` |
| `metrics.prometheusRule.enabled` | Set this to true to create prometheusRules for Prometheus operator | `false` |
| `metrics.prometheusRule.additionalLabels` | Additional labels that can be used so prometheusRules will be discovered by Prometheus | `{}` |
| `metrics.prometheusRule.namespace` | namespace where prometheusRules resource should be created | the same namespace as postgresql |
| `metrics.prometheusRule.rules` | [rules](https://prometheus.io/docs/prometheus/latest/configuration/alerting_rules/) to be created, check values for an example. | `[]` |
| `metrics.image.registry` | PostgreSQL Exporter Image registry | `docker.io` |
| `metrics.image.repository` | PostgreSQL Exporter Image name | `bitnami/postgres-exporter` |
| `metrics.image.tag` | PostgreSQL Exporter Image tag | `{TAG_NAME}` |
| `metrics.image.pullPolicy` | PostgreSQL Exporter Image pull policy | `IfNotPresent` |
| `metrics.image.pullSecrets` | Specify Image pull secrets | `nil` (does not add image pull secrets to deployed pods) |
| `metrics.customMetrics` | Additional custom metrics | `nil` |
| `metrics.extraEnvVars` | Extra environment variables to add to exporter | `{}` (evaluated as a template) |
| `metrics.securityContext.enabled` | Enable security context for metrics | `false` |
| `metrics.securityContext.runAsUser` | User ID for the container for metrics | `1001` |
| `metrics.livenessProbe.initialDelaySeconds` | Delay before liveness probe is initiated | 30 |
| `metrics.livenessProbe.periodSeconds` | How often to perform the probe | 10 |
| `metrics.livenessProbe.timeoutSeconds` | When the probe times out | 5 |
| `metrics.livenessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | 6 |
| `metrics.livenessProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed | 1 |
| `metrics.readinessProbe.enabled` | would you like a readinessProbe to be enabled | `true` |
| `metrics.readinessProbe.initialDelaySeconds` | Delay before liveness probe is initiated | 5 |
| `metrics.readinessProbe.periodSeconds` | How often to perform the probe | 10 |
| `metrics.readinessProbe.timeoutSeconds` | When the probe times out | 5 |
| `metrics.readinessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | 6 |
| `metrics.readinessProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed | 1 |
| `updateStrategy` | Update strategy policy | `{type: "RollingUpdate"}` |
| `psp.create` | Create Pod Security Policy | `false` |
| `rbac.create` | Create Role and RoleBinding (required for PSP to work) | `false` |
Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example,
```console
$ helm install my-release \
--set postgresqlPassword=secretpassword,postgresqlDatabase=my-database \
bitnami/postgresql
```
The above command sets the PostgreSQL `postgres` account password to `secretpassword`. Additionally it creates a database named `my-database`.
Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example,
```console
$ helm install my-release -f values.yaml bitnami/postgresql
```
> **Tip**: You can use the default [values.yaml](values.yaml)
## Configuration and installation details
### [Rolling VS Immutable tags](https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/)
It is strongly recommended to use immutable tags in a production environment. This ensures your deployment does not change automatically if the same tag is updated with a different image.
Bitnami will release a new chart updating its containers if a new version of the main container, significant changes, or critical vulnerabilities exist.
### Production configuration and horizontal scaling
This chart includes a `values-production.yaml` file where you can find some parameters oriented to production configuration in comparison to the regular `values.yaml`. You can use this file instead of the default one.
- Enable replication:
```diff
- replication.enabled: false
+ replication.enabled: true
```
- Number of slaves replicas:
```diff
- replication.slaveReplicas: 1
+ replication.slaveReplicas: 2
```
- Set synchronous commit mode:
```diff
- replication.synchronousCommit: "off"
+ replication.synchronousCommit: "on"
```
- Number of replicas that will have synchronous replication:
```diff
- replication.numSynchronousReplicas: 0
+ replication.numSynchronousReplicas: 1
```
- Start a prometheus exporter:
```diff
- metrics.enabled: false
+ metrics.enabled: true
```
To horizontally scale this chart, you can use the `--replicas` flag to modify the number of nodes in your PostgreSQL deployment. Also you can use the `values-production.yaml` file or modify the parameters shown above.
### Customizing Master and Slave services in a replicated configuration
At the top level, there is a service object which defines the services for both master and slave. For deeper customization, there are service objects for both the master and slave types individually. This allows you to override the values in the top level service object so that the master and slave can be of different service types and with different clusterIPs / nodePorts. Also in the case you want the master and slave to be of type nodePort, you will need to set the nodePorts to different values to prevent a collision. The values that are deeper in the master.service or slave.service objects will take precedence over the top level service object.
### Change PostgreSQL version
To modify the PostgreSQL version used in this chart you can specify a [valid image tag](https://hub.docker.com/r/bitnami/postgresql/tags/) using the `image.tag` parameter. For example, `image.tag=X.Y.Z`. This approach is also applicable to other images like exporters.
### postgresql.conf / pg_hba.conf files as configMap
This helm chart also supports to customize the whole configuration file.
Add your custom file to "files/postgresql.conf" in your working directory. This file will be mounted as configMap to the containers and it will be used for configuring the PostgreSQL server.
Alternatively, you can specify PostgreSQL configuration parameters using the `postgresqlConfiguration` parameter as a dict, using camelCase, e.g. {"sharedBuffers": "500MB"}.
In addition to these options, you can also set an external ConfigMap with all the configuration files. This is done by setting the `configurationConfigMap` parameter. Note that this will override the two previous options.
### Allow settings to be loaded from files other than the default `postgresql.conf`
If you don't want to provide the whole PostgreSQL configuration file and only specify certain parameters, you can add your extended `.conf` files to "files/conf.d/" in your working directory.
Those files will be mounted as configMap to the containers adding/overwriting the default configuration using the `include_dir` directive that allows settings to be loaded from files other than the default `postgresql.conf`.
Alternatively, you can also set an external ConfigMap with all the extra configuration files. This is done by setting the `extendedConfConfigMap` parameter. Note that this will override the previous option.
### Initialize a fresh instance
The [Bitnami PostgreSQL](https://github.com/bitnami/bitnami-docker-postgresql) image allows you to use your custom scripts to initialize a fresh instance. In order to execute the scripts, they must be located inside the chart folder `files/docker-entrypoint-initdb.d` so they can be consumed as a ConfigMap.
Alternatively, you can specify custom scripts using the `initdbScripts` parameter as dict.
In addition to these options, you can also set an external ConfigMap with all the initialization scripts. This is done by setting the `initdbScriptsConfigMap` parameter. Note that this will override the two previous options. If your initialization scripts contain sensitive information such as credentials or passwords, you can use the `initdbScriptsSecret` parameter.
The allowed extensions are `.sh`, `.sql` and `.sql.gz`.
### Securing traffic using TLS
TLS support can be enabled in the chart by specifying the `tls.` parameters while creating a release. The following parameters should be configured to properly enable the TLS support in the chart:
- `tls.enabled`: Enable TLS support. Defaults to `false`
- `tls.certificatesSecret`: Name of an existing secret that contains the certificates. No defaults.
- `tls.certFilename`: Certificate filename. No defaults.
- `tls.certKeyFilename`: Certificate key filename. No defaults.
For example:
* First, create the secret with the cetificates files:
```console
kubectl create secret generic certificates-tls-secret --from-file=./cert.crt --from-file=./cert.key --from-file=./ca.crt
```
* Then, use the following parameters:
```console
volumePermissions.enabled=true
tls.enabled=true
tls.certificatesSecret="certificates-tls-secret"
tls.certFilename="cert.crt"
tls.certKeyFilename="cert.key"
```
> Note TLS and VolumePermissions: PostgreSQL requires certain permissions on sensitive files (such as certificate keys) to start up. Due to an on-going [issue](https://github.com/kubernetes/kubernetes/issues/57923) regarding kubernetes permissions and the use of `securityContext.runAsUser`, you must enable `volumePermissions` to ensure everything works as expected.
### Sidecars
If you need additional containers to run within the same pod as PostgreSQL (e.g. an additional metrics or logging exporter), you can do so via the `sidecars` config parameter. Simply define your container according to the Kubernetes container spec.
```yaml
# For the PostgreSQL master
master:
sidecars:
- name: your-image-name
image: your-image
imagePullPolicy: Always
ports:
- name: portname
containerPort: 1234
# For the PostgreSQL replicas
slave:
sidecars:
- name: your-image-name
image: your-image
imagePullPolicy: Always
ports:
- name: portname
containerPort: 1234
```
### Metrics
The chart optionally can start a metrics exporter for [prometheus](https://prometheus.io). The metrics endpoint (port 9187) is not exposed and it is expected that the metrics are collected from inside the k8s cluster using something similar as the described in the [example Prometheus scrape configuration](https://github.com/prometheus/prometheus/blob/master/documentation/examples/prometheus-kubernetes.yml).
The exporter allows to create custom metrics from additional SQL queries. See the Chart's `values.yaml` for an example and consult the [exporters documentation](https://github.com/wrouesnel/postgres_exporter#adding-new-metrics-via-a-config-file) for more details.
### Use of global variables
In more complex scenarios, we may have the following tree of dependencies
```
+--------------+
| |
+------------+ Chart 1 +-----------+
| | | |
| --------+------+ |
| | |
| | |
| | |
| | |
v v v
+-------+------+ +--------+------+ +--------+------+
| | | | | |
| PostgreSQL | | Sub-chart 1 | | Sub-chart 2 |
| | | | | |
+--------------+ +---------------+ +---------------+
```
The three charts below depend on the parent chart Chart 1. However, subcharts 1 and 2 may need to connect to PostgreSQL as well. In order to do so, subcharts 1 and 2 need to know the PostgreSQL credentials, so one option for deploying could be deploy Chart 1 with the following parameters:
```
postgresql.postgresqlPassword=testtest
subchart1.postgresql.postgresqlPassword=testtest
subchart2.postgresql.postgresqlPassword=testtest
postgresql.postgresqlDatabase=db1
subchart1.postgresql.postgresqlDatabase=db1
subchart2.postgresql.postgresqlDatabase=db1
```
If the number of dependent sub-charts increases, installing the chart with parameters can become increasingly difficult. An alternative would be to set the credentials using global variables as follows:
```
global.postgresql.postgresqlPassword=testtest
global.postgresql.postgresqlDatabase=db1
```
This way, the credentials will be available in all of the subcharts.
## Persistence
The [Bitnami PostgreSQL](https://github.com/bitnami/bitnami-docker-postgresql) image stores the PostgreSQL data and configurations at the `/bitnami/postgresql` path of the container.
Persistent Volume Claims are used to keep the data across deployments. This is known to work in GCE, AWS, and minikube.
See the [Parameters](#parameters) section to configure the PVC or to disable persistence.
If you already have data in it, you will fail to sync to standby nodes for all commits, details can refer to [code](https://github.com/bitnami/bitnami-docker-postgresql/blob/8725fe1d7d30ebe8d9a16e9175d05f7ad9260c93/9.6/debian-9/rootfs/libpostgresql.sh#L518-L556). If you need to use those data, please covert them to sql and import after `helm install` finished.
## NetworkPolicy
To enable network policy for PostgreSQL, install [a networking plugin that implements the Kubernetes NetworkPolicy spec](https://kubernetes.io/docs/tasks/administer-cluster/declare-network-policy#before-you-begin), and set `networkPolicy.enabled` to `true`.
For Kubernetes v1.5 & v1.6, you must also turn on NetworkPolicy by setting the DefaultDeny namespace annotation. Note: this will enforce policy for _all_ pods in the namespace:
```console
$ kubectl annotate namespace default "net.beta.kubernetes.io/network-policy={\"ingress\":{\"isolation\":\"DefaultDeny\"}}"
```
With NetworkPolicy enabled, traffic will be limited to just port 5432.
For more precise policy, set `networkPolicy.allowExternal=false`. This will only allow pods with the generated client label to connect to PostgreSQL.
This label will be displayed in the output of a successful install.
## Differences between Bitnami PostgreSQL image and [Docker Official](https://hub.docker.com/_/postgres) image
- The Docker Official PostgreSQL image does not support replication. If you pass any replication environment variable, this would be ignored. The only environment variables supported by the Docker Official image are POSTGRES_USER, POSTGRES_DB, POSTGRES_PASSWORD, POSTGRES_INITDB_ARGS, POSTGRES_INITDB_WALDIR and PGDATA. All the remaining environment variables are specific to the Bitnami PostgreSQL image.
- The Bitnami PostgreSQL image is non-root by default. This requires that you run the pod with `securityContext` and updates the permissions of the volume with an `initContainer`. A key benefit of this configuration is that the pod follows security best practices and is prepared to run on Kubernetes distributions with hard security constraints like OpenShift.
- For OpenShift, one may either define the runAsUser and fsGroup accordingly, or try this more dynamic option: volumePermissions.securityContext.runAsUser="auto",securityContext.enabled=false,shmVolume.chmod.enabled=false
### Deploy chart using Docker Official PostgreSQL Image
From chart version 4.0.0, it is possible to use this chart with the Docker Official PostgreSQL image.
Besides specifying the new Docker repository and tag, it is important to modify the PostgreSQL data directory and volume mount point. Basically, the PostgreSQL data dir cannot be the mount point directly, it has to be a subdirectory.
```
image.repository=postgres
image.tag=10.6
postgresqlDataDir=/data/pgdata
persistence.mountPath=/data/
```
## Upgrade
It's necessary to specify the existing passwords while performing an upgrade to ensure the secrets are not updated with invalid randomly generated passwords. Remember to specify the existing values of the `postgresqlPassword` and `replication.password` parameters when upgrading the chart:
```bash
$ helm upgrade my-release stable/postgresql \
--set postgresqlPassword=[POSTGRESQL_PASSWORD] \
--set replication.password=[REPLICATION_PASSWORD]
```
> Note: you need to substitute the placeholders _[POSTGRESQL_PASSWORD]_, and _[REPLICATION_PASSWORD]_ with the values obtained from instructions in the installation notes.
## 8.0.0
Prefixes the port names with their protocols to comply with Istio conventions.
If you depend on the port names in your setup, make sure to update them to reflect this change.
## 7.1.0
Adds support for LDAP configuration.
## 7.0.0
Helm performs a lookup for the object based on its group (apps), version (v1), and kind (Deployment). Also known as its GroupVersionKind, or GVK. Changing the GVK is considered a compatibility breaker from Kubernetes' point of view, so you cannot "upgrade" those objects to the new GVK in-place. Earlier versions of Helm 3 did not perform the lookup correctly which has since been fixed to match the spec.
In https://github.com/helm/charts/pull/17281 the `apiVersion` of the statefulset resources was updated to `apps/v1` in tune with the api's deprecated, resulting in compatibility breakage.
This major version bump signifies this change.
## 6.5.7
In this version, the chart will use PostgreSQL with the Postgis extension included. The version used with Postgresql version 10, 11 and 12 is Postgis 2.5. It has been compiled with the following dependencies:
- protobuf
- protobuf-c
- json-c
- geos
- proj
## 5.0.0
In this version, the **chart is using PostgreSQL 11 instead of PostgreSQL 10**. You can find the main difference and notable changes in the following links: [https://www.postgresql.org/about/news/1894/](https://www.postgresql.org/about/news/1894/) and [https://www.postgresql.org/about/featurematrix/](https://www.postgresql.org/about/featurematrix/).
For major releases of PostgreSQL, the internal data storage format is subject to change, thus complicating upgrades, you can see some errors like the following one in the logs:
```console
Welcome to the Bitnami postgresql container
Subscribe to project updates by watching https://github.com/bitnami/bitnami-docker-postgresql
Submit issues and feature requests at https://github.com/bitnami/bitnami-docker-postgresql/issues
Send us your feedback at containers@bitnami.com
INFO ==> ** Starting PostgreSQL setup **
NFO ==> Validating settings in POSTGRESQL_* env vars..
INFO ==> Initializing PostgreSQL database...
INFO ==> postgresql.conf file not detected. Generating it...
INFO ==> pg_hba.conf file not detected. Generating it...
INFO ==> Deploying PostgreSQL with persisted data...
INFO ==> Configuring replication parameters
INFO ==> Loading custom scripts...
INFO ==> Enabling remote connections
INFO ==> Stopping PostgreSQL...
INFO ==> ** PostgreSQL setup finished! **
INFO ==> ** Starting PostgreSQL **
[1] FATAL: database files are incompatible with server
[1] DETAIL: The data directory was initialized by PostgreSQL version 10, which is not compatible with this version 11.3.
```
In this case, you should migrate the data from the old chart to the new one following an approach similar to that described in [this section](https://www.postgresql.org/docs/current/upgrading.html#UPGRADING-VIA-PGDUMPALL) from the official documentation. Basically, create a database dump in the old chart, move and restore it in the new one.
### 4.0.0
This chart will use by default the Bitnami PostgreSQL container starting from version `10.7.0-r68`. This version moves the initialization logic from node.js to bash. This new version of the chart requires setting the `POSTGRES_PASSWORD` in the slaves as well, in order to properly configure the `pg_hba.conf` file. Users from previous versions of the chart are advised to upgrade immediately.
IMPORTANT: If you do not want to upgrade the chart version then make sure you use the `10.7.0-r68` version of the container. Otherwise, you will get this error
```
The POSTGRESQL_PASSWORD environment variable is empty or not set. Set the environment variable ALLOW_EMPTY_PASSWORD=yes to allow the container to be started with blank passwords. This is recommended only for development
```
### 3.0.0
This releases make it possible to specify different nodeSelector, affinity and tolerations for master and slave pods.
It also fixes an issue with `postgresql.master.fullname` helper template not obeying fullnameOverride.
#### Breaking changes
- `affinty` has been renamed to `master.affinity` and `slave.affinity`.
- `tolerations` has been renamed to `master.tolerations` and `slave.tolerations`.
- `nodeSelector` has been renamed to `master.nodeSelector` and `slave.nodeSelector`.
### 2.0.0
In order to upgrade from the `0.X.X` branch to `1.X.X`, you should follow the below steps:
- Obtain the service name (`SERVICE_NAME`) and password (`OLD_PASSWORD`) of the existing postgresql chart. You can find the instructions to obtain the password in the NOTES.txt, the service name can be obtained by running
```console
$ kubectl get svc
```
- Install (not upgrade) the new version
```console
$ helm repo update
$ helm install my-release bitnami/postgresql
```
- Connect to the new pod (you can obtain the name by running `kubectl get pods`):
```console
$ kubectl exec -it NAME bash
```
- Once logged in, create a dump file from the previous database using `pg_dump`, for that we should connect to the previous postgresql chart:
```console
$ pg_dump -h SERVICE_NAME -U postgres DATABASE_NAME > /tmp/backup.sql
```
After run above command you should be prompted for a password, this password is the previous chart password (`OLD_PASSWORD`).
This operation could take some time depending on the database size.
- Once you have the backup file, you can restore it with a command like the one below:
```console
$ psql -U postgres DATABASE_NAME < /tmp/backup.sql
```
In this case, you are accessing to the local postgresql, so the password should be the new one (you can find it in NOTES.txt).
If you want to restore the database and the database schema does not exist, it is necessary to first follow the steps described below.
```console
$ psql -U postgres
postgres=# drop database DATABASE_NAME;
postgres=# create database DATABASE_NAME;
postgres=# create user USER_NAME;
postgres=# alter role USER_NAME with password 'BITNAMI_USER_PASSWORD';
postgres=# grant all privileges on database DATABASE_NAME to USER_NAME;
postgres=# alter database DATABASE_NAME owner to USER_NAME;
```

22
roles/cmoa_install/files/04-keycloak/charts/postgresql/charts/common/.helmignore Normal file
View File

@@ -0,0 +1,22 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/

19
roles/cmoa_install/files/04-keycloak/charts/postgresql/charts/common/Chart.yaml Normal file
View File

@@ -0,0 +1,19 @@
apiVersion: v1
appVersion: 0.3.1
description: A Library Helm Chart for grouping common logic between bitnami charts.
This chart is not deployable by itself.
home: http://www.bitnami.com/
icon: https://bitnami.com/downloads/logos/bitnami-mark.png
keywords:
- common
- helper
- template
- function
- bitnami
maintainers:
- email: containers@bitnami.com
name: Bitnami
name: common
sources:
- https://github.com/bitnami/charts
version: 0.3.1

228
roles/cmoa_install/files/04-keycloak/charts/postgresql/charts/common/README.md Normal file
View File

@@ -0,0 +1,228 @@
# Bitnami Common Library Chart
A [Helm Library Chart](https://helm.sh/docs/topics/library_charts/#helm) for grouping common logic between bitnami charts.
## TL;DR;
```yaml
dependencies:
- name: common
version: 0.1.0
repository: https://charts.bitnami.com/bitnami
```
```bash
$ helm dependency update
```
```yaml
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "common.names.fullname" . }}
data:
myvalue: "Hello World"
```
## Introduction
This chart provides a common template helpers which can be used to develop new charts using [Helm](https://helm.sh) package manager.
Bitnami charts can be used with [Kubeapps](https://kubeapps.com/) for deployment and management of Helm Charts in clusters. This Helm chart has been tested on top of [Bitnami Kubernetes Production Runtime](https://kubeprod.io/) (BKPR). Deploy BKPR to get automated TLS certificates, logging and monitoring for your applications.
## Prerequisites
- Kubernetes 1.12+
- Helm 2.12+ or Helm 3.0-beta3+
## Parameters
The following table lists the helpers available in the library which are scoped in different sections.
**Names**
| Helper identifier | Description | Expected Input |
|---------------------------------------------|------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `common.names.name` | Expand the name of the chart or use `.Values.nameOverride` | `.` Chart context |
| `common.names.fullname` | Create a default fully qualified app name. | `.` Chart context |
| `common.names.chart` | Chart name plus version | `.` Chart context |
**Images**
| Helper identifier | Description | Expected Input |
|---------------------------------------------|------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `common.images.image` | Return the proper and full image name | `dict "imageRoot" .Values.path.to.the.image "global" $`, see [ImageRoot](#imageroot) for the structure. |
| `common.images.pullSecrets` | Return the proper Docker Image Registry Secret Names | `dict "images" (list .Values.path.to.the.image1, .Values.path.to.the.image2) "global" $` |
**Labels**
| Helper identifier | Description | Expected Input |
|---------------------------------------------|------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `common.labels.standard` | Return Kubernetes standard labels | `.` Chart context |
| `common.labels.matchLabels` | Return the proper Docker Image Registry Secret Names | `.` Chart context |
**Storage**
| Helper identifier | Description | Expected Input |
|---------------------------------------------|------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `common.storage.class` | Return the proper Storage Class | `dict "persistence" .Values.path.to.the.persistence "global" $`, see [Persistence](#persistence) for the structure. |
**TplValues**
| Helper identifier | Description | Expected Input |
|---------------------------------------------|------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `common.tplvalues.render` | Renders a value that contains template | `dict "value" .Values.path.to.the.Value "context" $`, value is the value should rendered as template, context frecuently is the chart context `$` or `.` |
**Capabilities**
| Helper identifier | Description | Expected Input |
|---------------------------------------------|------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `common.capabilities.deployment.apiVersion` | Return the appropriate apiVersion for deployment. | `.` Chart context |
| `common.capabilities.ingress.apiVersion` | Return the appropriate apiVersion for ingress. | `.` Chart context |
**Warnings**
| Helper identifier | Description | Expected Input |
|---------------------------------------------|------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `common.warnings.rollingTag` | Warning about using rolling tag. | `ImageRoot` see [ImageRoot](#imageroot) for the structure. |
**Secrets**
| Helper identifier | Description | Expected Input |
|---------------------------------------------|------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `common.secrets.name` | Generate the name of the secret. | `dict "existingSecret" .Values.path.to.the.existingSecret "defaultNameSuffix" "mySuffix" "context" $` see [ExistingSecret](#existingsecret) for the structure. |
| `common.secrets.key` | Generate secret key. | `dict "existingSecret" .Values.path.to.the.existingSecret "key" "keyName"` see [ExistingSecret](#existingsecret) for the structure. |
## Special input schemas
### ImageRoot
```yaml
registry:
type: string
description: Docker registry where the image is located
example: docker.io
repository:
type: string
description: Repository and image name
example: bitnami/nginx
tag:
type: string
description: image tag
example: 1.16.1-debian-10-r63
pullPolicy:
type: string
description: Specify a imagePullPolicy. Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
pullSecrets:
type: array
items:
type: string
description: Optionally specify an array of imagePullSecrets.
debug:
type: boolean
description: Set to true if you would like to see extra information on logs
example: false
## An instance would be:
# registry: docker.io
# repository: bitnami/nginx
# tag: 1.16.1-debian-10-r63
# pullPolicy: IfNotPresent
# debug: false
```
### Persistence
```yaml
enabled:
type: boolean
description: Whether enable persistence.
example: true
storageClass:
type: string
description: Ghost data Persistent Volume Storage Class, If set to "-", storageClassName: "" which disables dynamic provisioning.
example: "-"
accessMode:
type: string
description: Access mode for the Persistent Volume Storage.
example: ReadWriteOnce
size:
type: string
description: Size the Persistent Volume Storage.
example: 8Gi
path:
type: string
description: Path to be persisted.
example: /bitnami
## An instance would be:
# enabled: true
# storageClass: "-"
# accessMode: ReadWriteOnce
# size: 8Gi
# path: /bitnami
```
### ExistingSecret
```yaml
name:
type: string
description: Name of the existing secret.
example: mySecret
keyMapping:
description: Mapping between the expected key name and the name of the key in the existing secret.
type: object
## An instance would be:
# name: mySecret
# keyMapping:
# password: myPasswordKey
```
**Example of use**
When we store sensitive data for a deployment in a secret, some times we want to give to users the possiblity of using theirs existing secrets.
```yaml
# templates/secret.yaml
---
apiVersion: v1
kind: Secret
metadata:
name: {{ include "common.names.fullname" . }}
labels:
app: {{ include "common.names.fullname" . }}
type: Opaque
data:
password: {{ .Values.password | b64enc | quote }}
# templates/dpl.yaml
---
...
env:
- name: PASSWORD
valueFrom:
secretKeyRef:
name: {{ include "common.secrets.name" (dict "existingSecret" .Values.existingSecret "context" $) }}
key: {{ include "common.secrets.key" (dict "existingSecret" .Values.existingSecret "key" "password") }}
...
# values.yaml
---
name: mySecret
keyMapping:
password: myPasswordKey
```
## Notable changes
N/A

22
roles/cmoa_install/files/04-keycloak/charts/postgresql/charts/common/templates/_capabilities.tpl Normal file
View File

@@ -0,0 +1,22 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Return the appropriate apiVersion for deployment.
*/}}
{{- define "common.capabilities.deployment.apiVersion" -}}
{{- if semverCompare "<1.14-0" .Capabilities.KubeVersion.GitVersion -}}
{{- print "extensions/v1beta1" -}}
{{- else -}}
{{- print "apps/v1" -}}
{{- end -}}
{{- end -}}
{{/*
Return the appropriate apiVersion for ingress.
*/}}
{{- define "common.capabilities.ingress.apiVersion" -}}
{{- if semverCompare "<1.14-0" .Capabilities.KubeVersion.GitVersion -}}
{{- print "extensions/v1beta1" -}}
{{- else -}}
{{- print "networking.k8s.io/v1beta1" -}}
{{- end -}}
{{- end -}}

44
roles/cmoa_install/files/04-keycloak/charts/postgresql/charts/common/templates/_images.tpl Normal file
View File

@@ -0,0 +1,44 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Return the proper image name
{{ include "common.images.image" ( dict "imageRoot" .Values.path.to.the.image "global" $) }}
*/}}
{{- define "common.images.image" -}}
{{- $registryName := .imageRoot.registry -}}
{{- $repositoryName := .imageRoot.repository -}}
{{- $tag := .imageRoot.tag | toString -}}
{{- if .global }}
{{- if .global.imageRegistry }}
{{- $registryName = .global.imageRegistry -}}
{{- end -}}
{{- end -}}
{{- printf "%s/%s:%s" $registryName $repositoryName $tag -}}
{{- end -}}
{{/*
Return the proper Docker Image Registry Secret Names
{{ include "common.images.pullSecrets" ( dict "images" (list .Values.path.to.the.image1, .Values.path.to.the.image2) "global" $) }}
*/}}
{{- define "common.images.pullSecrets" -}}
{{- if .global }}
{{- if .global.imagePullSecrets }}
imagePullSecrets:
{{- range .global.imagePullSecrets }}
- name: {{ . }}
{{- end }}
{{- end }}
{{- else }}
{{- $pullSecrets := list }}
{{- range .images }}
{{- if .pullSecrets }}
{{- $pullSecrets = append $pullSecrets .pullSecrets }}
{{- end }}
{{- end }}
{{- if $pullSecrets }}
imagePullSecrets:
{{- range $pullSecrets }}
- name: {{ . }}
{{- end }}
{{- end }}
{{- end -}}
{{- end -}}

18
roles/cmoa_install/files/04-keycloak/charts/postgresql/charts/common/templates/_labels.tpl Normal file
View File

@@ -0,0 +1,18 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Kubernetes standard labels
*/}}
{{- define "common.labels.standard" -}}
app.kubernetes.io/name: {{ include "common.names.name" . }}
helm.sh/chart: {{ include "common.names.chart" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end -}}
{{/*
Labels to use on deploy.spec.selector.matchLabels and svc.spec.selector
*/}}
{{- define "common.labels.matchLabels" -}}
app.kubernetes.io/name: {{ include "common.names.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end -}}

32
roles/cmoa_install/files/04-keycloak/charts/postgresql/charts/common/templates/_names.tpl Normal file
View File

@@ -0,0 +1,32 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "common.names.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "common.names.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "common.names.fullname" -}}
{{- if .Values.fullnameOverride -}}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- end -}}

49
roles/cmoa_install/files/04-keycloak/charts/postgresql/charts/common/templates/_secrets.tpl Normal file
View File

@@ -0,0 +1,49 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Generate secret name.
Usage:
{{ include "common.secrets.name" (dict "existingSecret" .Values.path.to.the.existingSecret "defaultNameSuffix" "mySuffix" "context" $) }}
Params:
- existingSecret - ExistingSecret - Optional. The path to the existing secrets in the values.yaml given by the user
to be used istead of the default one. +info: https://github.com/bitnami/charts/tree/master/bitnami/common#existingsecret
- defaultNameSuffix - String - Optional. It is used only if we have several secrets in the same deployment.
- context - Dict - Required. The context for the template evaluation.
*/}}
{{- define "common.secrets.name" -}}
{{- $name := (include "common.names.fullname" .context) -}}
{{- if .defaultNameSuffix -}}
{{- $name = cat $name .defaultNameSuffix -}}
{{- end -}}
{{- with .existingSecret -}}
{{- $name = .name -}}
{{- end -}}
{{- printf "%s" $name -}}
{{- end -}}
{{/*
Generate secret key.
Usage:
{{ include "common.secrets.key" (dict "existingSecret" .Values.path.to.the.existingSecret "key" "keyName") }}
Params:
- existingSecret - ExistingSecret - Optional. The path to the existing secrets in the values.yaml given by the user
to be used istead of the default one. +info: https://github.com/bitnami/charts/tree/master/bitnami/common#existingsecret
- key - String - Required. Name of the key in the secret.
*/}}
{{- define "common.secrets.key" -}}
{{- $key := .key -}}
{{- if .existingSecret -}}
{{- if .existingSecret.keyMapping -}}
{{- $key = index .existingSecret.keyMapping $.key -}}
{{- end -}}
{{- end -}}
{{- printf "%s" $key -}}
{{- end -}}

23
roles/cmoa_install/files/04-keycloak/charts/postgresql/charts/common/templates/_storage.tpl Normal file
View File

@@ -0,0 +1,23 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Return the proper Storage Class
{{ include "common.storage.class" ( dict "persistence" .Values.path.to.the.persistence "global" $) }}
*/}}
{{- define "common.storage.class" -}}
{{- $storageClass := .persistence.storageClass -}}
{{- if .global -}}
{{- if .global.storageClass -}}
{{- $storageClass = .global.storageClass -}}
{{- end -}}
{{- end -}}
{{- if $storageClass -}}
{{- if (eq "-" $storageClass) -}}
{{- printf "storageClassName: \"\"" -}}
{{- else }}
{{- printf "storageClassName: %s" $storageClass -}}
{{- end -}}
{{- end -}}
{{- end -}}

13
roles/cmoa_install/files/04-keycloak/charts/postgresql/charts/common/templates/_tplvalues.tpl Normal file
View File

@@ -0,0 +1,13 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Renders a value that contains template.
Usage:
{{ include "common.tplvalues.render" ( dict "value" .Values.path.to.the.Value "context" $) }}
*/}}
{{- define "common.tplvalues.render" -}}
{{- if typeIs "string" .value }}
{{- tpl .value .context }}
{{- else }}
{{- tpl (.value | toYaml) .context }}
{{- end }}
{{- end -}}

14
roles/cmoa_install/files/04-keycloak/charts/postgresql/charts/common/templates/_warnings.tpl Normal file
View File

@@ -0,0 +1,14 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Warning about using rolling tag.
Usage:
{{ include "common.warnings.rollingTag" .Values.path.to.the.imageRoot }}
*/}}
{{- define "common.warnings.rollingTag" -}}
{{- if and (contains "bitnami/" .repository) (not (.tag | toString | regexFind "-r\\d+$|sha256:")) }}
WARNING: Rolling tag detected ({{ .repository }}:{{ .tag }}), please note that it is strongly recommended to avoid using rolling tags in a production environment.
+info https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/
{{- end }}
{{- end -}}

3
roles/cmoa_install/files/04-keycloak/charts/postgresql/charts/common/values.yaml Normal file
View File

@@ -0,0 +1,3 @@
## bitnami/common
## It is required by CI/CD tools and processes.
exampleValue: common-chart

4
roles/cmoa_install/files/04-keycloak/charts/postgresql/ci/commonAnnotations.yaml Normal file
View File

@@ -0,0 +1,4 @@
commonAnnotations:
helm.sh/hook: "pre-install, pre-upgrade"
helm.sh/hook-weight: "-1"

1
roles/cmoa_install/files/04-keycloak/charts/postgresql/ci/default-values.yaml Normal file
View File

@@ -0,0 +1 @@
# Leave this file empty to ensure that CI runs builds against the default configuration in values.yaml.

2
roles/cmoa_install/files/04-keycloak/charts/postgresql/ci/shmvolume-disabled-values.yaml Normal file
View File

@@ -0,0 +1,2 @@
shmVolume:
enabled: false

1
roles/cmoa_install/files/04-keycloak/charts/postgresql/files/README.md Normal file
View File

@@ -0,0 +1 @@
Copy here your postgresql.conf and/or pg_hba.conf files to use it as a config map.

4
roles/cmoa_install/files/04-keycloak/charts/postgresql/files/conf.d/README.md Normal file
View File

@@ -0,0 +1,4 @@
If you don't want to provide the whole configuration file and only specify certain parameters, you can copy here your extended `.conf` files.
These files will be injected as a config maps and add/overwrite the default configuration using the `include_dir` directive that allows settings to be loaded from files other than the default `postgresql.conf`.
More info in the [bitnami-docker-postgresql README](https://github.com/bitnami/bitnami-docker-postgresql#configuration-file).

3
roles/cmoa_install/files/04-keycloak/charts/postgresql/files/docker-entrypoint-initdb.d/README.md Normal file
View File

@@ -0,0 +1,3 @@
You can copy here your custom `.sh`, `.sql` or `.sql.gz` file so they are executed during the first boot of the image.
More info in the [bitnami-docker-postgresql](https://github.com/bitnami/bitnami-docker-postgresql#initializing-a-new-instance) repository.

6
roles/cmoa_install/files/04-keycloak/charts/postgresql/requirements.lock Normal file
View File

@@ -0,0 +1,6 @@
dependencies:
- name: common
repository: https://charts.bitnami.com/bitnami
version: 0.3.1
digest: sha256:740783295d301fdd168fafdbaa760de27ab54b0ff36b513589a5a2515072b885
generated: "2020-07-15T00:56:02.067804177Z"

4
roles/cmoa_install/files/04-keycloak/charts/postgresql/requirements.yaml Normal file
View File

@@ -0,0 +1,4 @@
dependencies:
- name: common
version: 0.x.x
repository: https://charts.bitnami.com/bitnami

54
roles/cmoa_install/files/04-keycloak/charts/postgresql/templates/NOTES.txt Normal file
View File

@@ -0,0 +1,54 @@
** Please be patient while the chart is being deployed **
PostgreSQL can be accessed via port {{ template "postgresql.port" . }} on the following DNS name from within your cluster:
{{ template "postgresql.fullname" . }}.imxc.svc.cluster.local - Read/Write connection
{{- if .Values.replication.enabled }}
{{ template "postgresql.fullname" . }}-read.imxc.svc.cluster.local - Read only connection
{{- end }}
{{- if and .Values.postgresqlPostgresPassword (not (eq .Values.postgresqlUsername "postgres")) }}
To get the password for "postgres" run:
export POSTGRES_ADMIN_PASSWORD=$(kubectl get secret --namespace imxc {{ template "postgresql.secretName" . }} -o jsonpath="{.data.postgresql-postgres-password}" | base64 --decode)
{{- end }}
To get the password for "{{ template "postgresql.username" . }}" run:
export POSTGRES_PASSWORD=$(kubectl get secret --namespace imxc {{ template "postgresql.secretName" . }} -o jsonpath="{.data.postgresql-password}" | base64 --decode)
To connect to your database run the following command:
kubectl run {{ template "postgresql.fullname" . }}-client --rm --tty -i --restart='Never' --namespace imxc --image {{ template "postgresql.image" . }} --env="PGPASSWORD=$POSTGRES_PASSWORD" {{- if and (.Values.networkPolicy.enabled) (not .Values.networkPolicy.allowExternal) }}
--labels="{{ template "postgresql.fullname" . }}-client=true" {{- end }} --command -- psql --host {{ template "postgresql.fullname" . }} -U {{ .Values.postgresqlUsername }} -d {{- if .Values.postgresqlDatabase }} {{ .Values.postgresqlDatabase }}{{- else }} postgres{{- end }} -p {{ template "postgresql.port" . }}
{{ if and (.Values.networkPolicy.enabled) (not .Values.networkPolicy.allowExternal) }}
Note: Since NetworkPolicy is enabled, only pods with label {{ template "postgresql.fullname" . }}-client=true" will be able to connect to this PostgreSQL cluster.
{{- end }}
To connect to your database from outside the cluster execute the following commands:
{{- if contains "NodePort" .Values.service.type }}
export NODE_IP=$(kubectl get nodes --namespace imxc -o jsonpath="{.items[0].status.addresses[0].address}")
export NODE_PORT=$(kubectl get --namespace imxc -o jsonpath="{.spec.ports[0].nodePort}" services {{ template "postgresql.fullname" . }})
{{ if (include "postgresql.password" . ) }}PGPASSWORD="$POSTGRES_PASSWORD" {{ end }}psql --host $NODE_IP --port $NODE_PORT -U {{ .Values.postgresqlUsername }} -d {{- if .Values.postgresqlDatabase }} {{ .Values.postgresqlDatabase }}{{- else }} postgres{{- end }}
{{- else if contains "LoadBalancer" .Values.service.type }}
NOTE: It may take a few minutes for the LoadBalancer IP to be available.
Watch the status with: 'kubectl get svc --namespace imxc -w {{ template "postgresql.fullname" . }}'
export SERVICE_IP=$(kubectl get svc --namespace imxc {{ template "postgresql.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
{{ if (include "postgresql.password" . ) }}PGPASSWORD="$POSTGRES_PASSWORD" {{ end }}psql --host $SERVICE_IP --port {{ template "postgresql.port" . }} -U {{ .Values.postgresqlUsername }} -d {{- if .Values.postgresqlDatabase }} {{ .Values.postgresqlDatabase }}{{- else }} postgres{{- end }}
{{- else if contains "ClusterIP" .Values.service.type }}
kubectl port-forward --namespace imxc svc/{{ template "postgresql.fullname" . }} {{ template "postgresql.port" . }}:{{ template "postgresql.port" . }} &
{{ if (include "postgresql.password" . ) }}PGPASSWORD="$POSTGRES_PASSWORD" {{ end }}psql --host 127.0.0.1 -U {{ .Values.postgresqlUsername }} -d {{- if .Values.postgresqlDatabase }} {{ .Values.postgresqlDatabase }}{{- else }} postgres{{- end }} -p {{ template "postgresql.port" . }}
{{- end }}
{{- include "postgresql.validateValues" . -}}

494
roles/cmoa_install/files/04-keycloak/charts/postgresql/templates/_helpers.tpl Normal file
View File

@@ -0,0 +1,494 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "postgresql.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
*/}}
{{- define "postgresql.fullname" -}}
{{- if .Values.fullnameOverride -}}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
*/}}
{{- define "postgresql.master.fullname" -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- $fullname := default (printf "%s-%s" .Release.Name $name) .Values.fullnameOverride -}}
{{- if .Values.replication.enabled -}}
{{- printf "%s-%s" $fullname "master" | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s" $fullname | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{/*
Return the appropriate apiVersion for networkpolicy.
*/}}
{{- define "postgresql.networkPolicy.apiVersion" -}}
{{- if semverCompare ">=1.4-0, <1.7-0" .Capabilities.KubeVersion.GitVersion -}}
"extensions/v1beta1"
{{- else if semverCompare "^1.7-0" .Capabilities.KubeVersion.GitVersion -}}
"networking.k8s.io/v1"
{{- end -}}
{{- end -}}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "postgresql.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Return the proper PostgreSQL image name
*/}}
{{- define "postgresql.image" -}}
{{- $registryName := .Values.image.registry -}}
{{- $repositoryName := .Values.image.repository -}}
{{- $tag := .Values.image.tag | toString -}}
{{/*
Helm 2.11 supports the assignment of a value to a variable defined in a different scope,
but Helm 2.9 and 2.10 doesn't support it, so we need to implement this if-else logic.
Also, we can't use a single if because lazy evaluation is not an option
*/}}
{{- if .Values.global }}
{{- if .Values.global.imageRegistry }}
{{- printf "%s/%s:%s" .Values.global.imageRegistry $repositoryName $tag -}}
{{- else -}}
{{- printf "%s/%s:%s" $registryName $repositoryName $tag -}}
{{- end -}}
{{- else -}}
{{- printf "%s/%s:%s" $registryName $repositoryName $tag -}}
{{- end -}}
{{- end -}}
{{/*
Return PostgreSQL postgres user password
*/}}
{{- define "postgresql.postgres.password" -}}
{{- if .Values.global.postgresql.postgresqlPostgresPassword }}
{{- .Values.global.postgresql.postgresqlPostgresPassword -}}
{{- else if .Values.postgresqlPostgresPassword -}}
{{- .Values.postgresqlPostgresPassword -}}
{{- else -}}
{{- randAlphaNum 10 -}}
{{- end -}}
{{- end -}}
{{/*
Return PostgreSQL password
*/}}
{{- define "postgresql.password" -}}
{{- if .Values.global.postgresql.postgresqlPassword }}
{{- .Values.global.postgresql.postgresqlPassword -}}
{{- else if .Values.postgresqlPassword -}}
{{- .Values.postgresqlPassword -}}
{{- else -}}
{{- randAlphaNum 10 -}}
{{- end -}}
{{- end -}}
{{/*
Return PostgreSQL replication password
*/}}
{{- define "postgresql.replication.password" -}}
{{- if .Values.global.postgresql.replicationPassword }}
{{- .Values.global.postgresql.replicationPassword -}}
{{- else if .Values.replication.password -}}
{{- .Values.replication.password -}}
{{- else -}}
{{- randAlphaNum 10 -}}
{{- end -}}
{{- end -}}
{{/*
Return PostgreSQL username
*/}}
{{- define "postgresql.username" -}}
{{- if .Values.global.postgresql.postgresqlUsername }}
{{- .Values.global.postgresql.postgresqlUsername -}}
{{- else -}}
{{- .Values.postgresqlUsername -}}
{{- end -}}
{{- end -}}
{{/*
Return PostgreSQL replication username
*/}}
{{- define "postgresql.replication.username" -}}
{{- if .Values.global.postgresql.replicationUser }}
{{- .Values.global.postgresql.replicationUser -}}
{{- else -}}
{{- .Values.replication.user -}}
{{- end -}}
{{- end -}}
{{/*
Return PostgreSQL port
*/}}
{{- define "postgresql.port" -}}
{{- if .Values.global.postgresql.servicePort }}
{{- .Values.global.postgresql.servicePort -}}
{{- else -}}
{{- .Values.service.port -}}
{{- end -}}
{{- end -}}
{{/*
Return PostgreSQL created database
*/}}
{{- define "postgresql.database" -}}
{{- if .Values.global.postgresql.postgresqlDatabase }}
{{- .Values.global.postgresql.postgresqlDatabase -}}
{{- else if .Values.postgresqlDatabase -}}
{{- .Values.postgresqlDatabase -}}
{{- end -}}
{{- end -}}
{{/*
Return the proper image name to change the volume permissions
*/}}
{{- define "postgresql.volumePermissions.image" -}}
{{- $registryName := .Values.volumePermissions.image.registry -}}
{{- $repositoryName := .Values.volumePermissions.image.repository -}}
{{- $tag := .Values.volumePermissions.image.tag | toString -}}
{{/*
Helm 2.11 supports the assignment of a value to a variable defined in a different scope,
but Helm 2.9 and 2.10 doesn't support it, so we need to implement this if-else logic.
Also, we can't use a single if because lazy evaluation is not an option
*/}}
{{- if .Values.global }}
{{- if .Values.global.imageRegistry }}
{{- printf "%s/%s:%s" .Values.global.imageRegistry $repositoryName $tag -}}
{{- else -}}
{{- printf "%s/%s:%s" $registryName $repositoryName $tag -}}
{{- end -}}
{{- else -}}
{{- printf "%s/%s:%s" $registryName $repositoryName $tag -}}
{{- end -}}
{{- end -}}
{{/*
Return the proper PostgreSQL metrics image name
*/}}
{{- define "postgresql.metrics.image" -}}
{{- $registryName := default "docker.io" .Values.metrics.image.registry -}}
{{- $repositoryName := .Values.metrics.image.repository -}}
{{- $tag := default "latest" .Values.metrics.image.tag | toString -}}
{{/*
Helm 2.11 supports the assignment of a value to a variable defined in a different scope,
but Helm 2.9 and 2.10 doesn't support it, so we need to implement this if-else logic.
Also, we can't use a single if because lazy evaluation is not an option
*/}}
{{- if .Values.global }}
{{- if .Values.global.imageRegistry }}
{{- printf "%s/%s:%s" .Values.global.imageRegistry $repositoryName $tag -}}
{{- else -}}
{{- printf "%s/%s:%s" $registryName $repositoryName $tag -}}
{{- end -}}
{{- else -}}
{{- printf "%s/%s:%s" $registryName $repositoryName $tag -}}
{{- end -}}
{{- end -}}
{{/*
Get the password secret.
*/}}
{{- define "postgresql.secretName" -}}
{{- if .Values.global.postgresql.existingSecret }}
{{- printf "%s" (tpl .Values.global.postgresql.existingSecret $) -}}
{{- else if .Values.existingSecret -}}
{{- printf "%s" (tpl .Values.existingSecret $) -}}
{{- else -}}
{{- printf "%s" (include "postgresql.fullname" .) -}}
{{- end -}}
{{- end -}}
{{/*
Return true if a secret object should be created
*/}}
{{- define "postgresql.createSecret" -}}
{{- if .Values.global.postgresql.existingSecret }}
{{- else if .Values.existingSecret -}}
{{- else -}}
{{- true -}}
{{- end -}}
{{- end -}}
{{/*
Get the configuration ConfigMap name.
*/}}
{{- define "postgresql.configurationCM" -}}
{{- if .Values.configurationConfigMap -}}
{{- printf "%s" (tpl .Values.configurationConfigMap $) -}}
{{- else -}}
{{- printf "%s-configuration" (include "postgresql.fullname" .) -}}
{{- end -}}
{{- end -}}
{{/*
Get the extended configuration ConfigMap name.
*/}}
{{- define "postgresql.extendedConfigurationCM" -}}
{{- if .Values.extendedConfConfigMap -}}
{{- printf "%s" (tpl .Values.extendedConfConfigMap $) -}}
{{- else -}}
{{- printf "%s-extended-configuration" (include "postgresql.fullname" .) -}}
{{- end -}}
{{- end -}}
{{/*
Return true if a configmap should be mounted with PostgreSQL configuration
*/}}
{{- define "postgresql.mountConfigurationCM" -}}
{{- if or (.Files.Glob "files/postgresql.conf") (.Files.Glob "files/pg_hba.conf") .Values.postgresqlConfiguration .Values.pgHbaConfiguration .Values.configurationConfigMap }}
{{- true -}}
{{- end -}}
{{- end -}}
{{/*
Get the initialization scripts ConfigMap name.
*/}}
{{- define "postgresql.initdbScriptsCM" -}}
{{- if .Values.initdbScriptsConfigMap -}}
{{- printf "%s" (tpl .Values.initdbScriptsConfigMap $) -}}
{{- else -}}
{{- printf "%s-init-scripts" (include "postgresql.fullname" .) -}}
{{- end -}}
{{- end -}}
{{/*
Get the initialization scripts Secret name.
*/}}
{{- define "postgresql.initdbScriptsSecret" -}}
{{- printf "%s" (tpl .Values.initdbScriptsSecret $) -}}
{{- end -}}
{{/*
Get the metrics ConfigMap name.
*/}}
{{- define "postgresql.metricsCM" -}}
{{- printf "%s-metrics" (include "postgresql.fullname" .) -}}
{{- end -}}
{{/*
Return the proper Docker Image Registry Secret Names
*/}}
{{- define "postgresql.imagePullSecrets" -}}
{{/*
Helm 2.11 supports the assignment of a value to a variable defined in a different scope,
but Helm 2.9 and 2.10 does not support it, so we need to implement this if-else logic.
Also, we can not use a single if because lazy evaluation is not an option
*/}}
{{- if .Values.global }}
{{- if .Values.global.imagePullSecrets }}
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
{{- end }}
{{- else if or .Values.image.pullSecrets .Values.metrics.image.pullSecrets .Values.volumePermissions.image.pullSecrets }}
imagePullSecrets:
{{- range .Values.image.pullSecrets }}
- name: {{ . }}
{{- end }}
{{- range .Values.metrics.image.pullSecrets }}
- name: {{ . }}
{{- end }}
{{- range .Values.volumePermissions.image.pullSecrets }}
- name: {{ . }}
{{- end }}
{{- end -}}
{{- else if or .Values.image.pullSecrets .Values.metrics.image.pullSecrets .Values.volumePermissions.image.pullSecrets }}
imagePullSecrets:
{{- range .Values.image.pullSecrets }}
- name: {{ . }}
{{- end }}
{{- range .Values.metrics.image.pullSecrets }}
- name: {{ . }}
{{- end }}
{{- range .Values.volumePermissions.image.pullSecrets }}
- name: {{ . }}
{{- end }}
{{- end -}}
{{- end -}}
{{/*
Get the readiness probe command
*/}}
{{- define "postgresql.readinessProbeCommand" -}}
- |
{{- if (include "postgresql.database" .) }}
exec pg_isready -U {{ include "postgresql.username" . | quote }} -d "dbname={{ include "postgresql.database" . }} {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} sslcert={{ include "postgresql.tlsCert" . }} sslkey={{ include "postgresql.tlsCertKey" . }}{{- end }}" -h 127.0.0.1 -p {{ template "postgresql.port" . }}
{{- else }}
exec pg_isready -U {{ include "postgresql.username" . | quote }} {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} -d "sslcert={{ include "postgresql.tlsCert" . }} sslkey={{ include "postgresql.tlsCertKey" . }}"{{- end }} -h 127.0.0.1 -p {{ template "postgresql.port" . }}
{{- end }}
{{- if contains "bitnami/" .Values.image.repository }}
[ -f /opt/bitnami/postgresql/tmp/.initialized ] || [ -f /bitnami/postgresql/.initialized ]
{{- end -}}
{{- end -}}
{{/*
Return the proper Storage Class
*/}}
{{- define "postgresql.storageClass" -}}
{{/*
Helm 2.11 supports the assignment of a value to a variable defined in a different scope,
but Helm 2.9 and 2.10 does not support it, so we need to implement this if-else logic.
*/}}
{{- if .Values.global -}}
{{- if .Values.global.storageClass -}}
{{- if (eq "-" .Values.global.storageClass) -}}
{{- printf "storageClassName: \"\"" -}}
{{- else }}
{{- printf "storageClassName: %s" .Values.global.storageClass -}}
{{- end -}}
{{- else -}}
{{- if .Values.persistence.storageClass -}}
{{- if (eq "-" .Values.persistence.storageClass) -}}
{{- printf "storageClassName: \"\"" -}}
{{- else }}
{{- printf "storageClassName: %s" .Values.persistence.storageClass -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{- else -}}
{{- if .Values.persistence.storageClass -}}
{{- if (eq "-" .Values.persistence.storageClass) -}}
{{- printf "storageClassName: \"\"" -}}
{{- else }}
{{- printf "storageClassName: %s" .Values.persistence.storageClass -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{/*
Renders a value that contains template.
Usage:
{{ include "postgresql.tplValue" ( dict "value" .Values.path.to.the.Value "context" $) }}
*/}}
{{- define "postgresql.tplValue" -}}
{{- if typeIs "string" .value }}
{{- tpl .value .context }}
{{- else }}
{{- tpl (.value | toYaml) .context }}
{{- end }}
{{- end -}}
{{/*
Return the appropriate apiVersion for statefulset.
*/}}
{{- define "postgresql.statefulset.apiVersion" -}}
{{- if semverCompare "<1.14-0" .Capabilities.KubeVersion.GitVersion -}}
{{- print "apps/v1beta2" -}}
{{- else -}}
{{- print "apps/v1" -}}
{{- end -}}
{{- end -}}
{{/*
Compile all warnings into a single message, and call fail.
*/}}
{{- define "postgresql.validateValues" -}}
{{- $messages := list -}}
{{- $messages := append $messages (include "postgresql.validateValues.ldapConfigurationMethod" .) -}}
{{- $messages := append $messages (include "postgresql.validateValues.psp" .) -}}
{{- $messages := append $messages (include "postgresql.validateValues.tls" .) -}}
{{- $messages := without $messages "" -}}
{{- $message := join "\n" $messages -}}
{{- if $message -}}
{{- printf "\nVALUES VALIDATION:\n%s" $message | fail -}}
{{- end -}}
{{- end -}}
{{/*
Validate values of Postgresql - If ldap.url is used then you don't need the other settings for ldap
*/}}
{{- define "postgresql.validateValues.ldapConfigurationMethod" -}}
{{- if and .Values.ldap.enabled (and (not (empty .Values.ldap.url)) (not (empty .Values.ldap.server))) }}
postgresql: ldap.url, ldap.server
You cannot set both `ldap.url` and `ldap.server` at the same time.
Please provide a unique way to configure LDAP.
More info at https://www.postgresql.org/docs/current/auth-ldap.html
{{- end -}}
{{- end -}}
{{/*
Validate values of Postgresql - If PSP is enabled RBAC should be enabled too
*/}}
{{- define "postgresql.validateValues.psp" -}}
{{- if and .Values.psp.create (not .Values.rbac.create) }}
postgresql: psp.create, rbac.create
RBAC should be enabled if PSP is enabled in order for PSP to work.
More info at https://kubernetes.io/docs/concepts/policy/pod-security-policy/#authorizing-policies
{{- end -}}
{{- end -}}
{{/*
Return the appropriate apiVersion for podsecuritypolicy.
*/}}
{{- define "podsecuritypolicy.apiVersion" -}}
{{- if semverCompare "<1.10-0" .Capabilities.KubeVersion.GitVersion -}}
{{- print "extensions/v1beta1" -}}
{{- else -}}
{{- print "policy/v1beta1" -}}
{{- end -}}
{{- end -}}
{{/*
Validate values of Postgresql TLS - When TLS is enabled, so must be VolumePermissions
*/}}
{{- define "postgresql.validateValues.tls" -}}
{{- if and .Values.tls.enabled (not .Values.volumePermissions.enabled) }}
postgresql: tls.enabled, volumePermissions.enabled
When TLS is enabled you must enable volumePermissions as well to ensure certificates files have
the right permissions.
{{- end -}}
{{- end -}}
{{/*
Return the path to the cert file.
*/}}
{{- define "postgresql.tlsCert" -}}
{{- required "Certificate filename is required when TLS in enabled" .Values.tls.certFilename | printf "/opt/bitnami/postgresql/certs/%s" -}}
{{- end -}}
{{/*
Return the path to the cert key file.
*/}}
{{- define "postgresql.tlsCertKey" -}}
{{- required "Certificate Key filename is required when TLS in enabled" .Values.tls.certKeyFilename | printf "/opt/bitnami/postgresql/certs/%s" -}}
{{- end -}}
{{/*
Return the path to the CA cert file.
*/}}
{{- define "postgresql.tlsCACert" -}}
{{- printf "/opt/bitnami/postgresql/certs/%s" .Values.tls.certCAFilename -}}
{{- end -}}
{{/*
Return the path to the CRL file.
*/}}
{{- define "postgresql.tlsCRL" -}}
{{- if .Values.tls.crlFilename -}}
{{- printf "/opt/bitnami/postgresql/certs/%s" .Values.tls.crlFilename -}}
{{- end -}}
{{- end -}}

26
roles/cmoa_install/files/04-keycloak/charts/postgresql/templates/configmap.yaml Normal file
View File

@@ -0,0 +1,26 @@
{{ if and (or (.Files.Glob "files/postgresql.conf") (.Files.Glob "files/pg_hba.conf") .Values.postgresqlConfiguration .Values.pgHbaConfiguration) (not .Values.configurationConfigMap) }}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ template "postgresql.fullname" . }}-configuration
labels:
{{- include "common.labels.standard" . | nindent 4 }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "postgresql.tplValue" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
data:
{{- if (.Files.Glob "files/postgresql.conf") }}
{{ (.Files.Glob "files/postgresql.conf").AsConfig | indent 2 }}
{{- else if .Values.postgresqlConfiguration }}
postgresql.conf: |
{{- range $key, $value := default dict .Values.postgresqlConfiguration }}
{{ $key | snakecase }}={{ $value }}
{{- end }}
{{- end }}
{{- if (.Files.Glob "files/pg_hba.conf") }}
{{ (.Files.Glob "files/pg_hba.conf").AsConfig | indent 2 }}
{{- else if .Values.pgHbaConfiguration }}
pg_hba.conf: |
{{ .Values.pgHbaConfiguration | indent 4 }}
{{- end }}
{{ end }}

21
roles/cmoa_install/files/04-keycloak/charts/postgresql/templates/extended-config-configmap.yaml Normal file
View File

@@ -0,0 +1,21 @@
{{- if and (or (.Files.Glob "files/conf.d/*.conf") .Values.postgresqlExtendedConf) (not .Values.extendedConfConfigMap)}}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ template "postgresql.fullname" . }}-extended-configuration
labels:
{{- include "common.labels.standard" . | nindent 4 }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "postgresql.tplValue" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
data:
{{- with .Files.Glob "files/conf.d/*.conf" }}
{{ .AsConfig | indent 2 }}
{{- end }}
{{ with .Values.postgresqlExtendedConf }}
override.conf: |
{{- range $key, $value := . }}
{{ $key | snakecase }}={{ $value }}
{{- end }}
{{- end }}
{{- end }}

24
roles/cmoa_install/files/04-keycloak/charts/postgresql/templates/initialization-configmap.yaml Normal file
View File

@@ -0,0 +1,24 @@
{{- if and (or (.Files.Glob "files/docker-entrypoint-initdb.d/*.{sh,sql,sql.gz}") .Values.initdbScripts) (not .Values.initdbScriptsConfigMap) }}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ template "postgresql.fullname" . }}-init-scripts
labels:
{{- include "common.labels.standard" . | nindent 4 }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "postgresql.tplValue" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
{{- with .Files.Glob "files/docker-entrypoint-initdb.d/*.sql.gz" }}
binaryData:
{{- range $path, $bytes := . }}
{{ base $path }}: {{ $.Files.Get $path | b64enc | quote }}
{{- end }}
{{- end }}
data:
{{- with .Files.Glob "files/docker-entrypoint-initdb.d/*.{sh,sql}" }}
{{ .AsConfig | indent 2 }}
{{- end }}
{{- with .Values.initdbScripts }}
{{ toYaml . | indent 2 }}
{{- end }}
{{- end }}

13
roles/cmoa_install/files/04-keycloak/charts/postgresql/templates/metrics-configmap.yaml Normal file
View File

@@ -0,0 +1,13 @@
{{- if and .Values.metrics.enabled .Values.metrics.customMetrics }}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ template "postgresql.metricsCM" . }}
labels:
{{- include "common.labels.standard" . | nindent 4 }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "postgresql.tplValue" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
data:
custom-metrics.yaml: {{ toYaml .Values.metrics.customMetrics | quote }}
{{- end }}

25
roles/cmoa_install/files/04-keycloak/charts/postgresql/templates/metrics-svc.yaml Normal file
View File

@@ -0,0 +1,25 @@
{{- if .Values.metrics.enabled }}
apiVersion: v1
kind: Service
metadata:
name: {{ template "postgresql.fullname" . }}-metrics
labels:
{{- include "common.labels.standard" . | nindent 4 }}
annotations:
{{- if .Values.commonAnnotations }}
{{- include "postgresql.tplValue" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
{{- toYaml .Values.metrics.service.annotations | nindent 4 }}
spec:
type: {{ .Values.metrics.service.type }}
{{- if and (eq .Values.metrics.service.type "LoadBalancer") .Values.metrics.service.loadBalancerIP }}
loadBalancerIP: {{ .Values.metrics.service.loadBalancerIP }}
{{- end }}
ports:
- name: http-metrics
port: 9187
targetPort: http-metrics
selector:
{{- include "common.labels.matchLabels" . | nindent 4 }}
role: master
{{- end }}

36
roles/cmoa_install/files/04-keycloak/charts/postgresql/templates/networkpolicy.yaml Normal file
View File

@@ -0,0 +1,36 @@
{{- if .Values.networkPolicy.enabled }}
kind: NetworkPolicy
apiVersion: {{ template "postgresql.networkPolicy.apiVersion" . }}
metadata:
name: {{ template "postgresql.fullname" . }}
labels:
{{- include "common.labels.standard" . | nindent 4 }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "postgresql.tplValue" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
podSelector:
matchLabels:
{{- include "common.labels.matchLabels" . | nindent 6 }}
ingress:
# Allow inbound connections
- ports:
- port: {{ template "postgresql.port" . }}
{{- if not .Values.networkPolicy.allowExternal }}
from:
- podSelector:
matchLabels:
{{ template "postgresql.fullname" . }}-client: "true"
{{- if .Values.networkPolicy.explicitNamespacesSelector }}
namespaceSelector:
{{ toYaml .Values.networkPolicy.explicitNamespacesSelector | indent 12 }}
{{- end }}
- podSelector:
matchLabels:
{{- include "common.labels.matchLabels" . | nindent 14 }}
role: slave
{{- end }}
# Allow prometheus scrapes
- ports:
- port: 9187
{{- end }}

37
roles/cmoa_install/files/04-keycloak/charts/postgresql/templates/podsecuritypolicy.yaml Normal file
View File

@@ -0,0 +1,37 @@
{{- if .Values.psp.create }}
apiVersion: {{ include "podsecuritypolicy.apiVersion" . }}
kind: PodSecurityPolicy
metadata:
name: {{ template "postgresql.fullname" . }}
labels:
{{- include "common.labels.standard" . | nindent 4 }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "postgresql.tplValue" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
privileged: false
volumes:
- 'configMap'
- 'secret'
- 'persistentVolumeClaim'
- 'emptyDir'
- 'projected'
hostNetwork: false
hostIPC: false
hostPID: false
runAsUser:
rule: 'MustRunAsNonRoot'
seLinux:
rule: 'RunAsAny'
supplementalGroups:
rule: 'MustRunAs'
ranges:
- min: 1
max: 65535
fsGroup:
rule: 'MustRunAs'
ranges:
- min: 1
max: 65535
readOnlyRootFilesystem: false
{{- end }}

23
roles/cmoa_install/files/04-keycloak/charts/postgresql/templates/prometheusrule.yaml Normal file
View File

@@ -0,0 +1,23 @@
{{- if and .Values.metrics.enabled .Values.metrics.prometheusRule.enabled }}
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
name: {{ template "postgresql.fullname" . }}
{{- with .Values.metrics.prometheusRule.namespace }}
namespace: {{ . }}
{{- end }}
labels:
{{- include "common.labels.standard" . | nindent 4 }}
{{- with .Values.metrics.prometheusRule.additionalLabels }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "postgresql.tplValue" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
{{- with .Values.metrics.prometheusRule.rules }}
groups:
- name: {{ template "postgresql.name" $ }}
rules: {{ tpl (toYaml .) $ | nindent 8 }}
{{- end }}
{{- end }}

27
roles/cmoa_install/files/04-keycloak/charts/postgresql/templates/pv.yaml Normal file
View File

@@ -0,0 +1,27 @@
kind: PersistentVolume
apiVersion: v1
metadata:
name: keycloak-saas
spec:
storageClassName: manual
capacity:
storage: 8Gi
accessModes:
- ReadWriteOnce
#- ReadWriteMany
hostPath:
#path: "/home/keycloak/keycloak"
path: /mnt/keycloak-postgresql
nodeAffinity:
required:
nodeSelectorTerms:
- matchExpressions:
- key: kubernetes.io/hostname
operator: In
values:
#- imxc-worker1
- {{ .Values.node.affinity }}
claimRef:
name: data-keycloak-saas-postgresql-0
#namespace: auth

19
roles/cmoa_install/files/04-keycloak/charts/postgresql/templates/role.yaml Normal file
View File

@@ -0,0 +1,19 @@
{{- if .Values.rbac.create }}
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ template "postgresql.fullname" . }}
labels:
{{- include "common.labels.standard" . | nindent 4 }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "postgresql.tplValue" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
rules:
{{- if .Values.psp.create }}
- apiGroups: ["extensions"]
resources: ["podsecuritypolicies"]
verbs: ["use"]
resourceNames:
- {{ template "postgresql.fullname" . }}
{{- end }}
{{- end }}

19
roles/cmoa_install/files/04-keycloak/charts/postgresql/templates/rolebinding.yaml Normal file
View File

@@ -0,0 +1,19 @@
{{- if .Values.rbac.create }}
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ template "postgresql.fullname" . }}
labels:
{{- include "common.labels.standard" . | nindent 4 }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "postgresql.tplValue" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
roleRef:
kind: Role
name: {{ template "postgresql.fullname" . }}
apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
name: {{ default (include "postgresql.fullname" . ) .Values.serviceAccount.name }}
namespace: imxc
{{- end }}

23
roles/cmoa_install/files/04-keycloak/charts/postgresql/templates/secrets.yaml Normal file
View File

@@ -0,0 +1,23 @@
{{- if (include "postgresql.createSecret" .) }}
apiVersion: v1
kind: Secret
metadata:
name: {{ template "postgresql.fullname" . }}
labels:
{{- include "common.labels.standard" . | nindent 4 }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "postgresql.tplValue" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
type: Opaque
data:
{{- if and .Values.postgresqlPostgresPassword (not (eq .Values.postgresqlUsername "postgres")) }}
postgresql-postgres-password: {{ include "postgresql.postgres.password" . | b64enc | quote }}
{{- end }}
postgresql-password: {{ include "postgresql.password" . | b64enc | quote }}
{{- if .Values.replication.enabled }}
postgresql-replication-password: {{ include "postgresql.replication.password" . | b64enc | quote }}
{{- end }}
{{- if (and .Values.ldap.enabled .Values.ldap.bind_password)}}
postgresql-ldap-password: {{ .Values.ldap.bind_password | b64enc | quote }}
{{- end }}
{{- end -}}

11
roles/cmoa_install/files/04-keycloak/charts/postgresql/templates/serviceaccount.yaml Normal file
View File

@@ -0,0 +1,11 @@
{{- if and (.Values.serviceAccount.enabled) (not .Values.serviceAccount.name) }}
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
{{- include "common.labels.standard" . | nindent 4 }}
name: {{ template "postgresql.fullname" . }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "postgresql.tplValue" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
{{- end }}

33
roles/cmoa_install/files/04-keycloak/charts/postgresql/templates/servicemonitor.yaml Normal file
View File

@@ -0,0 +1,33 @@
{{- if and .Values.metrics.enabled .Values.metrics.serviceMonitor.enabled }}
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: {{ include "postgresql.fullname" . }}
{{- if .Values.metrics.serviceMonitor.namespace }}
namespace: {{ .Values.metrics.serviceMonitor.namespace }}
{{- end }}
labels:
{{- include "common.labels.standard" . | nindent 4 }}
{{- if .Values.metrics.serviceMonitor.additionalLabels }}
{{- toYaml .Values.metrics.serviceMonitor.additionalLabels | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "postgresql.tplValue" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
endpoints:
- port: http-metrics
{{- if .Values.metrics.serviceMonitor.interval }}
interval: {{ .Values.metrics.serviceMonitor.interval }}
{{- end }}
{{- if .Values.metrics.serviceMonitor.scrapeTimeout }}
scrapeTimeout: {{ .Values.metrics.serviceMonitor.scrapeTimeout }}
{{- end }}
namespaceSelector:
matchNames:
- imxc
selector:
matchLabels:
{{- include "common.labels.matchLabels" . | nindent 6 }}
{{- end }}

340
roles/cmoa_install/files/04-keycloak/charts/postgresql/templates/statefulset-slaves.yaml Normal file
View File

@@ -0,0 +1,340 @@
{{- if .Values.replication.enabled }}
apiVersion: {{ template "postgresql.statefulset.apiVersion" . }}
kind: StatefulSet
metadata:
name: "{{ template "postgresql.fullname" . }}-slave"
labels:
{{- include "common.labels.standard" . | nindent 4 }}
{{- with .Values.slave.labels }}
{{ toYaml . | indent 4 }}
{{- end }}
annotations:
{{- if .Values.commonAnnotations }}
{{- include "postgresql.tplValue" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
{{- with .Values.slave.annotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
serviceName: {{ template "postgresql.fullname" . }}-headless
replicas: {{ .Values.replication.slaveReplicas }}
selector:
matchLabels:
{{- include "common.labels.matchLabels" . | nindent 6 }}
role: slave
template:
metadata:
name: {{ template "postgresql.fullname" . }}
labels:
{{- include "common.labels.standard" . | nindent 8 }}
role: slave
{{- with .Values.slave.podLabels }}
{{ toYaml . | indent 8 }}
{{- end }}
{{- with .Values.slave.podAnnotations }}
annotations:
{{ toYaml . | indent 8 }}
{{- end }}
spec:
{{- if .Values.schedulerName }}
schedulerName: "{{ .Values.schedulerName }}"
{{- end }}
{{- include "postgresql.imagePullSecrets" . | indent 6 }}
{{- if .Values.slave.nodeSelector }}
nodeSelector:
{{ toYaml .Values.slave.nodeSelector | indent 8 }}
{{- end }}
{{- if .Values.slave.affinity }}
affinity:
{{ toYaml .Values.slave.affinity | indent 8 }}
{{- end }}
{{- if .Values.slave.tolerations }}
tolerations:
{{ toYaml .Values.slave.tolerations | indent 8 }}
{{- end }}
{{- if .Values.terminationGracePeriodSeconds }}
terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }}
{{- end }}
{{- if .Values.securityContext.enabled }}
securityContext:
fsGroup: {{ .Values.securityContext.fsGroup }}
{{- end }}
{{- if .Values.serviceAccount.enabled }}
serviceAccountName: {{ default (include "postgresql.fullname" . ) .Values.serviceAccount.name}}
{{- end }}
{{- if or .Values.slave.extraInitContainers (and .Values.volumePermissions.enabled (or .Values.persistence.enabled (and .Values.shmVolume.enabled .Values.shmVolume.chmod.enabled))) }}
initContainers:
{{- if and .Values.volumePermissions.enabled (or .Values.persistence.enabled (and .Values.shmVolume.enabled .Values.shmVolume.chmod.enabled) .Values.tls.enabled) }}
- name: init-chmod-data
image: {{ template "postgresql.volumePermissions.image" . }}
imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }}
{{- if .Values.resources }}
resources: {{- toYaml .Values.resources | nindent 12 }}
{{- end }}
command:
- /bin/sh
- -cx
- |
{{- if .Values.persistence.enabled }}
mkdir -p {{ .Values.persistence.mountPath }}/data {{- if (include "postgresql.mountConfigurationCM" .) }} {{ .Values.persistence.mountPath }}/conf {{- end }}
chmod 700 {{ .Values.persistence.mountPath }}/data {{- if (include "postgresql.mountConfigurationCM" .) }} {{ .Values.persistence.mountPath }}/conf {{- end }}
find {{ .Values.persistence.mountPath }} -mindepth 1 -maxdepth 1 {{- if not (include "postgresql.mountConfigurationCM" .) }} -not -name "conf" {{- end }} -not -name ".snapshot" -not -name "lost+found" | \
{{- if eq ( toString ( .Values.volumePermissions.securityContext.runAsUser )) "auto" }}
xargs chown -R `id -u`:`id -G | cut -d " " -f2`
{{- else }}
xargs chown -R {{ .Values.securityContext.runAsUser }}:{{ .Values.securityContext.fsGroup }}
{{- end }}
{{- end }}
{{- if and .Values.shmVolume.enabled .Values.shmVolume.chmod.enabled }}
chmod -R 777 /dev/shm
{{- end }}
{{- if .Values.tls.enabled }}
cp /tmp/certs/* /opt/bitnami/postgresql/certs/
{{- if eq ( toString ( .Values.volumePermissions.securityContext.runAsUser )) "auto" }}
chown -R `id -u`:`id -G | cut -d " " -f2` /opt/bitnami/postgresql/certs/
{{- else }}
chown -R {{ .Values.securityContext.runAsUser }}:{{ .Values.securityContext.fsGroup }} /opt/bitnami/postgresql/certs/
{{- end }}
chmod 600 {{ template "postgresql.tlsCertKey" . }}
{{- end }}
{{- if eq ( toString ( .Values.volumePermissions.securityContext.runAsUser )) "auto" }}
securityContext:
{{- else }}
securityContext:
runAsUser: {{ .Values.volumePermissions.securityContext.runAsUser }}
{{- end }}
volumeMounts:
{{ if .Values.persistence.enabled }}
- name: data
mountPath: {{ .Values.persistence.mountPath }}
subPath: {{ .Values.persistence.subPath }}
{{- end }}
{{- if .Values.shmVolume.enabled }}
- name: dshm
mountPath: /dev/shm
{{- end }}
{{- if .Values.tls.enabled }}
- name: raw-certificates
mountPath: /tmp/certs
- name: postgresql-certificates
mountPath: /opt/bitnami/postgresql/certs
{{- end }}
{{- end }}
{{- if .Values.slave.extraInitContainers }}
{{ tpl .Values.slave.extraInitContainers . | indent 8 }}
{{- end }}
{{- end }}
{{- if .Values.slave.priorityClassName }}
priorityClassName: {{ .Values.slave.priorityClassName }}
{{- end }}
containers:
- name: {{ template "postgresql.fullname" . }}
image: {{ template "postgresql.image" . }}
imagePullPolicy: "{{ .Values.image.pullPolicy }}"
{{- if .Values.resources }}
resources: {{- toYaml .Values.resources | nindent 12 }}
{{- end }}
{{- if .Values.securityContext.enabled }}
securityContext:
runAsUser: {{ .Values.securityContext.runAsUser }}
{{- end }}
env:
- name: BITNAMI_DEBUG
value: {{ ternary "true" "false" .Values.image.debug | quote }}
- name: POSTGRESQL_VOLUME_DIR
value: "{{ .Values.persistence.mountPath }}"
- name: POSTGRESQL_PORT_NUMBER
value: "{{ template "postgresql.port" . }}"
{{- if .Values.persistence.mountPath }}
- name: PGDATA
value: {{ .Values.postgresqlDataDir | quote }}
{{- end }}
- name: POSTGRES_REPLICATION_MODE
value: "slave"
- name: POSTGRES_REPLICATION_USER
value: {{ include "postgresql.replication.username" . | quote }}
{{- if .Values.usePasswordFile }}
- name: POSTGRES_REPLICATION_PASSWORD_FILE
value: "/opt/bitnami/postgresql/secrets/postgresql-replication-password"
{{- else }}
- name: POSTGRES_REPLICATION_PASSWORD
valueFrom:
secretKeyRef:
name: {{ template "postgresql.secretName" . }}
key: postgresql-replication-password
{{- end }}
- name: POSTGRES_CLUSTER_APP_NAME
value: {{ .Values.replication.applicationName }}
- name: POSTGRES_MASTER_HOST
value: {{ template "postgresql.fullname" . }}
- name: POSTGRES_MASTER_PORT_NUMBER
value: {{ include "postgresql.port" . | quote }}
{{- if and .Values.postgresqlPostgresPassword (not (eq .Values.postgresqlUsername "postgres")) }}
{{- if .Values.usePasswordFile }}
- name: POSTGRES_POSTGRES_PASSWORD_FILE
value: "/opt/bitnami/postgresql/secrets/postgresql-postgres-password"
{{- else }}
- name: POSTGRES_POSTGRES_PASSWORD
valueFrom:
secretKeyRef:
name: {{ template "postgresql.secretName" . }}
key: postgresql-postgres-password
{{- end }}
{{- end }}
{{- if .Values.usePasswordFile }}
- name: POSTGRES_PASSWORD_FILE
value: "/opt/bitnami/postgresql/secrets/postgresql-password"
{{- else }}
- name: POSTGRES_PASSWORD
valueFrom:
secretKeyRef:
name: {{ template "postgresql.secretName" . }}
key: postgresql-password
{{- end }}
- name: POSTGRESQL_ENABLE_TLS
value: {{ ternary "yes" "no" .Values.tls.enabled | quote }}
{{- if .Values.tls.enabled }}
- name: POSTGRESQL_TLS_PREFER_SERVER_CIPHERS
value: {{ ternary "yes" "no" .Values.tls.preferServerCiphers | quote }}
- name: POSTGRESQL_TLS_CERT_FILE
value: {{ template "postgresql.tlsCert" . }}
- name: POSTGRESQL_TLS_KEY_FILE
value: {{ template "postgresql.tlsCertKey" . }}
{{- if .Values.tls.certCAFilename }}
- name: POSTGRESQL_TLS_CA_FILE
value: {{ template "postgresql.tlsCACert" . }}
{{- end }}
{{- if .Values.tls.crlFilename }}
- name: POSTGRESQL_TLS_CRL_FILE
value: {{ template "postgresql.tlsCRL" . }}
{{- end }}
{{- end }}
ports:
- name: tcp-postgresql
containerPort: {{ template "postgresql.port" . }}
{{- if .Values.livenessProbe.enabled }}
livenessProbe:
exec:
command:
- /bin/sh
- -c
{{- if (include "postgresql.database" .) }}
- exec pg_isready -U {{ include "postgresql.username" . | quote }} -d "dbname={{ include "postgresql.database" . }} {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} sslcert={{ include "postgresql.tlsCert" . }} sslkey={{ include "postgresql.tlsCertKey" . }}{{- end }}" -h 127.0.0.1 -p {{ template "postgresql.port" . }}
{{- else }}
- exec pg_isready -U {{ include "postgresql.username" . | quote }} {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} -d "sslcert={{ include "postgresql.tlsCert" . }} sslkey={{ include "postgresql.tlsCertKey" . }}"{{- end }} -h 127.0.0.1 -p {{ template "postgresql.port" . }}
{{- end }}
initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.livenessProbe.periodSeconds }}
timeoutSeconds: {{ .Values.livenessProbe.timeoutSeconds }}
successThreshold: {{ .Values.livenessProbe.successThreshold }}
failureThreshold: {{ .Values.livenessProbe.failureThreshold }}
{{- end }}
{{- if .Values.readinessProbe.enabled }}
readinessProbe:
exec:
command:
- /bin/sh
- -c
- -e
{{- include "postgresql.readinessProbeCommand" . | nindent 16 }}
initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.readinessProbe.periodSeconds }}
timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }}
successThreshold: {{ .Values.readinessProbe.successThreshold }}
failureThreshold: {{ .Values.readinessProbe.failureThreshold }}
{{- end }}
volumeMounts:
{{- if .Values.usePasswordFile }}
- name: postgresql-password
mountPath: /opt/bitnami/postgresql/secrets/
{{- end }}
{{- if .Values.shmVolume.enabled }}
- name: dshm
mountPath: /dev/shm
{{- end }}
{{- if .Values.persistence.enabled }}
- name: data
mountPath: {{ .Values.persistence.mountPath }}
subPath: {{ .Values.persistence.subPath }}
{{ end }}
{{- if or (.Files.Glob "files/conf.d/*.conf") .Values.postgresqlExtendedConf .Values.extendedConfConfigMap }}
- name: postgresql-extended-config
mountPath: /bitnami/postgresql/conf/conf.d/
{{- end }}
{{- if or (.Files.Glob "files/postgresql.conf") (.Files.Glob "files/pg_hba.conf") .Values.postgresqlConfiguration .Values.pgHbaConfiguration .Values.configurationConfigMap }}
- name: postgresql-config
mountPath: /bitnami/postgresql/conf
{{- end }}
{{- if .Values.tls.enabled }}
- name: postgresql-certificates
mountPath: /opt/bitnami/postgresql/certs
readOnly: true
{{- end }}
{{- if .Values.slave.extraVolumeMounts }}
{{- toYaml .Values.slave.extraVolumeMounts | nindent 12 }}
{{- end }}
{{- if .Values.slave.sidecars }}
{{- include "postgresql.tplValue" ( dict "value" .Values.slave.sidecars "context" $ ) | nindent 8 }}
{{- end }}
volumes:
{{- if .Values.usePasswordFile }}
- name: postgresql-password
secret:
secretName: {{ template "postgresql.secretName" . }}
{{- end }}
{{- if or (.Files.Glob "files/postgresql.conf") (.Files.Glob "files/pg_hba.conf") .Values.postgresqlConfiguration .Values.pgHbaConfiguration .Values.configurationConfigMap}}
- name: postgresql-config
configMap:
name: {{ template "postgresql.configurationCM" . }}
{{- end }}
{{- if or (.Files.Glob "files/conf.d/*.conf") .Values.postgresqlExtendedConf .Values.extendedConfConfigMap }}
- name: postgresql-extended-config
configMap:
name: {{ template "postgresql.extendedConfigurationCM" . }}
{{- end }}
{{- if .Values.tls.enabled }}
- name: raw-certificates
secret:
secretName: {{ required "A secret containing TLS certificates is required when TLS is enabled" .Values.tls.certificatesSecret }}
- name: postgresql-certificates
emptyDir: {}
{{- end }}
{{- if .Values.shmVolume.enabled }}
- name: dshm
emptyDir:
medium: Memory
sizeLimit: 1Gi
{{- end }}
{{- if not .Values.persistence.enabled }}
- name: data
emptyDir: {}
{{- end }}
{{- if .Values.slave.extraVolumes }}
{{- toYaml .Values.slave.extraVolumes | nindent 8 }}
{{- end }}
updateStrategy:
type: {{ .Values.updateStrategy.type }}
{{- if (eq "Recreate" .Values.updateStrategy.type) }}
rollingUpdate: null
{{- end }}
{{- if .Values.persistence.enabled }}
volumeClaimTemplates:
- metadata:
name: data
{{- with .Values.persistence.annotations }}
annotations:
{{- range $key, $value := . }}
{{ $key }}: {{ $value }}
{{- end }}
{{- end }}
spec:
accessModes:
{{- range .Values.persistence.accessModes }}
- {{ . | quote }}
{{- end }}
resources:
requests:
storage: {{ .Values.persistence.size | quote }}
{{ include "postgresql.storageClass" . }}
{{- end }}
{{- end }}

510
roles/cmoa_install/files/04-keycloak/charts/postgresql/templates/statefulset.yaml Normal file
View File

@@ -0,0 +1,510 @@
apiVersion: {{ template "postgresql.statefulset.apiVersion" . }}
kind: StatefulSet
metadata:
name: {{ template "postgresql.master.fullname" . }}
labels:
{{- include "common.labels.standard" . | nindent 4 }}
{{- with .Values.master.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
annotations:
{{- if .Values.commonAnnotations }}
{{- include "postgresql.tplValue" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
{{- with .Values.master.annotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
serviceName: {{ template "postgresql.fullname" . }}-headless
replicas: 1
updateStrategy:
type: {{ .Values.updateStrategy.type }}
{{- if (eq "Recreate" .Values.updateStrategy.type) }}
rollingUpdate: null
{{- end }}
selector:
matchLabels:
{{- include "common.labels.matchLabels" . | nindent 6 }}
role: master
template:
metadata:
name: {{ template "postgresql.fullname" . }}
labels:
{{- include "common.labels.standard" . | nindent 8 }}
role: master
{{- with .Values.master.podLabels }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.master.podAnnotations }}
annotations: {{- toYaml . | nindent 8 }}
{{- end }}
spec:
{{- if .Values.schedulerName }}
schedulerName: "{{ .Values.schedulerName }}"
{{- end }}
{{- include "postgresql.imagePullSecrets" . | indent 6 }}
{{- if .Values.master.nodeSelector }}
nodeSelector: {{- toYaml .Values.master.nodeSelector | nindent 8 }}
{{- end }}
{{- if .Values.master.affinity }}
affinity: {{- toYaml .Values.master.affinity | nindent 8 }}
{{- end }}
{{- if .Values.master.tolerations }}
tolerations: {{- toYaml .Values.master.tolerations | nindent 8 }}
{{- end }}
{{- if .Values.terminationGracePeriodSeconds }}
terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }}
{{- end }}
{{- if .Values.securityContext.enabled }}
securityContext:
fsGroup: {{ .Values.securityContext.fsGroup }}
{{- end }}
{{- if .Values.serviceAccount.enabled }}
serviceAccountName: {{ default (include "postgresql.fullname" . ) .Values.serviceAccount.name }}
{{- end }}
{{- if or .Values.master.extraInitContainers (and .Values.volumePermissions.enabled (or .Values.persistence.enabled (and .Values.shmVolume.enabled .Values.shmVolume.chmod.enabled))) }}
initContainers:
{{- if and .Values.volumePermissions.enabled (or .Values.persistence.enabled (and .Values.shmVolume.enabled .Values.shmVolume.chmod.enabled) .Values.tls.enabled) }}
- name: init-chmod-data
image: {{ template "postgresql.volumePermissions.image" . }}
imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }}
{{- if .Values.resources }}
resources: {{- toYaml .Values.resources | nindent 12 }}
{{- end }}
command:
- /bin/sh
- -cx
- |
{{- if .Values.persistence.enabled }}
mkdir -p {{ .Values.persistence.mountPath }}/data {{- if (include "postgresql.mountConfigurationCM" .) }} {{ .Values.persistence.mountPath }}/conf {{- end }}
chmod 700 {{ .Values.persistence.mountPath }}/data {{- if (include "postgresql.mountConfigurationCM" .) }} {{ .Values.persistence.mountPath }}/conf {{- end }}
find {{ .Values.persistence.mountPath }} -mindepth 1 -maxdepth 1 {{- if not (include "postgresql.mountConfigurationCM" .) }} -not -name "conf" {{- end }} -not -name ".snapshot" -not -name "lost+found" | \
{{- if eq ( toString ( .Values.volumePermissions.securityContext.runAsUser )) "auto" }}
xargs chown -R `id -u`:`id -G | cut -d " " -f2`
{{- else }}
xargs chown -R {{ .Values.securityContext.runAsUser }}:{{ .Values.securityContext.fsGroup }}
{{- end }}
{{- end }}
{{- if and .Values.shmVolume.enabled .Values.shmVolume.chmod.enabled }}
chmod -R 777 /dev/shm
{{- end }}
{{- if .Values.tls.enabled }}
cp /tmp/certs/* /opt/bitnami/postgresql/certs/
{{- if eq ( toString ( .Values.volumePermissions.securityContext.runAsUser )) "auto" }}
chown -R `id -u`:`id -G | cut -d " " -f2` /opt/bitnami/postgresql/certs/
{{- else }}
chown -R {{ .Values.securityContext.runAsUser }}:{{ .Values.securityContext.fsGroup }} /opt/bitnami/postgresql/certs/
{{- end }}
chmod 600 {{ template "postgresql.tlsCertKey" . }}
{{- end }}
{{- if eq ( toString ( .Values.volumePermissions.securityContext.runAsUser )) "auto" }}
securityContext:
{{- else }}
securityContext:
runAsUser: {{ .Values.volumePermissions.securityContext.runAsUser }}
{{- end }}
volumeMounts:
{{- if .Values.persistence.enabled }}
- name: data
mountPath: {{ .Values.persistence.mountPath }}
subPath: {{ .Values.persistence.subPath }}
{{- end }}
{{- if .Values.shmVolume.enabled }}
- name: dshm
mountPath: /dev/shm
{{- end }}
{{- if .Values.tls.enabled }}
- name: raw-certificates
mountPath: /tmp/certs
- name: postgresql-certificates
mountPath: /opt/bitnami/postgresql/certs
{{- end }}
{{- end }}
{{- if .Values.master.extraInitContainers }}
{{- include "postgresql.tplValue" ( dict "value" .Values.master.extraInitContainers "context" $ ) | nindent 8 }}
{{- end }}
{{- end }}
{{- if .Values.master.priorityClassName }}
priorityClassName: {{ .Values.master.priorityClassName }}
{{- end }}
containers:
- name: {{ template "postgresql.fullname" . }}
image: {{ template "postgresql.image" . }}
imagePullPolicy: "{{ .Values.image.pullPolicy }}"
{{- if .Values.resources }}
resources: {{- toYaml .Values.resources | nindent 12 }}
{{- end }}
{{- if .Values.securityContext.enabled }}
securityContext:
runAsUser: {{ .Values.securityContext.runAsUser }}
{{- end }}
env:
- name: BITNAMI_DEBUG
value: {{ ternary "true" "false" .Values.image.debug | quote }}
- name: POSTGRESQL_PORT_NUMBER
value: "{{ template "postgresql.port" . }}"
- name: POSTGRESQL_VOLUME_DIR
value: "{{ .Values.persistence.mountPath }}"
{{- if .Values.postgresqlInitdbArgs }}
- name: POSTGRES_INITDB_ARGS
value: {{ .Values.postgresqlInitdbArgs | quote }}
{{- end }}
{{- if .Values.postgresqlInitdbWalDir }}
- name: POSTGRES_INITDB_WALDIR
value: {{ .Values.postgresqlInitdbWalDir | quote }}
{{- end }}
{{- if .Values.initdbUser }}
- name: POSTGRESQL_INITSCRIPTS_USERNAME
value: {{ .Values.initdbUser }}
{{- end }}
{{- if .Values.initdbPassword }}
- name: POSTGRESQL_INITSCRIPTS_PASSWORD
value: {{ .Values.initdbPassword }}
{{- end }}
{{- if .Values.persistence.mountPath }}
- name: PGDATA
value: {{ .Values.postgresqlDataDir | quote }}
{{- end }}
{{- if .Values.replication.enabled }}
- name: POSTGRES_REPLICATION_MODE
value: "master"
- name: POSTGRES_REPLICATION_USER
value: {{ include "postgresql.replication.username" . | quote }}
{{- if .Values.usePasswordFile }}
- name: POSTGRES_REPLICATION_PASSWORD_FILE
value: "/opt/bitnami/postgresql/secrets/postgresql-replication-password"
{{- else }}
- name: POSTGRES_REPLICATION_PASSWORD
valueFrom:
secretKeyRef:
name: {{ template "postgresql.secretName" . }}
key: postgresql-replication-password
{{- end }}
{{- if not (eq .Values.replication.synchronousCommit "off")}}
- name: POSTGRES_SYNCHRONOUS_COMMIT_MODE
value: {{ .Values.replication.synchronousCommit | quote }}
- name: POSTGRES_NUM_SYNCHRONOUS_REPLICAS
value: {{ .Values.replication.numSynchronousReplicas | quote }}
{{- end }}
- name: POSTGRES_CLUSTER_APP_NAME
value: {{ .Values.replication.applicationName }}
{{- end }}
{{- if and .Values.postgresqlPostgresPassword (not (eq .Values.postgresqlUsername "postgres")) }}
{{- if .Values.usePasswordFile }}
- name: POSTGRES_POSTGRES_PASSWORD_FILE
value: "/opt/bitnami/postgresql/secrets/postgresql-postgres-password"
{{- else }}
- name: POSTGRES_POSTGRES_PASSWORD
valueFrom:
secretKeyRef:
name: {{ template "postgresql.secretName" . }}
key: postgresql-postgres-password
{{- end }}
{{- end }}
- name: POSTGRES_USER
value: {{ include "postgresql.username" . | quote }}
{{- if .Values.usePasswordFile }}
- name: POSTGRES_PASSWORD_FILE
value: "/opt/bitnami/postgresql/secrets/postgresql-password"
{{- else }}
- name: POSTGRES_PASSWORD
valueFrom:
secretKeyRef:
name: {{ template "postgresql.secretName" . }}
key: postgresql-password
{{- end }}
{{- if (include "postgresql.database" .) }}
- name: POSTGRES_DB
value: {{ (include "postgresql.database" .) | quote }}
{{- end }}
{{- if .Values.extraEnv }}
{{- include "postgresql.tplValue" (dict "value" .Values.extraEnv "context" $) | nindent 12 }}
{{- end }}
- name: POSTGRESQL_ENABLE_LDAP
value: {{ ternary "yes" "no" .Values.ldap.enabled | quote }}
{{- if .Values.ldap.enabled }}
- name: POSTGRESQL_LDAP_SERVER
value: {{ .Values.ldap.server }}
- name: POSTGRESQL_LDAP_PORT
value: {{ .Values.ldap.port | quote }}
- name: POSTGRESQL_LDAP_SCHEME
value: {{ .Values.ldap.scheme }}
{{- if .Values.ldap.tls }}
- name: POSTGRESQL_LDAP_TLS
value: "1"
{{- end}}
- name: POSTGRESQL_LDAP_PREFIX
value: {{ .Values.ldap.prefix | quote }}
- name: POSTGRESQL_LDAP_SUFFIX
value: {{ .Values.ldap.suffix | quote}}
- name: POSTGRESQL_LDAP_BASE_DN
value: {{ .Values.ldap.baseDN }}
- name: POSTGRESQL_LDAP_BIND_DN
value: {{ .Values.ldap.bindDN }}
{{- if (not (empty .Values.ldap.bind_password)) }}
- name: POSTGRESQL_LDAP_BIND_PASSWORD
valueFrom:
secretKeyRef:
name: {{ template "postgresql.secretName" . }}
key: postgresql-ldap-password
{{- end}}
- name: POSTGRESQL_LDAP_SEARCH_ATTR
value: {{ .Values.ldap.search_attr }}
- name: POSTGRESQL_LDAP_SEARCH_FILTER
value: {{ .Values.ldap.search_filter }}
- name: POSTGRESQL_LDAP_URL
value: {{ .Values.ldap.url }}
{{- end}}
- name: POSTGRESQL_ENABLE_TLS
value: {{ ternary "yes" "no" .Values.tls.enabled | quote }}
{{- if .Values.tls.enabled }}
- name: POSTGRESQL_TLS_PREFER_SERVER_CIPHERS
value: {{ ternary "yes" "no" .Values.tls.preferServerCiphers | quote }}
- name: POSTGRESQL_TLS_CERT_FILE
value: {{ template "postgresql.tlsCert" . }}
- name: POSTGRESQL_TLS_KEY_FILE
value: {{ template "postgresql.tlsCertKey" . }}
{{- if .Values.tls.certCAFilename }}
- name: POSTGRESQL_TLS_CA_FILE
value: {{ template "postgresql.tlsCACert" . }}
{{- end }}
{{- if .Values.tls.crlFilename }}
- name: POSTGRESQL_TLS_CRL_FILE
value: {{ template "postgresql.tlsCRL" . }}
{{- end }}
{{- end }}
{{- if .Values.extraEnvVarsCM }}
envFrom:
- configMapRef:
name: {{ tpl .Values.extraEnvVarsCM . }}
{{- end }}
ports:
- name: tcp-postgresql
containerPort: {{ template "postgresql.port" . }}
{{- if .Values.livenessProbe.enabled }}
livenessProbe:
exec:
command:
- /bin/sh
- -c
{{- if (include "postgresql.database" .) }}
- exec pg_isready -U {{ include "postgresql.username" . | quote }} -d "dbname={{ include "postgresql.database" . }} {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} sslcert={{ include "postgresql.tlsCert" . }} sslkey={{ include "postgresql.tlsCertKey" . }}{{- end }}" -h 127.0.0.1 -p {{ template "postgresql.port" . }}
{{- else }}
- exec pg_isready -U {{ include "postgresql.username" . | quote }} {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} -d "sslcert={{ include "postgresql.tlsCert" . }} sslkey={{ include "postgresql.tlsCertKey" . }}"{{- end }} -h 127.0.0.1 -p {{ template "postgresql.port" . }}
{{- end }}
initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.livenessProbe.periodSeconds }}
timeoutSeconds: {{ .Values.livenessProbe.timeoutSeconds }}
successThreshold: {{ .Values.livenessProbe.successThreshold }}
failureThreshold: {{ .Values.livenessProbe.failureThreshold }}
{{- end }}
{{- if .Values.readinessProbe.enabled }}
readinessProbe:
exec:
command:
- /bin/sh
- -c
- -e
{{- include "postgresql.readinessProbeCommand" . | nindent 16 }}
initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.readinessProbe.periodSeconds }}
timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }}
successThreshold: {{ .Values.readinessProbe.successThreshold }}
failureThreshold: {{ .Values.readinessProbe.failureThreshold }}
{{- end }}
volumeMounts:
{{- if or (.Files.Glob "files/docker-entrypoint-initdb.d/*.{sh,sql,sql.gz}") .Values.initdbScriptsConfigMap .Values.initdbScripts }}
- name: custom-init-scripts
mountPath: /docker-entrypoint-initdb.d/
{{- end }}
{{- if .Values.initdbScriptsSecret }}
- name: custom-init-scripts-secret
mountPath: /docker-entrypoint-initdb.d/secret
{{- end }}
{{- if or (.Files.Glob "files/conf.d/*.conf") .Values.postgresqlExtendedConf .Values.extendedConfConfigMap }}
- name: postgresql-extended-config
mountPath: /bitnami/postgresql/conf/conf.d/
{{- end }}
{{- if .Values.usePasswordFile }}
- name: postgresql-password
mountPath: /opt/bitnami/postgresql/secrets/
{{- end }}
{{- if .Values.tls.enabled }}
- name: postgresql-certificates
mountPath: /opt/bitnami/postgresql/certs
readOnly: true
{{- end }}
{{- if .Values.shmVolume.enabled }}
- name: dshm
mountPath: /dev/shm
{{- end }}
{{- if .Values.persistence.enabled }}
- name: data
mountPath: {{ .Values.persistence.mountPath }}
subPath: {{ .Values.persistence.subPath }}
{{- end }}
{{- if or (.Files.Glob "files/postgresql.conf") (.Files.Glob "files/pg_hba.conf") .Values.postgresqlConfiguration .Values.pgHbaConfiguration .Values.configurationConfigMap }}
- name: postgresql-config
mountPath: /bitnami/postgresql/conf
{{- end }}
{{- if .Values.master.extraVolumeMounts }}
{{- toYaml .Values.master.extraVolumeMounts | nindent 12 }}
{{- end }}
{{- if .Values.master.sidecars }}
{{- include "postgresql.tplValue" ( dict "value" .Values.master.sidecars "context" $ ) | nindent 8 }}
{{- end }}
{{- if .Values.metrics.enabled }}
- name: metrics
image: {{ template "postgresql.metrics.image" . }}
imagePullPolicy: {{ .Values.metrics.image.pullPolicy | quote }}
{{- if .Values.metrics.securityContext.enabled }}
securityContext:
runAsUser: {{ .Values.metrics.securityContext.runAsUser }}
{{- end }}
env:
{{- $database := required "In order to enable metrics you need to specify a database (.Values.postgresqlDatabase or .Values.global.postgresql.postgresqlDatabase)" (include "postgresql.database" .) }}
{{- $sslmode := ternary "require" "disable" .Values.tls.enabled }}
{{- if and .Values.tls.enabled .Values.tls.certCAFilename }}
- name: DATA_SOURCE_NAME
value: {{ printf "host=127.0.0.1 port=%d user=%s sslmode=%s sslcert=%s sslkey=%s" (int (include "postgresql.port" .)) (include "postgresql.username" .) $sslmode (include "postgresql.tlsCert" .) (include "postgresql.tlsCertKey" .) }}
{{- else }}
- name: DATA_SOURCE_URI
value: {{ printf "127.0.0.1:%d/%s?sslmode=%s" (int (include "postgresql.port" .)) $database $sslmode }}
{{- end }}
{{- if .Values.usePasswordFile }}
- name: DATA_SOURCE_PASS_FILE
value: "/opt/bitnami/postgresql/secrets/postgresql-password"
{{- else }}
- name: DATA_SOURCE_PASS
valueFrom:
secretKeyRef:
name: {{ template "postgresql.secretName" . }}
key: postgresql-password
{{- end }}
- name: DATA_SOURCE_USER
value: {{ template "postgresql.username" . }}
{{- if .Values.metrics.extraEnvVars }}
{{- include "postgresql.tplValue" (dict "value" .Values.metrics.extraEnvVars "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.livenessProbe.enabled }}
livenessProbe:
httpGet:
path: /
port: http-metrics
initialDelaySeconds: {{ .Values.metrics.livenessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.metrics.livenessProbe.periodSeconds }}
timeoutSeconds: {{ .Values.metrics.livenessProbe.timeoutSeconds }}
successThreshold: {{ .Values.metrics.livenessProbe.successThreshold }}
failureThreshold: {{ .Values.metrics.livenessProbe.failureThreshold }}
{{- end }}
{{- if .Values.readinessProbe.enabled }}
readinessProbe:
httpGet:
path: /
port: http-metrics
initialDelaySeconds: {{ .Values.metrics.readinessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.metrics.readinessProbe.periodSeconds }}
timeoutSeconds: {{ .Values.metrics.readinessProbe.timeoutSeconds }}
successThreshold: {{ .Values.metrics.readinessProbe.successThreshold }}
failureThreshold: {{ .Values.metrics.readinessProbe.failureThreshold }}
{{- end }}
volumeMounts:
{{- if .Values.usePasswordFile }}
- name: postgresql-password
mountPath: /opt/bitnami/postgresql/secrets/
{{- end }}
{{- if .Values.tls.enabled }}
- name: postgresql-certificates
mountPath: /opt/bitnami/postgresql/certs
readOnly: true
{{- end }}
{{- if .Values.metrics.customMetrics }}
- name: custom-metrics
mountPath: /conf
readOnly: true
args: ["--extend.query-path", "/conf/custom-metrics.yaml"]
{{- end }}
ports:
- name: http-metrics
containerPort: 9187
{{- if .Values.metrics.resources }}
resources: {{- toYaml .Values.metrics.resources | nindent 12 }}
{{- end }}
{{- end }}
volumes:
{{- if or (.Files.Glob "files/postgresql.conf") (.Files.Glob "files/pg_hba.conf") .Values.postgresqlConfiguration .Values.pgHbaConfiguration .Values.configurationConfigMap}}
- name: postgresql-config
configMap:
name: {{ template "postgresql.configurationCM" . }}
{{- end }}
{{- if or (.Files.Glob "files/conf.d/*.conf") .Values.postgresqlExtendedConf .Values.extendedConfConfigMap }}
- name: postgresql-extended-config
configMap:
name: {{ template "postgresql.extendedConfigurationCM" . }}
{{- end }}
{{- if .Values.usePasswordFile }}
- name: postgresql-password
secret:
secretName: {{ template "postgresql.secretName" . }}
{{- end }}
{{- if or (.Files.Glob "files/docker-entrypoint-initdb.d/*.{sh,sql,sql.gz}") .Values.initdbScriptsConfigMap .Values.initdbScripts }}
- name: custom-init-scripts
configMap:
name: {{ template "postgresql.initdbScriptsCM" . }}
{{- end }}
{{- if .Values.initdbScriptsSecret }}
- name: custom-init-scripts-secret
secret:
secretName: {{ template "postgresql.initdbScriptsSecret" . }}
{{- end }}
{{- if .Values.tls.enabled }}
- name: raw-certificates
secret:
secretName: {{ required "A secret containing TLS certificates is required when TLS is enabled" .Values.tls.certificatesSecret }}
- name: postgresql-certificates
emptyDir: {}
{{- end }}
{{- if .Values.master.extraVolumes }}
{{- toYaml .Values.master.extraVolumes | nindent 8 }}
{{- end }}
{{- if and .Values.metrics.enabled .Values.metrics.customMetrics }}
- name: custom-metrics
configMap:
name: {{ template "postgresql.metricsCM" . }}
{{- end }}
{{- if .Values.shmVolume.enabled }}
- name: dshm
emptyDir:
medium: Memory
sizeLimit: 1Gi
{{- end }}
{{- if and .Values.persistence.enabled .Values.persistence.existingClaim }}
- name: data
persistentVolumeClaim:
{{- with .Values.persistence.existingClaim }}
#claimName: {{ tpl . $ }}
claimName: data-keycloak-saas-postgresql-0
{{- end }}
{{- else if not .Values.persistence.enabled }}
- name: data
emptyDir: {}
{{- else if and .Values.persistence.enabled (not .Values.persistence.existingClaim) }}
volumeClaimTemplates:
- metadata:
name: data
{{- with .Values.persistence.annotations }}
annotations:
{{- range $key, $value := . }}
{{ $key }}: {{ $value }}
{{- end }}
{{- end }}
spec:
accessModes:
{{- range .Values.persistence.accessModes }}
- {{ . | quote }}
{{- end }}
resources:
requests:
storage: {{ .Values.persistence.size | quote }}
{{ include "postgresql.storageClass" . }}
{{- end }}

18
roles/cmoa_install/files/04-keycloak/charts/postgresql/templates/svc-headless.yaml Normal file
View File

@@ -0,0 +1,18 @@
apiVersion: v1
kind: Service
metadata:
name: {{ template "postgresql.fullname" . }}-headless
labels:
{{- include "common.labels.standard" . | nindent 4 }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "postgresql.tplValue" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
type: ClusterIP
clusterIP: None
ports:
- name: tcp-postgresql
port: {{ template "postgresql.port" . }}
targetPort: tcp-postgresql
selector:
{{- include "common.labels.matchLabels" . | nindent 4 }}

42
roles/cmoa_install/files/04-keycloak/charts/postgresql/templates/svc-read.yaml Normal file
View File

@@ -0,0 +1,42 @@
{{- if .Values.replication.enabled }}
{{- $serviceAnnotations := coalesce .Values.slave.service.annotations .Values.service.annotations -}}
{{- $serviceType := coalesce .Values.slave.service.type .Values.service.type -}}
{{- $serviceLoadBalancerIP := coalesce .Values.slave.service.loadBalancerIP .Values.service.loadBalancerIP -}}
{{- $serviceLoadBalancerSourceRanges := coalesce .Values.slave.service.loadBalancerSourceRanges .Values.service.loadBalancerSourceRanges -}}
{{- $serviceClusterIP := coalesce .Values.slave.service.clusterIP .Values.service.clusterIP -}}
{{- $serviceNodePort := coalesce .Values.slave.service.nodePort .Values.service.nodePort -}}
apiVersion: v1
kind: Service
metadata:
name: {{ template "postgresql.fullname" . }}-read
labels:
{{- include "common.labels.standard" . | nindent 4 }}
annotations:
{{- if .Values.commonAnnotations }}
{{- include "postgresql.tplValue" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
{{- if $serviceAnnotations }}
{{- include "postgresql.tplValue" (dict "value" $serviceAnnotations "context" $) | nindent 4 }}
{{- end }}
spec:
type: {{ $serviceType }}
{{- if and $serviceLoadBalancerIP (eq $serviceType "LoadBalancer") }}
loadBalancerIP: {{ $serviceLoadBalancerIP }}
{{- end }}
{{- if and (eq $serviceType "LoadBalancer") $serviceLoadBalancerSourceRanges }}
loadBalancerSourceRanges: {{- include "postgresql.tplValue" (dict "value" $serviceLoadBalancerSourceRanges "context" $) | nindent 4 }}
{{- end }}
{{- if and (eq $serviceType "ClusterIP") $serviceClusterIP }}
clusterIP: {{ $serviceClusterIP }}
{{- end }}
ports:
- name: tcp-postgresql
port: {{ template "postgresql.port" . }}
targetPort: tcp-postgresql
{{- if $serviceNodePort }}
nodePort: {{ $serviceNodePort }}
{{- end }}
selector:
{{- include "common.labels.matchLabels" . | nindent 4 }}
role: slave
{{- end }}

40
roles/cmoa_install/files/04-keycloak/charts/postgresql/templates/svc.yaml Normal file
View File

@@ -0,0 +1,40 @@
{{- $serviceAnnotations := coalesce .Values.master.service.annotations .Values.service.annotations -}}
{{- $serviceType := coalesce .Values.master.service.type .Values.service.type -}}
{{- $serviceLoadBalancerIP := coalesce .Values.master.service.loadBalancerIP .Values.service.loadBalancerIP -}}
{{- $serviceLoadBalancerSourceRanges := coalesce .Values.master.service.loadBalancerSourceRanges .Values.service.loadBalancerSourceRanges -}}
{{- $serviceClusterIP := coalesce .Values.master.service.clusterIP .Values.service.clusterIP -}}
{{- $serviceNodePort := coalesce .Values.master.service.nodePort .Values.service.nodePort -}}
apiVersion: v1
kind: Service
metadata:
name: {{ template "postgresql.fullname" . }}
labels:
{{- include "common.labels.standard" . | nindent 4 }}
annotations:
{{- if .Values.commonAnnotations }}
{{- include "postgresql.tplValue" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
{{- if $serviceAnnotations }}
{{- include "postgresql.tplValue" (dict "value" $serviceAnnotations "context" $) | nindent 4 }}
{{- end }}
spec:
type: {{ $serviceType }}
{{- if and $serviceLoadBalancerIP (eq $serviceType "LoadBalancer") }}
loadBalancerIP: {{ $serviceLoadBalancerIP }}
{{- end }}
{{- if and (eq $serviceType "LoadBalancer") $serviceLoadBalancerSourceRanges }}
loadBalancerSourceRanges: {{- include "postgresql.tplValue" (dict "value" $serviceLoadBalancerSourceRanges "context" $) | nindent 4 }}
{{- end }}
{{- if and (eq $serviceType "ClusterIP") $serviceClusterIP }}
clusterIP: {{ $serviceClusterIP }}
{{- end }}
ports:
- name: tcp-postgresql
port: {{ template "postgresql.port" . }}
targetPort: tcp-postgresql
{{- if $serviceNodePort }}
nodePort: {{ $serviceNodePort }}
{{- end }}
selector:
{{- include "common.labels.matchLabels" . | nindent 4 }}
role: master

591
roles/cmoa_install/files/04-keycloak/charts/postgresql/values-production.yaml Normal file
View File

@@ -0,0 +1,591 @@
## Global Docker image parameters
## Please, note that this will override the image parameters, including dependencies, configured to use the global value
## Current available global Docker image parameters: imageRegistry and imagePullSecrets
##
global:
postgresql: {}
# imageRegistry: myRegistryName
# imagePullSecrets:
# - myRegistryKeySecretName
# storageClass: myStorageClass
## Bitnami PostgreSQL image version
## ref: https://hub.docker.com/r/bitnami/postgresql/tags/
##
image:
registry: 10.10.31.243:5000 # docker.io
repository: postgresql # bitnami/postgresql
tag: 11.8.0-debian-10-r61
## Specify a imagePullPolicy
## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images
##
pullPolicy: IfNotPresent
## Optionally specify an array of imagePullSecrets.
## Secrets must be manually created in the namespace.
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
##
# pullSecrets:
# - myRegistryKeySecretName
## Set to true if you would like to see extra information on logs
## It turns BASH and NAMI debugging in minideb
## ref: https://github.com/bitnami/minideb-extras/#turn-on-bash-debugging
debug: false
## String to partially override postgresql.fullname template (will maintain the release name)
##
# nameOverride:
## String to fully override postgresql.fullname template
##
# fullnameOverride:
##
## Init containers parameters:
## volumePermissions: Change the owner of the persist volume mountpoint to RunAsUser:fsGroup
##
volumePermissions:
enabled: false
image:
registry: 10.10.31.243:5000 # docker.io
repository: minideb # bitnami/minideb
tag: buster
## Specify a imagePullPolicy
## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images
##
pullPolicy: Always
## Optionally specify an array of imagePullSecrets.
## Secrets must be manually created in the namespace.
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
##
# pullSecrets:
# - myRegistryKeySecretName
## Init container Security Context
## Note: the chown of the data folder is done to securityContext.runAsUser
## and not the below volumePermissions.securityContext.runAsUser
## When runAsUser is set to special value "auto", init container will try to chwon the
## data folder to autodetermined user&group, using commands: `id -u`:`id -G | cut -d" " -f2`
## "auto" is especially useful for OpenShift which has scc with dynamic userids (and 0 is not allowed).
## You may want to use this volumePermissions.securityContext.runAsUser="auto" in combination with
## pod securityContext.enabled=false and shmVolume.chmod.enabled=false
##
securityContext:
runAsUser: 0
## Use an alternate scheduler, e.g. "stork".
## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
##
# schedulerName:
## Pod Security Context
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
##
securityContext:
enabled: true
fsGroup: 1001
runAsUser: 1001
## Pod Service Account
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
serviceAccount:
enabled: false
## Name of an already existing service account. Setting this value disables the automatic service account creation.
# name:
## Pod Security Policy
## ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/
psp:
create: false
## Creates role for ServiceAccount
## Required for PSP
rbac:
create: false
replication:
enabled: true
user: repl_user
password: repl_password
slaveReplicas: 2
## Set synchronous commit mode: on, off, remote_apply, remote_write and local
## ref: https://www.postgresql.org/docs/9.6/runtime-config-wal.html#GUC-WAL-LEVEL
synchronousCommit: "on"
## From the number of `slaveReplicas` defined above, set the number of those that will have synchronous replication
## NOTE: It cannot be > slaveReplicas
numSynchronousReplicas: 1
## Replication Cluster application name. Useful for defining multiple replication policies
applicationName: my_application
## PostgreSQL admin password (used when `postgresqlUsername` is not `postgres`)
## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md#creating-a-database-user-on-first-run (see note!)
# postgresqlPostgresPassword:
## PostgreSQL user (has superuser privileges if username is `postgres`)
## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md#setting-the-root-password-on-first-run
postgresqlUsername: postgres
## PostgreSQL password
## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md#setting-the-root-password-on-first-run
##
# postgresqlPassword:
## PostgreSQL password using existing secret
## existingSecret: secret
## Mount PostgreSQL secret as a file instead of passing environment variable
# usePasswordFile: false
## Create a database
## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md#creating-a-database-on-first-run
##
# postgresqlDatabase:
## PostgreSQL data dir
## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md
##
postgresqlDataDir: /bitnami/postgresql/data
## An array to add extra environment variables
## For example:
## extraEnv:
## - name: FOO
## value: "bar"
##
# extraEnv:
extraEnv: []
## Name of a ConfigMap containing extra env vars
##
# extraEnvVarsCM:
## Specify extra initdb args
## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md
##
# postgresqlInitdbArgs:
## Specify a custom location for the PostgreSQL transaction log
## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md
##
# postgresqlInitdbWalDir:
## PostgreSQL configuration
## Specify runtime configuration parameters as a dict, using camelCase, e.g.
## {"sharedBuffers": "500MB"}
## Alternatively, you can put your postgresql.conf under the files/ directory
## ref: https://www.postgresql.org/docs/current/static/runtime-config.html
##
# postgresqlConfiguration:
## PostgreSQL extended configuration
## As above, but _appended_ to the main configuration
## Alternatively, you can put your *.conf under the files/conf.d/ directory
## https://github.com/bitnami/bitnami-docker-postgresql#allow-settings-to-be-loaded-from-files-other-than-the-default-postgresqlconf
##
# postgresqlExtendedConf:
## PostgreSQL client authentication configuration
## Specify content for pg_hba.conf
## Default: do not create pg_hba.conf
## Alternatively, you can put your pg_hba.conf under the files/ directory
# pgHbaConfiguration: |-
# local all all trust
# host all all localhost trust
# host mydatabase mysuser 192.168.0.0/24 md5
## ConfigMap with PostgreSQL configuration
## NOTE: This will override postgresqlConfiguration and pgHbaConfiguration
# configurationConfigMap:
## ConfigMap with PostgreSQL extended configuration
# extendedConfConfigMap:
## initdb scripts
## Specify dictionary of scripts to be run at first boot
## Alternatively, you can put your scripts under the files/docker-entrypoint-initdb.d directory
##
# initdbScripts:
# my_init_script.sh: |
# #!/bin/sh
# echo "Do something."
## Specify the PostgreSQL username and password to execute the initdb scripts
# initdbUser:
# initdbPassword:
## ConfigMap with scripts to be run at first boot
## NOTE: This will override initdbScripts
# initdbScriptsConfigMap:
## Secret with scripts to be run at first boot (in case it contains sensitive information)
## NOTE: This can work along initdbScripts or initdbScriptsConfigMap
# initdbScriptsSecret:
## Optional duration in seconds the pod needs to terminate gracefully.
## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods
##
# terminationGracePeriodSeconds: 30
## LDAP configuration
##
ldap:
enabled: false
url: ""
server: ""
port: ""
prefix: ""
suffix: ""
baseDN: ""
bindDN: ""
bind_password:
search_attr: ""
search_filter: ""
scheme: ""
tls: false
## PostgreSQL service configuration
service:
## PosgresSQL service type
type: ClusterIP
# clusterIP: None
port: 5432
## Specify the nodePort value for the LoadBalancer and NodePort service types.
## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport
##
# nodePort:
## Provide any additional annotations which may be required. Evaluated as a template.
##
annotations: {}
## Set the LoadBalancer service type to internal only.
## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer
##
# loadBalancerIP:
## Load Balancer sources. Evaluated as a template.
## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
##
# loadBalancerSourceRanges:
# - 10.10.10.0/24
## Start master and slave(s) pod(s) without limitations on shm memory.
## By default docker and containerd (and possibly other container runtimes)
## limit `/dev/shm` to `64M` (see e.g. the
## [docker issue](https://github.com/docker-library/postgres/issues/416) and the
## [containerd issue](https://github.com/containerd/containerd/issues/3654),
## which could be not enough if PostgreSQL uses parallel workers heavily.
##
shmVolume:
## Set `shmVolume.enabled` to `true` to mount a new tmpfs volume to remove
## this limitation.
##
enabled: true
## Set to `true` to `chmod 777 /dev/shm` on a initContainer.
## This option is ingored if `volumePermissions.enabled` is `false`
##
chmod:
enabled: true
## PostgreSQL data Persistent Volume Storage Class
## If defined, storageClassName: <storageClass>
## If set to "-", storageClassName: "", which disables dynamic provisioning
## If undefined (the default) or set to null, no storageClassName spec is
## set, choosing the default provisioner. (gp2 on AWS, standard on
## GKE, AWS & OpenStack)
##
persistence:
enabled: true
## A manually managed Persistent Volume and Claim
## If defined, PVC must be created manually before volume will be bound
## The value is evaluated as a template, so, for example, the name can depend on .Release or .Chart
##
# existingClaim:
## The path the volume will be mounted at, useful when using different
## PostgreSQL images.
##
mountPath: /bitnami/postgresql
## The subdirectory of the volume to mount to, useful in dev environments
## and one PV for multiple services.
##
subPath: ""
# storageClass: "-"
accessModes:
- ReadWriteOnce
size: 8Gi
annotations: {}
## updateStrategy for PostgreSQL StatefulSet and its slaves StatefulSets
## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies
updateStrategy:
type: RollingUpdate
##
## PostgreSQL Master parameters
##
master:
## Node, affinity, tolerations, and priorityclass settings for pod assignment
## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#taints-and-tolerations-beta-feature
## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption
nodeSelector: {}
affinity: {}
tolerations: []
labels: {}
annotations: {}
podLabels: {}
podAnnotations: {}
priorityClassName: ""
## Additional PostgreSQL Master Volume mounts
##
extraVolumeMounts: []
## Additional PostgreSQL Master Volumes
##
extraVolumes: []
## Add sidecars to the pod
##
## For example:
## sidecars:
## - name: your-image-name
## image: your-image
## imagePullPolicy: Always
## ports:
## - name: portname
## containerPort: 1234
sidecars: []
## Override the service configuration for master
##
service: {}
# type:
# nodePort:
# clusterIP:
##
## PostgreSQL Slave parameters
##
slave:
## Node, affinity, tolerations, and priorityclass settings for pod assignment
## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#taints-and-tolerations-beta-feature
## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption
nodeSelector: {}
affinity: {}
tolerations: []
labels: {}
annotations: {}
podLabels: {}
podAnnotations: {}
priorityClassName: ""
## Extra init containers
## Example
##
## extraInitContainers:
## - name: do-something
## image: busybox
## command: ['do', 'something']
extraInitContainers: []
## Additional PostgreSQL Slave Volume mounts
##
extraVolumeMounts: []
## Additional PostgreSQL Slave Volumes
##
extraVolumes: []
## Add sidecars to the pod
##
## For example:
## sidecars:
## - name: your-image-name
## image: your-image
## imagePullPolicy: Always
## ports:
## - name: portname
## containerPort: 1234
sidecars: []
## Override the service configuration for slave
##
service: {}
# type:
# nodePort:
# clusterIP:
## Configure resource requests and limits
## ref: http://kubernetes.io/docs/user-guide/compute-resources/
##
resources:
requests:
memory: 256Mi
cpu: 250m
## Add annotations to all the deployed resources
##
commonAnnotations: {}
networkPolicy:
## Enable creation of NetworkPolicy resources. Only Ingress traffic is filtered for now.
##
enabled: false
## The Policy model to apply. When set to false, only pods with the correct
## client label will have network access to the port PostgreSQL is listening
## on. When true, PostgreSQL will accept connections from any source
## (with the correct destination port).
##
allowExternal: true
## if explicitNamespacesSelector is missing or set to {}, only client Pods that are in the networkPolicy's namespace
## and that match other criteria, the ones that have the good label, can reach the DB.
## But sometimes, we want the DB to be accessible to clients from other namespaces, in this case, we can use this
## LabelSelector to select these namespaces, note that the networkPolicy's namespace should also be explicitly added.
##
## Example:
## explicitNamespacesSelector:
## matchLabels:
## role: frontend
## matchExpressions:
## - {key: role, operator: In, values: [frontend]}
explicitNamespacesSelector: {}
## Configure extra options for liveness and readiness probes
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes)
livenessProbe:
enabled: true
initialDelaySeconds: 30
periodSeconds: 10
timeoutSeconds: 5
failureThreshold: 6
successThreshold: 1
readinessProbe:
enabled: true
initialDelaySeconds: 5
periodSeconds: 10
timeoutSeconds: 5
failureThreshold: 6
successThreshold: 1
##
## TLS configuration
##
tls:
# Enable TLS traffic
enabled: false
#
# Whether to use the server's TLS cipher preferences rather than the client's.
preferServerCiphers: true
#
# Name of the Secret that contains the certificates
certificatesSecret: ""
#
# Certificate filename
certFilename: ""
#
# Certificate Key filename
certKeyFilename: ""
#
# CA Certificate filename
# If provided, PostgreSQL will authenticate TLS/SSL clients by requesting them a certificate
# ref: https://www.postgresql.org/docs/9.6/auth-methods.html
certCAFilename:
#
# File containing a Certificate Revocation List
crlFilename:
## Configure metrics exporter
##
metrics:
enabled: true
# resources: {}
service:
type: ClusterIP
annotations:
prometheus.io/scrape: "true"
prometheus.io/port: "9187"
loadBalancerIP:
serviceMonitor:
enabled: false
additionalLabels: {}
# namespace: monitoring
# interval: 30s
# scrapeTimeout: 10s
## Custom PrometheusRule to be defined
## The value is evaluated as a template, so, for example, the value can depend on .Release or .Chart
## ref: https://github.com/coreos/prometheus-operator#customresourcedefinitions
prometheusRule:
enabled: false
additionalLabels: {}
namespace: ""
## These are just examples rules, please adapt them to your needs.
## Make sure to constraint the rules to the current postgresql service.
## rules:
## - alert: HugeReplicationLag
## expr: pg_replication_lag{service="{{ template "postgresql.fullname" . }}-metrics"} / 3600 > 1
## for: 1m
## labels:
## severity: critical
## annotations:
## description: replication for {{ template "postgresql.fullname" . }} PostgreSQL is lagging by {{ "{{ $value }}" }} hour(s).
## summary: PostgreSQL replication is lagging by {{ "{{ $value }}" }} hour(s).
rules: []
image:
registry: 10.10.31.243:5000 # docker.io
repository: postgres-exporter # bitnami/postgres-exporter
tag: 0.8.0-debian-10-r166
pullPolicy: IfNotPresent
## Optionally specify an array of imagePullSecrets.
## Secrets must be manually created in the namespace.
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
##
# pullSecrets:
# - myRegistryKeySecretName
## Define additional custom metrics
## ref: https://github.com/wrouesnel/postgres_exporter#adding-new-metrics-via-a-config-file
# customMetrics:
# pg_database:
# query: "SELECT d.datname AS name, CASE WHEN pg_catalog.has_database_privilege(d.datname, 'CONNECT') THEN pg_catalog.pg_database_size(d.datname) ELSE 0 END AS size FROM pg_catalog.pg_database d where datname not in ('template0', 'template1', 'postgres')"
# metrics:
# - name:
# usage: "LABEL"
# description: "Name of the database"
# - size_bytes:
# usage: "GAUGE"
# description: "Size of the database in bytes"
## An array to add extra env vars to configure postgres-exporter
## see: https://github.com/wrouesnel/postgres_exporter#environment-variables
## For example:
# extraEnvVars:
# - name: PG_EXPORTER_DISABLE_DEFAULT_METRICS
# value: "true"
extraEnvVars: {}
## Pod Security Context
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
##
securityContext:
enabled: false
runAsUser: 1001
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes)
## Configure extra options for liveness and readiness probes
livenessProbe:
enabled: true
initialDelaySeconds: 5
periodSeconds: 10
timeoutSeconds: 5
failureThreshold: 6
successThreshold: 1
readinessProbe:
enabled: true
initialDelaySeconds: 5
periodSeconds: 10
timeoutSeconds: 5
failureThreshold: 6
successThreshold: 1

103
roles/cmoa_install/files/04-keycloak/charts/postgresql/values.schema.json Normal file
View File

@@ -0,0 +1,103 @@
{
"$schema": "http://json-schema.org/schema#",
"type": "object",
"properties": {
"postgresqlUsername": {
"type": "string",
"title": "Admin user",
"form": true
},
"postgresqlPassword": {
"type": "string",
"title": "Password",
"form": true
},
"persistence": {
"type": "object",
"properties": {
"size": {
"type": "string",
"title": "Persistent Volume Size",
"form": true,
"render": "slider",
"sliderMin": 1,
"sliderMax": 100,
"sliderUnit": "Gi"
}
}
},
"resources": {
"type": "object",
"title": "Required Resources",
"description": "Configure resource requests",
"form": true,
"properties": {
"requests": {
"type": "object",
"properties": {
"memory": {
"type": "string",
"form": true,
"render": "slider",
"title": "Memory Request",
"sliderMin": 10,
"sliderMax": 2048,
"sliderUnit": "Mi"
},
"cpu": {
"type": "string",
"form": true,
"render": "slider",
"title": "CPU Request",
"sliderMin": 10,
"sliderMax": 2000,
"sliderUnit": "m"
}
}
}
}
},
"replication": {
"type": "object",
"form": true,
"title": "Replication Details",
"properties": {
"enabled": {
"type": "boolean",
"title": "Enable Replication",
"form": true
},
"slaveReplicas": {
"type": "integer",
"title": "Slave Replicas",
"form": true,
"hidden": {
"value": false,
"path": "replication/enabled"
}
}
}
},
"volumePermissions": {
"type": "object",
"properties": {
"enabled": {
"type": "boolean",
"form": true,
"title": "Enable Init Containers",
"description": "Change the owner of the persist volume mountpoint to RunAsUser:fsGroup"
}
}
},
"metrics": {
"type": "object",
"properties": {
"enabled": {
"type": "boolean",
"title": "Configure metrics exporter",
"form": true
}
}
}
}
}

604
roles/cmoa_install/files/04-keycloak/charts/postgresql/values.yaml Normal file
View File

@@ -0,0 +1,604 @@
## Global Docker image parameters
## Please, note that this will override the image parameters, including dependencies, configured to use the global value
## Current available global Docker image parameters: imageRegistry and imagePullSecrets
##
global:
postgresql: {}
# imageRegistry: myRegistryName
# imagePullSecrets:
# - myRegistryKeySecretName
# storageClass: myStorageClass
## Bitnami PostgreSQL image version
## ref: https://hub.docker.com/r/bitnami/postgresql/tags/
##
image:
#registry: cdm-dev.exem-oss.org/keycloak
registry: 10.10.31.243:5000/keycloak # registry.openstacklocal:5000/keycloak
repository: keycloak-postgresql
tag: 11.8.0
## Specify a imagePullPolicy
## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images
##
pullPolicy: Always
## Optionally specify an array of imagePullSecrets.
## Secrets must be manually created in the namespace.
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
##
# pullSecrets:
# - myRegistryKeySecretName
## Set to true if you would like to see extra information on logs
## It turns BASH and NAMI debugging in minideb
## ref: https://github.com/bitnami/minideb-extras/#turn-on-bash-debugging
debug: false
## String to partially override postgresql.fullname template (will maintain the release name)
##
# nameOverride:
## String to fully override postgresql.fullname template
##
# fullnameOverride:
##
## Init containers parameters:
## volumePermissions: Change the owner of the persist volume mountpoint to RunAsUser:fsGroup
##
volumePermissions:
enabled: true
image:
#registry: cdm-dev.exem-oss.org
registry: 10.10.31.243:5000 # registry.openstacklocal:5000
repository: minideb # keycloak/minideb
tag: buster
## Specify a imagePullPolicy
## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images
##
pullPolicy: Always
## Optionally specify an array of imagePullSecrets.
## Secrets must be manually created in the namespace.
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
##
# pullSecrets:
# - myRegistryKeySecretName
## Init container Security Context
## Note: the chown of the data folder is done to securityContext.runAsUser
## and not the below volumePermissions.securityContext.runAsUser
## When runAsUser is set to special value "auto", init container will try to chwon the
## data folder to autodetermined user&group, using commands: `id -u`:`id -G | cut -d" " -f2`
## "auto" is especially useful for OpenShift which has scc with dynamic userids (and 0 is not allowed).
## You may want to use this volumePermissions.securityContext.runAsUser="auto" in combination with
## pod securityContext.enabled=false and shmVolume.chmod.enabled=false
##
securityContext:
runAsUser: 0
## Use an alternate scheduler, e.g. "stork".
## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
##
# schedulerName:
## Pod Security Context
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
##
securityContext:
enabled: true
fsGroup: 1001
runAsUser: 1001
## Pod Service Account
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
serviceAccount:
enabled: false
## Name of an already existing service account. Setting this value disables the automatic service account creation.
# name:
## Pod Security Policy
## ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/
psp:
create: false
## Creates role for ServiceAccount
## Required for PSP
rbac:
create: false
replication:
enabled: false
user: repl_user
password: repl_password
slaveReplicas: 1
## Set synchronous commit mode: on, off, remote_apply, remote_write and local
## ref: https://www.postgresql.org/docs/9.6/runtime-config-wal.html#GUC-WAL-LEVEL
synchronousCommit: "off"
## From the number of `slaveReplicas` defined above, set the number of those that will have synchronous replication
## NOTE: It cannot be > slaveReplicas
numSynchronousReplicas: 0
## Replication Cluster application name. Useful for defining multiple replication policies
applicationName: my_application
## PostgreSQL admin password (used when `postgresqlUsername` is not `postgres`)
## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md#creating-a-database-user-on-first-run (see note!)
# postgresqlPostgresPassword:
## PostgreSQL user (has superuser privileges if username is `postgres`)
## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md#setting-the-root-password-on-first-run
postgresqlUsername: postgres
## PostgreSQL password
## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md#setting-the-root-password-on-first-run
##
# postgresqlPassword:
## PostgreSQL password using existing secret
## existingSecret: secret
## Mount PostgreSQL secret as a file instead of passing environment variable
# usePasswordFile: false
## Create a database
## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md#creating-a-database-on-first-run
##
# postgresqlDatabase:
## PostgreSQL data dir
## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md
##
postgresqlDataDir: /bitnami/postgresql/data
#postgresqlDataDir: /var/lib/postgresql/data/pgdata
## An array to add extra environment variables
## For example:
## extraEnv:
## - name: FOO
## value: "bar"
##
# extraEnv:
extraEnv: []
## Name of a ConfigMap containing extra env vars
##
# extraEnvVarsCM:
## Specify extra initdb args
## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md
##
# postgresqlInitdbArgs:
## Specify a custom location for the PostgreSQL transaction log
## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md
##
# postgresqlInitdbWalDir:
## PostgreSQL configuration
## Specify runtime configuration parameters as a dict, using camelCase, e.g.
## {"sharedBuffers": "500MB"}
## Alternatively, you can put your postgresql.conf under the files/ directory
## ref: https://www.postgresql.org/docs/current/static/runtime-config.html
##
# postgresqlConfiguration:
## PostgreSQL extended configuration
## As above, but _appended_ to the main configuration
## Alternatively, you can put your *.conf under the files/conf.d/ directory
## https://github.com/bitnami/bitnami-docker-postgresql#allow-settings-to-be-loaded-from-files-other-than-the-default-postgresqlconf
##
# postgresqlExtendedConf:
## PostgreSQL client authentication configuration
## Specify content for pg_hba.conf
## Default: do not create pg_hba.conf
## Alternatively, you can put your pg_hba.conf under the files/ directory
# pgHbaConfiguration: |-
# local all all trust
# host all all localhost trust
# host mydatabase mysuser 192.168.0.0/24 md5
## ConfigMap with PostgreSQL configuration
## NOTE: This will override postgresqlConfiguration and pgHbaConfiguration
# configurationConfigMap:
## ConfigMap with PostgreSQL extended configuration
# extendedConfConfigMap:
## initdb scripts
## Specify dictionary of scripts to be run at first boot
## Alternatively, you can put your scripts under the files/docker-entrypoint-initdb.d directory
##
# initdbScripts:
# my_init_script.sh: |
# #!/bin/sh
# echo "Do something."
## ConfigMap with scripts to be run at first boot
## NOTE: This will override initdbScripts
# initdbScriptsConfigMap:
## Secret with scripts to be run at first boot (in case it contains sensitive information)
## NOTE: This can work along initdbScripts or initdbScriptsConfigMap
# initdbScriptsSecret:
## Specify the PostgreSQL username and password to execute the initdb scripts
# initdbUser:
# initdbPassword:
## Optional duration in seconds the pod needs to terminate gracefully.
## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods
##
# terminationGracePeriodSeconds: 30
## LDAP configuration
##
ldap:
enabled: false
url: ""
server: ""
port: ""
prefix: ""
suffix: ""
baseDN: ""
bindDN: ""
bind_password:
search_attr: ""
search_filter: ""
scheme: ""
tls: false
## PostgreSQL service configuration
service:
## PosgresSQL service type
type: ClusterIP
# clusterIP: None
port: 5432
## Specify the nodePort value for the LoadBalancer and NodePort service types.
## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport
##
# nodePort:
## Provide any additional annotations which may be required. Evaluated as a template.
##
annotations: {}
## Set the LoadBalancer service type to internal only.
## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer
##
# loadBalancerIP:
## Load Balancer sources. Evaluated as a template.
## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
##
# loadBalancerSourceRanges:
# - 10.10.10.0/24
## Start master and slave(s) pod(s) without limitations on shm memory.
## By default docker and containerd (and possibly other container runtimes)
## limit `/dev/shm` to `64M` (see e.g. the
## [docker issue](https://github.com/docker-library/postgres/issues/416) and the
## [containerd issue](https://github.com/containerd/containerd/issues/3654),
## which could be not enough if PostgreSQL uses parallel workers heavily.
##
shmVolume:
## Set `shmVolume.enabled` to `true` to mount a new tmpfs volume to remove
## this limitation.
##
enabled: true
## Set to `true` to `chmod 777 /dev/shm` on a initContainer.
## This option is ingored if `volumePermissions.enabled` is `false`
##
chmod:
enabled: true
## PostgreSQL data Persistent Volume Storage Class
## If defined, storageClassName: <storageClass>
## If set to "-", storageClassName: "", which disables dynamic provisioning
## If undefined (the default) or set to null, no storageClassName spec is
## set, choosing the default provisioner. (gp2 on AWS, standard on
## GKE, AWS & OpenStack)
##
persistence:
enabled: true
## A manually managed Persistent Volume and Claim
## If defined, PVC must be created manually before volume will be bound
## The value is evaluated as a template, so, for example, the name can depend on .Release or .Chart
##
# existingClaim:
## The path the volume will be mounted at, useful when using different
## PostgreSQL images.
##
mountPath: /bitnami/postgresql
## The subdirectory of the volume to mount to, useful in dev environments
## and one PV for multiple services.
##
subPath: ""
storageClass: ""
accessModes:
- ReadWriteOnce
size: 8Gi
annotations: {}
## updateStrategy for PostgreSQL StatefulSet and its slaves StatefulSets
## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies
updateStrategy:
type: RollingUpdate
##
## PostgreSQL Master parameters
##
master:
## Node, affinity, tolerations, and priorityclass settings for pod assignment
## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#taints-and-tolerations-beta-feature
## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption
nodeSelector: {}
affinity: {}
tolerations: []
labels: {}
annotations: {}
podLabels: {}
podAnnotations: {}
priorityClassName: ""
## Extra init containers
## Example
##
## extraInitContainers:
## - name: do-something
## image: busybox
## command: ['do', 'something']
extraInitContainers: []
## Additional PostgreSQL Master Volume mounts
##
extraVolumeMounts: []
## Additional PostgreSQL Master Volumes
##
extraVolumes: []
## Add sidecars to the pod
##
## For example:
## sidecars:
## - name: your-image-name
## image: your-image
## imagePullPolicy: IfNotPresent
## ports:
## - name: portname
## containerPort: 1234
sidecars: []
## Override the service configuration for master
##
service: {}
# type:
# nodePort:
# clusterIP:
##
## PostgreSQL Slave parameters
##
slave:
## Node, affinity, tolerations, and priorityclass settings for pod assignment
## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#taints-and-tolerations-beta-feature
## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption
nodeSelector: {}
affinity: {}
tolerations: []
labels: {}
annotations: {}
podLabels: {}
podAnnotations: {}
priorityClassName: ""
extraInitContainers: |
# - name: do-something
# image: busybox
# command: ['do', 'something']
## Additional PostgreSQL Slave Volume mounts
##
extraVolumeMounts: []
## Additional PostgreSQL Slave Volumes
##
extraVolumes: []
## Add sidecars to the pod
##
## For example:
## sidecars:
## - name: your-image-name
## image: your-image
## imagePullPolicy: IfNotPresent
## ports:
## - name: portname
## containerPort: 1234
sidecars: []
## Override the service configuration for slave
##
service: {}
# type:
# nodePort:
# clusterIP:
## Configure resource requests and limits
## ref: http://kubernetes.io/docs/user-guide/compute-resources/
##
resources:
requests:
memory: 256Mi
cpu: 250m
## Add annotations to all the deployed resources
##
commonAnnotations: {}
networkPolicy:
## Enable creation of NetworkPolicy resources. Only Ingress traffic is filtered for now.
##
enabled: false
## The Policy model to apply. When set to false, only pods with the correct
## client label will have network access to the port PostgreSQL is listening
## on. When true, PostgreSQL will accept connections from any source
## (with the correct destination port).
##
allowExternal: true
## if explicitNamespacesSelector is missing or set to {}, only client Pods that are in the networkPolicy's namespace
## and that match other criteria, the ones that have the good label, can reach the DB.
## But sometimes, we want the DB to be accessible to clients from other namespaces, in this case, we can use this
## LabelSelector to select these namespaces, note that the networkPolicy's namespace should also be explicitly added.
##
## Example:
## explicitNamespacesSelector:
## matchLabels:
## role: frontend
## matchExpressions:
## - {key: role, operator: In, values: [frontend]}
explicitNamespacesSelector: {}
## Configure extra options for liveness and readiness probes
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes)
livenessProbe:
enabled: true
initialDelaySeconds: 30
periodSeconds: 10
timeoutSeconds: 5
failureThreshold: 6
successThreshold: 1
readinessProbe:
enabled: true
initialDelaySeconds: 5
periodSeconds: 10
timeoutSeconds: 5
failureThreshold: 6
successThreshold: 1
##
## TLS configuration
##
tls:
# Enable TLS traffic
enabled: false
#
# Whether to use the server's TLS cipher preferences rather than the client's.
preferServerCiphers: true
#
# Name of the Secret that contains the certificates
certificatesSecret: ""
#
# Certificate filename
certFilename: ""
#
# Certificate Key filename
certKeyFilename: ""
#
# CA Certificate filename
# If provided, PostgreSQL will authenticate TLS/SSL clients by requesting them a certificate
# ref: https://www.postgresql.org/docs/9.6/auth-methods.html
certCAFilename:
#
# File containing a Certificate Revocation List
crlFilename:
## Configure metrics exporter
##
metrics:
enabled: false
# resources: {}
service:
type: ClusterIP
annotations:
prometheus.io/scrape: "true"
prometheus.io/port: "9187"
loadBalancerIP:
serviceMonitor:
enabled: false
additionalLabels: {}
# namespace: monitoring
# interval: 30s
# scrapeTimeout: 10s
## Custom PrometheusRule to be defined
## The value is evaluated as a template, so, for example, the value can depend on .Release or .Chart
## ref: https://github.com/coreos/prometheus-operator#customresourcedefinitions
prometheusRule:
enabled: false
additionalLabels: {}
namespace: ""
## These are just examples rules, please adapt them to your needs.
## Make sure to constraint the rules to the current postgresql service.
## rules:
## - alert: HugeReplicationLag
## expr: pg_replication_lag{service="{{ template "postgresql.fullname" . }}-metrics"} / 3600 > 1
## for: 1m
## labels:
## severity: critical
## annotations:
## description: replication for {{ template "postgresql.fullname" . }} PostgreSQL is lagging by {{ "{{ $value }}" }} hour(s).
## summary: PostgreSQL replication is lagging by {{ "{{ $value }}" }} hour(s).
rules: []
image:
registry: 10.10.31.243:5000 # docker.io
repository: postgres-exporter # bitnami/postgres-exporter
tag: 0.8.0-debian-10-r166
pullPolicy: IfNotPresent
## Optionally specify an array of imagePullSecrets.
## Secrets must be manually created in the namespace.
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
##
# pullSecrets:
# - myRegistryKeySecretName
## Define additional custom metrics
## ref: https://github.com/wrouesnel/postgres_exporter#adding-new-metrics-via-a-config-file
# customMetrics:
# pg_database:
# query: "SELECT d.datname AS name, CASE WHEN pg_catalog.has_database_privilege(d.datname, 'CONNECT') THEN pg_catalog.pg_database_size(d.datname) ELSE 0 END AS size_bytes FROM pg_catalog.pg_database d where datname not in ('template0', 'template1', 'postgres')"
# metrics:
# - name:
# usage: "LABEL"
# description: "Name of the database"
# - size_bytes:
# usage: "GAUGE"
# description: "Size of the database in bytes"
#
## An array to add extra env vars to configure postgres-exporter
## see: https://github.com/wrouesnel/postgres_exporter#environment-variables
## For example:
# extraEnvVars:
# - name: PG_EXPORTER_DISABLE_DEFAULT_METRICS
# value: "true"
extraEnvVars: {}
## Pod Security Context
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
##
securityContext:
enabled: false
runAsUser: 1001
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes)
## Configure extra options for liveness and readiness probes
livenessProbe:
enabled: true
initialDelaySeconds: 5
periodSeconds: 10
timeoutSeconds: 5
failureThreshold: 6
successThreshold: 1
readinessProbe:
enabled: true
initialDelaySeconds: 5
periodSeconds: 10
timeoutSeconds: 5
failureThreshold: 6
successThreshold: 1
#persistentVolume nodeAffinity Value Require this value
node:
affinity: imxc-worker1

38
roles/cmoa_install/files/04-keycloak/ci/h2-values.yaml Normal file
View File

@@ -0,0 +1,38 @@
extraEnv: |
- name: DB_VENDOR
value: h2
- name: KEYCLOAK_USER_FILE
value: /secrets/admin-creds/user
- name: KEYCLOAK_PASSWORD_FILE
value: /secrets/admin-creds/password
- name: JAVA_OPTS
value: >-
-XX:+UseContainerSupport
-XX:MaxRAMPercentage=50.0
-Djava.net.preferIPv4Stack=true
-Djboss.modules.system.pkgs=$JBOSS_MODULES_SYSTEM_PKGS
-Djava.awt.headless=true
secrets:
admin-creds:
annotations:
my-test-annotation: Test secret for {{ include "keycloak.fullname" . }}
stringData:
user: admin
password: secret
extraVolumeMounts: |
- name: admin-creds
mountPath: /secrets/admin-creds
readOnly: true
extraVolumes: |
- name: admin-creds
secret:
secretName: '{{ include "keycloak.fullname" . }}-admin-creds'
postgresql:
enabled: false
test:
enabled: true

73
roles/cmoa_install/files/04-keycloak/ci/postgres-ha-values.yaml Normal file
View File

@@ -0,0 +1,73 @@
replicas: 2
podLabels:
test-label: test-label-value
podAnnotations:
test-annotation: test-annotation-value-{{ .Release.Name }}
test-int-annotation: "12345"
startupScripts:
hello.sh: |
#!/bin/sh
echo '********************************************************************************'
echo '* *'
echo '* Hello from my startup script! *'
echo '* *'
echo '********************************************************************************'
lifecycleHooks: |
postStart:
exec:
command:
- /bin/sh
- -c
- echo 'Hello from lifecycle hook!'
extraEnv: |
- name: JGROUPS_DISCOVERY_PROTOCOL
value: dns.DNS_PING
- name: JGROUPS_DISCOVERY_PROPERTIES
value: 'dns_query={{ include "keycloak.serviceDnsName" . }}'
- name: CACHE_OWNERS_COUNT
value: "2"
- name: CACHE_OWNERS_AUTH_SESSIONS_COUNT
value: "2"
- name: KEYCLOAK_USER_FILE
value: /secrets/admin-creds/user
- name: KEYCLOAK_PASSWORD_FILE
value: /secrets/admin-creds/password
- name: KEYCLOAK_STATISTICS
value: all
- name: JAVA_OPTS
value: >-
-XX:+UseContainerSupport
-XX:MaxRAMPercentage=50.0
-Djava.net.preferIPv4Stack=true
-Djboss.modules.system.pkgs=$JBOSS_MODULES_SYSTEM_PKGS
-Djava.awt.headless=true
secrets:
admin-creds:
stringData:
user: admin
password: secret
extraVolumeMounts: |
- name: admin-creds
mountPath: /secrets/admin-creds
readOnly: true
extraVolumes: |
- name: admin-creds
secret:
secretName: '{{ include "keycloak.fullname" . }}-admin-creds'
postgresql:
enabled: true
persistence:
enabled: true
test:
enabled: true

6
roles/cmoa_install/files/04-keycloak/requirements.lock Normal file
View File

@@ -0,0 +1,6 @@
dependencies:
- name: postgresql
repository: https://charts.bitnami.com/bitnami
version: 9.1.1
digest: sha256:33ee9e6caa9e519633071fd71aedd9de7906b9a9d7fb629eb814d9f72bb8d68e
generated: "2020-07-24T07:40:55.78753+02:00"

5
roles/cmoa_install/files/04-keycloak/requirements.yaml Normal file
View File

@@ -0,0 +1,5 @@
dependencies:
- name: postgresql
version: 9.1.1
repository: https://charts.bitnami.com/bitnami
condition: postgresql.enabled

13
roles/cmoa_install/files/04-keycloak/scripts/keycloak.cli Normal file
View File

@@ -0,0 +1,13 @@
embed-server --server-config=standalone-ha.xml --std-out=echo
batch
echo Configuring node identifier
## Sets the node identifier to the node name (= pod name). Node identifiers have to be unique. They can have a
## maximum length of 23 characters. Thus, the chart's fullname template truncates its length accordingly.
/subsystem=transactions:write-attribute(name=node-identifier, value=${jboss.node.name})
echo Finished configuring node identifier
run-batch
stop-embedded-server

61
roles/cmoa_install/files/04-keycloak/templates/NOTES.txt Normal file
View File

@@ -0,0 +1,61 @@
***********************************************************************
* *
* Keycloak Helm Chart by codecentric AG *
* *
***********************************************************************
{{- if .Values.ingress.enabled }}
Keycloak was installed with an Ingress and an be reached at the following URL(s):
{{ range $unused, $rule := .Values.ingress.rules }}
{{- range $rule.paths }}
- http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $rule.host }}{{ . }}
{{- end }}
{{- end }}
{{- else if eq "NodePort" .Values.service.type }}
Keycloak was installed with a Service of type NodePort.
{{ if .Values.service.httpNodePort }}
Get its HTTP URL with the following commands:
export NODE_PORT=$(kubectl get --namespace imxc service {{ include "keycloak.fullname" . }}-http --template='{{"{{ range .spec.ports }}{{ if eq .name \"http\" }}{{ .nodePort }}{{ end }}{{ end }}"}}')
export NODE_IP=$(kubectl get nodes --namespace imxc -o jsonpath="{.items[0].status.addresses[0].address}")
echo "http://$NODE_IP:$NODE_PORT"
{{- end }}
{{ if .Values.service.httpsNodePort }}
Get its HTTPS URL with the following commands:
export NODE_PORT=$(kubectl get --namespace imxc service {{ include "keycloak.fullname" . }}-http --template='{{"{{ range .spec.ports }}{{ if eq .name \"https\" }}{{ .nodePort }}{{ end }}{{ end }}"}}')
export NODE_IP=$(kubectl get nodes --namespace imxc -o jsonpath="{.items[0].status.addresses[0].address}")
echo "http://$NODE_IP:$NODE_PORT"
{{- end }}
{{- else if eq "LoadBalancer" .Values.service.type }}
Keycloak was installed with a Service of type LoadBalancer
NOTE: It may take a few minutes for the LoadBalancer IP to be available.
You can watch the status of by running 'kubectl get --namespace imxc service -w {{ include "keycloak.fullname" . }}'
Get its HTTP URL with the following commands:
export SERVICE_IP=$(kubectl get service --namespace imxc {{ include "keycloak.fullname" . }}-http --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
echo "http://$SERVICE_IP:{{ .Values.service.httpPort }}"
Get its HTTPS URL with the following commands:
export SERVICE_IP=$(kubectl get service --namespace imxc {{ include "keycloak.fullname" . }}-http --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
echo "http://$SERVICE_IP:{{ .Values.service.httpsPort }}"
{{- else if eq "ClusterIP" .Values.service.type }}
Keycloak was installed with a Service of type ClusterIP
Create a port-forwarding with the following commands:
export POD_NAME=$(kubectl get pods --namespace imxc -l "app.kubernetes.io/name={{ include "keycloak.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o name)
echo "Visit http://127.0.0.1:8080 to use your application"
kubectl --namespace imxc port-forward "$POD_NAME" 8080
{{- end }}

87
roles/cmoa_install/files/04-keycloak/templates/_helpers.tpl Normal file
View File

@@ -0,0 +1,87 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "keycloak.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Create a default fully qualified app name.
We truncate to 20 characters because this is used to set the node identifier in WildFly which is limited to
23 characters. This allows for a replica suffix for up to 99 replicas.
*/}}
{{- define "keycloak.fullname" -}}
{{- if .Values.fullnameOverride }}
{{- .Values.fullnameOverride | trunc 20 | trimSuffix "-" }}
{{- else }}
{{- $name := default .Chart.Name .Values.nameOverride }}
{{- if contains $name .Release.Name }}
{{- .Release.Name | trunc 20 | trimSuffix "-" }}
{{- else }}
{{- printf "%s-%s" .Release.Name $name | trunc 20 | trimSuffix "-" }}
{{- end }}
{{- end }}
{{- end }}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "keycloak.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Common labels
*/}}
{{- define "keycloak.labels" -}}
helm.sh/chart: {{ include "keycloak.chart" . }}
{{ include "keycloak.selectorLabels" . }}
app.kubernetes.io/version: {{ .Values.image.tag | default .Chart.AppVersion | quote }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "keycloak.selectorLabels" -}}
app.kubernetes.io/name: {{ include "keycloak.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
{{/*
Create the name of the service account to use
*/}}
{{- define "keycloak.serviceAccountName" -}}
{{- if .Values.serviceAccount.create }}
{{- default (include "keycloak.fullname" .) .Values.serviceAccount.name }}
{{- else }}
{{- default "default" .Values.serviceAccount.name }}
{{- end }}
{{- end }}
{{/*
Create a default fully qualified app name for the postgres requirement.
*/}}
{{- define "keycloak.postgresql.fullname" -}}
{{- $postgresContext := dict "Values" .Values.postgresql "Release" .Release "Chart" (dict "Name" "postgresql") -}}
{{ include "postgresql.fullname" $postgresContext }}
{{- end }}
{{/*
Create the service DNS name.
*/}}
{{- define "keycloak.serviceDnsName" -}}
{{ include "keycloak.fullname" . }}-headless.imxc.svc.{{ .Values.clusterDomain }}
{{- end }}
{{/*
Return the appropriate apiVersion for ingress.
*/}}
{{- define "keycloak.ingressAPIVersion" -}}
{{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" -}}
{{- print "networking.k8s.io/v1" -}}
{{- else -}}
{{- print "networking.k8s.io/v1beta1" -}}
{{- end -}}
{{- end -}}

14
roles/cmoa_install/files/04-keycloak/templates/configmap-startup.yaml Normal file
View File

@@ -0,0 +1,14 @@
{{- if .Values.startupScripts }}
{{- $highAvailability := gt (int .Values.replicas) 1 -}}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "keycloak.fullname" . }}-startup
labels:
{{- include "keycloak.labels" . | nindent 4 }}
data:
{{- range $key, $value := .Values.startupScripts }}
{{ $key }}: |
{{- tpl $value $ | nindent 4 }}
{{- end }}
{{- end -}}

22
roles/cmoa_install/files/04-keycloak/templates/hpa.yaml Normal file
View File

@@ -0,0 +1,22 @@
{{- if .Values.autoscaling.enabled }}
apiVersion: autoscaling/v2beta2
kind: HorizontalPodAutoscaler
metadata:
name: {{ include "keycloak.fullname" . }}
labels:
{{- include "keycloak.labels" . | nindent 4 }}
{{- range $key, $value := .Values.autoscaling.labels }}
{{- printf "%s: %s" $key (tpl $value $ | quote) | nindent 4 }}
{{- end }}
spec:
scaleTargetRef:
apiVersion: apps/v1
kind: StatefulSet
name: {{ include "keycloak.fullname" . }}
minReplicas: {{ .Values.autoscaling.minReplicas }}
maxReplicas: {{ .Values.autoscaling.maxReplicas }}
metrics:
{{- toYaml .Values.autoscaling.metrics | nindent 4 }}
behavior:
{{- toYaml .Values.autoscaling.behavior | nindent 4 }}
{{- end }}

104
roles/cmoa_install/files/04-keycloak/templates/ingress.yaml Normal file
View File

@@ -0,0 +1,104 @@
{{- $ingress := .Values.ingress -}}
{{- if $ingress.enabled -}}
apiVersion: {{ include "keycloak.ingressAPIVersion" . }}
kind: Ingress
metadata:
name: {{ include "keycloak.fullname" . }}
{{- with $ingress.annotations }}
annotations:
{{- range $key, $value := . }}
{{- printf "%s: %s" $key (tpl $value $ | quote) | nindent 4 }}
{{- end }}
{{- end }}
labels:
{{- include "keycloak.labels" . | nindent 4 }}
{{- range $key, $value := $ingress.labels }}
{{- printf "%s: %s" $key (tpl $value $ | quote) | nindent 4 }}
{{- end }}
spec:
{{- if $ingress.tls }}
tls:
{{- range $ingress.tls }}
- hosts:
{{- range .hosts }}
- {{ tpl . $ | quote }}
{{- end }}
{{- with .secretName }}
secretName: {{ tpl . $ }}
{{- end }}
{{- end }}
{{- end }}
rules:
{{- range .Values.ingress.rules }}
- host: {{ tpl .host $ | quote }}
http:
paths:
{{- range .paths }}
- path: {{ . }}
{{- if $.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }}
pathType: Prefix
backend:
service:
name: {{ include "keycloak.fullname" $ }}-http
port:
name: {{ $ingress.servicePort }}
{{- else }}
backend:
serviceName: {{ include "keycloak.fullname" $ }}-http
servicePort: {{ $ingress.servicePort }}
{{- end }}
{{- end }}
{{- end }}
{{- if $ingress.console.enabled }}
---
apiVersion: {{ include "keycloak.ingressAPIVersion" . }}
kind: Ingress
metadata:
name: {{ include "keycloak.fullname" . }}-console
{{- with $ingress.console.annotations }}
annotations:
{{- range $key, $value := . }}
{{- printf "%s: %s" $key (tpl $value $ | quote) | nindent 4 }}
{{- end }}
{{- end }}
labels:
{{- include "keycloak.labels" . | nindent 4 }}
{{- range $key, $value := $ingress.labels }}
{{- printf "%s: %s" $key (tpl $value $ | quote) | nindent 4 }}
{{- end }}
spec:
{{- if $ingress.tls }}
tls:
{{- range $ingress.tls }}
- hosts:
{{- range .hosts }}
- {{ tpl . $ | quote }}
{{- end }}
{{- with .secretName }}
secretName: {{ tpl . $ }}
{{- end }}
{{- end }}
{{- end }}
rules:
{{- range .Values.ingress.console.rules }}
- host: {{ tpl .host $ | quote }}
http:
paths:
{{- range .paths }}
- path: {{ . }}
{{- if $.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }}
pathType: Prefix
backend:
service:
name: {{ include "keycloak.fullname" $ }}-http
port:
name: {{ $ingress.servicePort }}
{{- else }}
backend:
serviceName: {{ include "keycloak.fullname" $ }}-http
servicePort: {{ $ingress.servicePort }}
{{- end }}
{{- end }}
{{- end }}
{{- end -}}
{{- end -}}

46
roles/cmoa_install/files/04-keycloak/templates/networkpolicy.yaml Normal file
View File

@@ -0,0 +1,46 @@
{{- if .Values.networkPolicy.enabled }}
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: {{ include "keycloak.fullname" . | quote }}
labels:
{{- include "keycloak.labels" . | nindent 4 }}
{{- range $key, $value := .Values.networkPolicy.labels }}
{{- printf "%s: %s" $key (tpl $value $ | quote) | nindent 4 }}
{{- end }}
spec:
policyTypes:
- Ingress
podSelector:
matchLabels:
{{- include "keycloak.selectorLabels" . | nindent 6 }}
ingress:
{{- with .Values.networkPolicy.extraFrom }}
- from:
{{- toYaml . | nindent 8 }}
ports:
- protocol: TCP
port: {{ $.Values.service.httpPort }}
- protocol: TCP
port: {{ $.Values.service.httpsPort }}
{{ range $.Values.extraPorts }}
- protocol: {{ default "TCP" .protocol }}
port: {{ .containerPort }}
{{- end }}
{{- end }}
- from:
- podSelector:
matchLabels:
{{- include "keycloak.selectorLabels" . | nindent 14 }}
ports:
- protocol: TCP
port: {{ .Values.service.httpPort }}
- protocol: TCP
port: {{ .Values.service.httpsPort }}
- protocol: TCP
port: {{ .Values.service.httpManagementPort }}
{{ range .Values.extraPorts }}
- protocol: {{ default "TCP" .protocol }}
port: {{ .containerPort }}
{{- end }}
{{- end }}

13
roles/cmoa_install/files/04-keycloak/templates/poddisruptionbudget.yaml Normal file
View File

@@ -0,0 +1,13 @@
{{- if .Values.podDisruptionBudget -}}
apiVersion: policy/v1beta1
kind: PodDisruptionBudget
metadata:
name: {{ include "keycloak.fullname" . }}
labels:
{{- include "keycloak.labels" . | nindent 4 }}
spec:
selector:
matchLabels:
{{- include "keycloak.selectorLabels" . | nindent 6 }}
{{- toYaml .Values.podDisruptionBudget | nindent 2 }}
{{- end -}}

24
roles/cmoa_install/files/04-keycloak/templates/prometheusrule.yaml Normal file
View File

@@ -0,0 +1,24 @@
{{- with .Values.prometheusRule -}}
{{- if .enabled }}
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
name: {{ include "keycloak.fullname" $ }}
{{- with .annotations }}
annotations:
{{- range $key, $value := . }}
{{- printf "%s: %s" $key (tpl $value $ | quote) | nindent 4 }}
{{- end }}
{{- end }}
labels:
{{- include "keycloak.labels" $ | nindent 4 }}
{{- range $key, $value := .labels }}
{{- printf "%s: %s" $key (tpl $value $ | quote) | nindent 4 }}
{{- end }}
spec:
groups:
- name: {{ include "keycloak.fullname" $ }}
rules:
{{- toYaml .rules | nindent 8 }}
{{- end }}
{{- end -}}

25
roles/cmoa_install/files/04-keycloak/templates/rbac.yaml Normal file
View File

@@ -0,0 +1,25 @@
{{- if and .Values.rbac.create .Values.rbac.rules }}
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ include "keycloak.fullname" . }}
labels:
{{- include "keycloak.labels" . | nindent 4 }}
rules:
{{- toYaml .Values.rbac.rules | nindent 2 }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ include "keycloak.fullname" . }}
labels:
{{- include "keycloak.labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ include "keycloak.fullname" . }}
subjects:
- kind: ServiceAccount
name: {{ include "keycloak.serviceAccountName" . }}
namespace: {{ .Release.Namespace | quote }}
{{- end }}

34
roles/cmoa_install/files/04-keycloak/templates/route.yaml Normal file
View File

@@ -0,0 +1,34 @@
{{- $route := .Values.route -}}
{{- if $route.enabled -}}
apiVersion: route.openshift.io/v1
kind: Route
metadata:
name: {{ include "keycloak.fullname" . }}
{{- with $route.annotations }}
annotations:
{{- range $key, $value := . }}
{{- printf "%s: %s" $key (tpl $value $ | quote) | nindent 4 }}
{{- end }}
{{- end }}
labels:
{{- include "keycloak.labels" . | nindent 4 }}
{{- range $key, $value := $route.labels }}
{{- printf "%s: %s" $key (tpl $value $ | quote) | nindent 4 }}
{{- end }}
spec:
{{- if $route.host }}
host: {{ tpl $route.host $ | quote }}
{{- end }}
path: {{ $route.path }}
port:
targetPort: http
to:
kind: Service
name: {{ include "keycloak.fullname" $ }}-http
weight: 100
{{- if $route.tls.enabled }}
tls:
insecureEdgeTerminationPolicy: {{ $route.tls.insecureEdgeTerminationPolicy }}
termination: {{ $route.tls.termination }}
{{- end }}
{{- end -}}

29
roles/cmoa_install/files/04-keycloak/templates/secrets.yaml Normal file
View File

@@ -0,0 +1,29 @@
{{- range $nameSuffix, $values := .Values.secrets -}}
apiVersion: v1
kind: Secret
metadata:
name: {{ include "keycloak.fullname" $ }}-{{ $nameSuffix }}
{{- with $values.annotations }}
annotations:
{{- range $key, $value := . }}
{{- printf "%s: %s" $key (tpl $value $ | quote) | nindent 4 }}
{{- end }}
{{- end }}
labels:
{{- include "keycloak.labels" $ | nindent 4 }}
{{- range $key, $value := $values.labels }}
{{- printf "%s: %s" $key (tpl $value $ | quote) | nindent 4 }}
{{- end }}
type: {{ default "Opaque" $values.type }}
{{- with $values.data }}
data:
{{- toYaml . | nindent 2 }}
{{- end }}
{{- with $values.stringData }}
stringData:
{{- range $key, $value := . }}
{{- printf "%s: %s" $key (tpl $value $ | quote) | nindent 2 }}
{{- end }}
{{- end }}
---
{{- end -}}

18
roles/cmoa_install/files/04-keycloak/templates/service-headless.yaml Normal file
View File

@@ -0,0 +1,18 @@
{{- $highAvailability := gt (int .Values.replicas) 1 -}}
apiVersion: v1
kind: Service
metadata:
name: {{ include "keycloak.fullname" . }}-headless
labels:
{{- include "keycloak.labels" . | nindent 4 }}
app.kubernetes.io/component: headless
spec:
type: ClusterIP
clusterIP: None
ports:
- name: http
port: {{ .Values.service.httpPort }}
targetPort: http
protocol: TCP
selector:
{{- include "keycloak.selectorLabels" . | nindent 4 }}

59
roles/cmoa_install/files/04-keycloak/templates/service-http.yaml Normal file
View File

@@ -0,0 +1,59 @@
apiVersion: v1
kind: Service
metadata:
name: {{ include "keycloak.fullname" . }}-http
{{- with .Values.service.annotations }}
annotations:
{{- range $key, $value := . }}
{{- printf "%s: %s" $key (tpl $value $ | quote) | nindent 4 }}
{{- end }}
{{- end }}
labels:
{{- include "keycloak.labels" . | nindent 4 }}
{{- range $key, $value := .Values.service.labels }}
{{- printf "%s: %s" $key (tpl $value $ | quote) | nindent 4 }}
{{- end }}
app.kubernetes.io/component: http
spec:
type: {{ .Values.service.type }}
{{- if and (eq "LoadBalancer" .Values.service.type) .Values.service.loadBalancerIP }}
loadBalancerIP: {{ .Values.service.loadBalancerIP }}
{{- end }}
{{- if and (eq "LoadBalancer" .Values.service.type) .Values.service.loadBalancerSourceRanges }}
loadBalancerSourceRanges:
{{- toYaml .Values.service.loadBalancerSourceRanges | nindent 4 }}
{{- end }}
{{- if .Values.service.sessionAffinity }}
sessionAffinity: {{ .Values.service.sessionAffinity }}
{{- with .Values.service.sessionAffinityConfig }}
sessionAffinityConfig:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}
ports:
- name: http
port: {{ .Values.service.httpPort }}
targetPort: http
{{- if and (or (eq "NodePort" .Values.service.type) (eq "LoadBalancer" .Values.service.type) ) .Values.service.httpNodePort }}
nodePort: {{ .Values.service.httpNodePort }}
{{- end }}
protocol: TCP
- name: https
port: {{ .Values.service.httpsPort }}
targetPort: https
{{- if and (or (eq "NodePort" .Values.service.type) (eq "LoadBalancer" .Values.service.type) ) .Values.service.httpsNodePort }}
nodePort: {{ .Values.service.httpsNodePort }}
{{- end }}
protocol: TCP
- name: http-management
port: {{ .Values.service.httpManagementPort }}
targetPort: http-management
{{- if and (eq "NodePort" .Values.service.type) .Values.service.httpManagementNodePort }}
nodePort: {{ .Values.service.httpManagementNodePort }}
{{- end }}
protocol: TCP
{{- with .Values.service.extraPorts }}
{{- toYaml . | nindent 4 }}
{{- end }}
selector:
{{- include "keycloak.selectorLabels" . | nindent 4 }}

19
roles/cmoa_install/files/04-keycloak/templates/serviceaccount.yaml Normal file
View File

@@ -0,0 +1,19 @@
{{- if .Values.serviceAccount.create -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "keycloak.serviceAccountName" . }}
{{- with .Values.serviceAccount.annotations }}
annotations:
{{- range $key, $value := . }}
{{- printf "%s: %s" $key (tpl $value $ | quote) | nindent 4 }}
{{- end }}
{{- end }}
labels:
{{- include "keycloak.labels" . | nindent 4 }}
{{- range $key, $value := .Values.serviceAccount.labels }}
{{- printf "%s: %s" $key (tpl $value $ | quote) | nindent 4 }}
{{- end }}
imagePullSecrets:
{{- toYaml .Values.serviceAccount.imagePullSecrets | nindent 4 }}
{{- end }}

39
roles/cmoa_install/files/04-keycloak/templates/servicemonitor.yaml Normal file
View File

@@ -0,0 +1,39 @@
{{- range $key, $serviceMonitor := dict "wildfly" .Values.serviceMonitor "extra" .Values.extraServiceMonitor }}
{{- with $serviceMonitor }}
{{- if .enabled }}
---
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: {{ include "keycloak.fullname" $ }}-{{ $key }}
{{- with .namespace }}
namespace: {{ . }}
{{- end }}
{{- with .annotations }}
annotations:
{{- range $key, $value := . }}
{{- printf "%s: %s" $key (tpl $value $ | quote) | nindent 4 }}
{{- end }}
{{- end }}
labels:
{{- include "keycloak.labels" $ | nindent 4 }}
{{- range $key, $value := .labels }}
{{- printf "%s: %s" $key (tpl $value $ | quote) | nindent 4 }}
{{- end }}
spec:
{{- with .namespaceSelector }}
namespaceSelector:
{{- toYaml . | nindent 4 }}
{{- end }}
selector:
matchLabels:
{{- include "keycloak.selectorLabels" $ | nindent 6 }}
app.kubernetes.io/component: http
endpoints:
- port: {{ .port }}
path: {{ .path }}
interval: {{ .interval }}
scrapeTimeout: {{ .scrapeTimeout }}
{{- end }}
{{- end }}
{{- end }}

208
roles/cmoa_install/files/04-keycloak/templates/statefulset.yaml Normal file
View File

@@ -0,0 +1,208 @@
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: {{ include "keycloak.fullname" . }}
{{- with .Values.statefulsetAnnotations }}
annotations:
{{- range $key, $value := . }}
{{- printf "%s: %s" $key (tpl $value $ | quote) | nindent 4 }}
{{- end }}
{{- end }}
labels:
{{- include "keycloak.labels" . | nindent 4 }}
{{- range $key, $value := .Values.statefulsetLabels }}
{{- printf "%s: %s" $key (tpl $value $ | quote) | nindent 4 }}
{{- end }}
spec:
selector:
matchLabels:
{{- include "keycloak.selectorLabels" . | nindent 6 }}
{{- if not .Values.autoscaling.enabled }}
replicas: {{ .Values.replicas }}
{{- end }}
serviceName: {{ include "keycloak.fullname" . }}-headless
podManagementPolicy: {{ .Values.podManagementPolicy }}
updateStrategy:
type: RollingUpdate
template:
metadata:
annotations:
checksum/config-startup: {{ include (print .Template.BasePath "/configmap-startup.yaml") . | sha256sum }}
checksum/secrets: {{ tpl (toYaml .Values.secrets) . | sha256sum }}
{{- range $key, $value := .Values.podAnnotations }}
{{- printf "%s: %s" $key (tpl $value $ | quote) | nindent 8 }}
{{- end }}
labels:
{{- include "keycloak.selectorLabels" . | nindent 8 }}
{{- if and .Values.postgresql.enabled (and .Values.postgresql.networkPolicy .Values.postgresql.networkPolicy.enabled) }}
{{ include "keycloak.postgresql.fullname" . }}-client: "true"
{{- end }}
{{- range $key, $value := .Values.podLabels }}
{{- printf "%s: %s" $key (tpl $value $ | quote) | nindent 8 }}
{{- end }}
spec:
{{- if or .Values.postgresql.enabled .Values.extraInitContainers }}
initContainers:
{{- if .Values.postgresql.enabled }}
- name: pgchecker
image: "{{ .Values.pgchecker.image.repository }}:{{ .Values.pgchecker.image.tag }}"
imagePullPolicy: {{ .Values.pgchecker.image.pullPolicy }}
securityContext:
{{- toYaml .Values.pgchecker.securityContext | nindent 12 }}
command:
- sh
- -c
- |
echo 'Waiting for PostgreSQL to become ready...'
until printf "." && nc -z -w 2 {{ include "keycloak.postgresql.fullname" . }} {{ .Values.postgresql.service.port }}; do
sleep 2;
done;
echo 'PostgreSQL OK ✓'
volumeMounts:
- mountPath: /opt/jboss/keycloak/themes/cloudmoa/
name: themes-upper-directory
resources:
{{- toYaml .Values.pgchecker.resources | nindent 12 }}
{{- end }}
{{- with .Values.extraInitContainers }}
{{- tpl . $ | nindent 8 }}
{{- end }}
{{- end }}
containers:
- name: keycloak
securityContext:
{{- toYaml .Values.securityContext | nindent 12 }}
image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
command:
{{- toYaml .Values.command | nindent 12 }}
args:
{{- toYaml .Values.args | nindent 12 }}
{{- with .Values.lifecycleHooks }}
{{- tpl . $ | nindent 12 }}
{{- end }}
env:
- name: KEYCLOAK_USER
value: "admin"
#valueFrom:
# secretKeyRef:
# name: keycloak-secret
# key: KEYCLOAK_MASTER_USERNAME
- name: KEYCLOAK_PASSWORD
value: "admin"
#valueFrom:
# secretKeyRef:
# name: keycloak-secret
# key: KEYCLOAK_MASTER_PASSWORD
{{- if .Values.postgresql.enabled }}
- name: DB_VENDOR
value: postgres
- name: DB_ADDR
value: {{ include "keycloak.postgresql.fullname" . }}
- name: DB_PORT
value: {{ .Values.postgresql.service.port | quote }}
- name: DB_DATABASE
value: {{ .Values.postgresql.postgresqlDatabase | quote }}
- name: DB_USER
value: {{ .Values.postgresql.postgresqlUsername | quote }}
- name: DB_PASSWORD
valueFrom:
secretKeyRef:
name: {{ include "keycloak.postgresql.fullname" . }}
key: postgresql-password
{{- end }}
{{- with .Values.extraEnv }}
{{- tpl . $ | nindent 12 }}
{{- end }}
envFrom:
{{- with .Values.extraEnvFrom }}
{{- tpl . $ | nindent 12 }}
{{- end }}
ports:
- name: http
containerPort: 8080
protocol: TCP
- name: https
containerPort: 8443
protocol: TCP
- name: http-management
containerPort: 9990
protocol: TCP
{{- with .Values.extraPorts }}
{{- toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.livenessProbe }}
livenessProbe:
{{- tpl . $ | nindent 12 }}
{{- end }}
{{- with .Values.readinessProbe }}
readinessProbe:
{{- tpl . $ | nindent 12 }}
{{- end }}
resources:
{{- toYaml .Values.resources | nindent 12 }}
volumeMounts:
- mountPath: /opt/jboss/keycloak/themes/cloudmoa/
name: themes-upper-directory
{{- range $key, $value := .Values.startupScripts }}
- name: startup
mountPath: "/opt/jboss/startup-scripts/{{ $key }}"
subPath: "{{ $key }}"
readOnly: true
{{- end }}
{{- with .Values.extraVolumeMounts }}
{{- tpl . $ | nindent 12 }}
{{- end }}
{{- with .Values.extraContainers }}
{{- tpl . $ | nindent 8 }}
{{- end }}
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
serviceAccountName: {{ include "keycloak.serviceAccountName" . }}
securityContext:
{{- toYaml .Values.podSecurityContext | nindent 8 }}
{{- with .Values.hostAliases }}
hostAliases:
{{- toYaml . | nindent 8 }}
{{- end }}
enableServiceLinks: {{ .Values.enableServiceLinks }}
restartPolicy: {{ .Values.restartPolicy }}
{{- with .Values.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.affinity }}
affinity:
{{- tpl . $ | nindent 8 }}
{{- end }}
{{- with .Values.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.priorityClassName }}
priorityClassName: {{ . }}
{{- end }}
terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }}
volumes:
- name: themes-upper-directory
hostPath:
path: /root/oci/infra-set/keycloak/keycloak_theme/
type: DirectoryOrCreate
{{- with .Values.startupScripts }}
- name: startup
configMap:
name: {{ include "keycloak.fullname" $ }}-startup
defaultMode: 0555
items:
{{- range $key, $value := . }}
- key: {{ $key }}
path: {{ $key }}
{{- end }}
{{- end }}
{{- with .Values.extraVolumes }}
{{- tpl . $ | nindent 8 }}
{{- end }}

50
roles/cmoa_install/files/04-keycloak/templates/test/configmap-test.yaml Normal file
View File

@@ -0,0 +1,50 @@
{{- if .Values.test.enabled }}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "keycloak.fullname" . }}-test
labels:
{{- include "keycloak.labels" . | nindent 4 }}
annotations:
helm.sh/hook: test
helm.sh/hook-delete-policy: hook-succeeded
data:
test.py: |
import os
from selenium import webdriver
from selenium.webdriver.common.by import By
from selenium.webdriver.support.ui import WebDriverWait
from selenium.webdriver.support import expected_conditions
from urllib.parse import urlparse
print('Creating PhantomJS driver...')
driver = webdriver.PhantomJS(service_log_path='/tmp/ghostdriver.log')
base_url = 'http://{{ include "keycloak.fullname" . }}-http{{ if ne 80 (int .Values.service.httpPort) }}:{{ .Values.service.httpPort }}{{ end }}'
print('Opening Keycloak...')
driver.get('{0}/auth/admin/'.format(base_url))
username = os.environ['KEYCLOAK_USER']
password = os.environ['KEYCLOAK_PASSWORD']
username_input = WebDriverWait(driver, 30).until(expected_conditions.presence_of_element_located((By.ID, "username")))
password_input = WebDriverWait(driver, 30).until(expected_conditions.presence_of_element_located((By.ID, "password")))
login_button = WebDriverWait(driver, 30).until(expected_conditions.presence_of_element_located((By.ID, "kc-login")))
print('Entering username...')
username_input.send_keys(username)
print('Entering password...')
password_input.send_keys(password)
print('Clicking login button...')
login_button.click()
WebDriverWait(driver, 30).until(lambda driver: '/auth/admin/master/console/' in driver.current_url)
print('Admin console visible. Login successful.')
driver.quit()
{{- end }}

43
roles/cmoa_install/files/04-keycloak/templates/test/pod-test.yaml Normal file
View File

@@ -0,0 +1,43 @@
{{- if .Values.test.enabled }}
apiVersion: v1
kind: Pod
metadata:
name: {{ include "keycloak.fullname" . }}-test
labels:
{{- include "keycloak.labels" . | nindent 4 }}
app.kubernetes.io/component: test
annotations:
helm.sh/hook: test
spec:
securityContext:
{{- toYaml .Values.test.podSecurityContext | nindent 4 }}
containers:
- name: keycloak-test
image: "{{ .Values.test.image.repository }}:{{ .Values.test.image.tag }}"
imagePullPolicy: {{ .Values.test.image.pullPolicy }}
securityContext:
{{- toYaml .Values.test.securityContext | nindent 8 }}
command:
- python3
args:
- /tests/test.py
env:
- name: KEYCLOAK_USER
valueFrom:
secretKeyRef:
name: {{ include "keycloak.fullname" . }}-admin-creds
key: user
- name: KEYCLOAK_PASSWORD
valueFrom:
secretKeyRef:
name: {{ include "keycloak.fullname" . }}-admin-creds
key: password
volumeMounts:
- name: tests
mountPath: /tests
volumes:
- name: tests
configMap:
name: {{ include "keycloak.fullname" . }}-test
restartPolicy: Never
{{- end }}

434
roles/cmoa_install/files/04-keycloak/values.schema.json Normal file
View File

@@ -0,0 +1,434 @@
{
"$schema": "http://json-schema.org/schema#",
"type": "object",
"required": [
"image"
],
"definitions": {
"image": {
"type": "object",
"required": [
"repository",
"tag"
],
"properties": {
"pullPolicy": {
"type": "string",
"pattern": "^(Always|Never|IfNotPresent)$"
},
"repository": {
"type": "string"
},
"tag": {
"type": "string"
}
}
},
"imagePullSecrets": {
"type": "array",
"items": {
"type": "object",
"properties": {
"name": {
"type": "string"
}
}
}
}
},
"properties": {
"affinity": {
"type": "string"
},
"args": {
"type": "array"
},
"clusterDomain": {
"type": "string"
},
"command": {
"type": "array"
},
"enableServiceLinks": {
"type": "boolean"
},
"extraContainers": {
"type": "string"
},
"extraEnv": {
"type": "string"
},
"extraEnvFrom": {
"type": "string"
},
"extraInitContainers": {
"type": "string"
},
"extraPorts": {
"type": "array"
},
"extraVolumeMounts": {
"type": "string"
},
"extraVolumes": {
"type": "string"
},
"fullnameOverride": {
"type": "string"
},
"hostAliases": {
"type": "array"
},
"image": {
"$ref": "#/definitions/image"
},
"imagePullSecrets": {
"$ref": "#/definitions/imagePullSecrets"
},
"ingress": {
"type": "object",
"properties": {
"annotations": {
"type": "object"
},
"enabled": {
"type": "boolean"
},
"labels": {
"type": "object"
},
"rules": {
"type": "array",
"items": {
"type": "object",
"properties": {
"host": {
"type": "string"
},
"paths": {
"type": "array",
"items": {
"type": "string"
}
}
}
}
},
"servicePort": {
"anyOf": [
{
"type": "integer"
},
{
"type": "string"
}
]
},
"tls": {
"type": "array",
"items": {
"type": "object",
"properties": {
"hosts": {
"type": "array",
"items": {
"items": {
"type": "string"
}
},
"secretName": {
"type": "string"
}
}
}
}
}
},
"lifecycleHooks": {
"type": "string"
},
"livenessProbe": {
"type": "string"
},
"nameOverride": {
"type": "string"
},
"nodeSelector": {
"type": "object"
},
"pgchecker": {
"type": "object",
"properties": {
"image": {
"$ref": "#/definitions/image"
},
"resources": {
"type": "object",
"properties": {
"limits": {
"type": "object",
"properties": {
"cpu": {
"type": "string"
},
"memory": {
"type": "string"
}
}
},
"requests": {
"type": "object",
"properties": {
"cpu": {
"type": "string"
},
"memory": {
"type": "string"
}
}
}
}
},
"securityContext": {
"type": "object"
}
}
},
"podAnnotations": {
"type": "object"
},
"podDisruptionBudget": {
"type": "object"
},
"podLabels": {
"type": "object"
},
"podManagementPolicy": {
"type": "string"
},
"podSecurityContext": {
"type": "object"
},
"postgresql": {
"type": "object"
},
"priorityClassName": {
"type": "string"
},
"prometheusRule": {
"type": "object"
},
"serviceMonitor": {
"type": "object"
},
"extraServiceMonitor": {
"type": "object"
},
"readinessProbe": {
"type": "string"
},
"replicas": {
"type": "integer"
},
"resources": {
"type": "object"
},
"restartPolicy": {
"type": "string"
},
"route": {
"type": "object",
"properties": {
"annotations": {
"type": "object"
},
"enabled": {
"type": "boolean"
},
"host": {
"type": "string"
},
"labels": {
"type": "object"
},
"path": {
"type": "string"
},
"tls": {
"type": "object"
}
}
},
"secrets": {
"type": "object"
},
"securityContext": {
"type": "object"
},
"service": {
"type": "object",
"properties": {
"annotations": {
"type": "object"
},
"extraPorts": {
"type": "array"
},
"loadBalancerSourceRanges": {
"type": "array"
},
"httpNodePort": {
"anyOf": [
{
"type": "integer"
},
{
"type": "null"
}
]
},
"httpPort": {
"type": "integer"
},
"httpsNodePort": {
"anyOf": [
{
"type": "integer"
},
{
"type": "null"
}
]
},
"httpsPort": {
"type": "integer"
},
"httpManagementNodePort": {
"anyOf": [
{
"type": "integer"
},
{
"type": "null"
}
]
},
"httpManagementPort": {
"type": "integer"
},
"labels": {
"type": "object"
},
"nodePort": {
"anyOf": [
{
"type": "integer"
},
{
"type": "null"
}
]
},
"type": {
"type": "string"
},
"loadBalancerIP": {
"type": "string"
},
"sessionAffinity": {
"type": "string"
},
"sessionAffinityConfig": {
"type": "object"
}
}
},
"serviceAccount": {
"type": "object",
"properties": {
"annotations": {
"type": "object"
},
"create": {
"type": "boolean"
},
"imagePullSecrets": {
"$ref": "#/definitions/imagePullSecrets"
},
"labels": {
"type": "object"
},
"name": {
"type": "string"
}
}
},
"rbac": {
"type": "object",
"properties": {
"create": {
"type": "boolean"
},
"rules": {
"type": "array"
}
}
},
"startupScripts": {
"type": "object"
},
"statefulsetAnnotations": {
"type": "object"
},
"statefulsetLabels": {
"type": "object"
},
"terminationGracePeriodSeconds": {
"type": "integer"
},
"autoscaling": {
"type": "object",
"properties": {
"enabled": {
"type": "boolean"
},
"labels": {
"type": "object"
},
"minReplicas": {
"type": "integer"
},
"maxReplicas": {
"type": "integer"
},
"metrics": {
"type": "array"
},
"behavior": {
"type": "object"
}
}
},
"test": {
"type": "object",
"properties": {
"enabled": {
"type": "boolean"
},
"image": {
"$ref": "#/definitions/image"
},
"podSecurityContext": {
"type": "object"
},
"securityContext": {
"type": "object"
}
}
},
"tolerations": {
"type": "array"
}
}
}
}

552
roles/cmoa_install/files/04-keycloak/values.yaml Normal file
View File

@@ -0,0 +1,552 @@
# Optionally override the fully qualified name
fullnameOverride: "imxc-keycloak"
# Optionally override the name
nameOverride: ""
# The number of replicas to create (has no effect if autoscaling enabled)
replicas: 2
image:
# The Keycloak image repository
#repository: cdm-dev.exem-oss.org/keycloak/keycloak
repository: 10.10.31.243:5000/cmoa3/keycloak
# Overrides the Keycloak image tag whose default is the chart version
tag: "11.0.1"
# The Keycloak image pull policy
pullPolicy: Always
# Image pull secrets for the Pod
#imagePullSecrets: []
# - name: myRegistrKeySecretName
imagePullSecrets:
- name: regcred
# Mapping between IPs and hostnames that will be injected as entries in the Pod's hosts files
hostAliases: []
# - ip: "1.2.3.4"
# hostnames:
# - "my.host.com"
# Indicates whether information about services should be injected into Pod's environment variables, matching the syntax of Docker links
enableServiceLinks: true
# Pod management policy. One of `Parallel` or `OrderedReady`
podManagementPolicy: Parallel
# Pod restart policy. One of `Always`, `OnFailure`, or `Never`
restartPolicy: Always
serviceAccount:
# Specifies whether a ServiceAccount should be created
create: true
# The name of the service account to use.
# If not set and create is true, a name is generated using the fullname template
name: ""
# Additional annotations for the ServiceAccount
annotations: {}
# Additional labels for the ServiceAccount
labels: {}
# Image pull secrets that are attached to the ServiceAccount
#imagePullSecrets: []
imagePullSecrets:
- name: regcred
rbac:
create: true
rules:
# RBAC rules for KUBE_PING
- apiGroups:
- ""
resources:
- pods
verbs:
- get
- list
# SecurityContext for the entire Pod. Every container running in the Pod will inherit this SecurityContext. This might be relevant when other components of the environment inject additional containers into running Pods (service meshes are the most prominent example for this)
podSecurityContext:
fsGroup: 1000
# SecurityContext for the Keycloak container
securityContext:
runAsUser: 1000
runAsNonRoot: true
# Additional init containers, e. g. for providing custom themes
extraInitContainers: |
- name: theme-provider
image: 10.10.31.243:5000/cmoa3/theme-provider:latest
imagePullPolicy: IfNotPresent
command:
- sh
args:
- -c
- |
echo "Copying theme ..."
cp -R /mytheme/* /theme
volumeMounts:
- name: theme
mountPath: /theme
#extraInitContainers: ""
# Additional sidecar containers, e. g. for a database proxy, such as Google's cloudsql-proxy
extraContainers: ""
# Lifecycle hooks for the Keycloak container
lifecycleHooks: |
# postStart:
# exec:
# command:
# - /bin/sh
# - -c
# - ls
# Termination grace period in seconds for Keycloak shutdown. Clusters with a large cache might need to extend this to give Infinispan more time to rebalance
terminationGracePeriodSeconds: 60
# The internal Kubernetes cluster domain
clusterDomain: cluster.local
## Overrides the default entrypoint of the Keycloak container
command: []
## Overrides the default args for the Keycloak container
#args: ["-Dkeycloak.profile.feature.scripts=enabled", "-Dkeycloak.profile.feature.upload_scripts=enabled", "-Dkeycloak.profile.feature.admin_fine_grained_authz=enabled"]
args: ["-Dkeycloak.profile.feature.scripts=enabled", "-Dkeycloak.profile.feature.upload_scripts=enabled"]
# Additional environment variables for Keycloak
extraEnv: |
# HA settings
- name: PROXY_ADDRESS_FORWARDING
value: "true"
- name: JGROUPS_DISCOVERY_PROTOCOL
value: kubernetes.KUBE_PING
- name: KUBERNETES_NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
- name: CACHE_OWNERS_COUNT
value: "2"
- name: CACHE_OWNERS_AUTH_SESSIONS_COUNT
value: "2"
# postgresql settings
- name: DB_VENDOR
value: postgres
- name: DB_ADDR
value: postgres
- name: DB_PORT
value: "5432"
- name: DB_DATABASE
value: keycloak
- name: DB_USER
value: admin
- name: DB_PASSWORD
value: eorbahrhkswp
# - name: KEYCLOAK_USER
# value: keycloak
# - name: KEYCLOAK_PASSWORD
# value: keycloak
#extraEnv: ""
# - name: KEYCLOAK_LOGLEVEL
# value: DEBUG
# - name: WILDFLY_LOGLEVEL
# value: DEBUG
# - name: CACHE_OWNERS_COUNT
# value: "2"
# - name: CACHE_OWNERS_AUTH_SESSIONS_COUNT
# value: "2"
#extraEnv: |
# - name: JGROUPS_DISCOVERY_PROTOCOL
# value: dns.DNS_PING
# - name: JGROUPS_DISCOVERY_PROPERTIES
# value: 'dns_query={{ include "keycloak.serviceDnsName" . }}'
# - name: CACHE_OWNERS_COUNT
# value: "2"
# - name: CACHE_OWNERS_AUTH_SESSIONS_COUNT
# value: "2"
# Additional environment variables for Keycloak mapped from Secret or ConfigMap
extraEnvFrom: ""
# Pod priority class name
#priorityClassName: "manual"
# Pod affinity
affinity: |
podAntiAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchLabels:
{{- include "keycloak.selectorLabels" . | nindent 10 }}
matchExpressions:
- key: app.kubernetes.io/component
operator: NotIn
values:
- test
topologyKey: kubernetes.io/hostname
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 100
podAffinityTerm:
labelSelector:
matchLabels:
{{- include "keycloak.selectorLabels" . | nindent 12 }}
matchExpressions:
- key: app.kubernetes.io/component
operator: NotIn
values:
- test
topologyKey: failure-domain.beta.kubernetes.io/zone
#affinity: {}
# Node labels for Pod assignment
nodeSelector: {}
# Node taints to tolerate
tolerations: []
# Additional Pod labels
podLabels: {}
# Additional Pod annotations
podAnnotations: {}
# Liveness probe configuration
livenessProbe: |
httpGet:
path: /auth/
port: http
initialDelaySeconds: 300
timeoutSeconds: 5
# Readiness probe configuration
readinessProbe: |
httpGet:
path: /auth/realms/master
port: http
initialDelaySeconds: 30
timeoutSeconds: 1
# Pod resource requests and limits
#resources: {}
# requests:
# cpu: "500m"
# memory: "1024Mi"
# limits:
# cpu: "500m"
# memory: "1024Mi"
resources:
requests:
memory: "200Mi"
cpu: "10m"
# Startup scripts to run before Keycloak starts up
startupScripts:
# WildFly CLI script for configuring the node-identifier
keycloak.cli: |
{{- .Files.Get "scripts/keycloak.cli" }}
# mystartup.sh: |
# #!/bin/sh
#
# echo 'Hello from my custom startup script!'
# Add additional volumes, e. g. for custom themes
extraVolumes: |
- name: theme
emptyDir: {}
#extraVolumes: ""
# Add additional volumes mounts, e. g. for custom themes
extraVolumeMounts: |
- name: theme
mountPath: /opt/jboss/keycloak/themes
#extraVolumeMounts: ""
# Add additional ports, e. g. for admin console or exposing JGroups ports
extraPorts: []
# Pod disruption budget
podDisruptionBudget: {}
# maxUnavailable: 1
# minAvailable: 1
# Annotations for the StatefulSet
statefulsetAnnotations: {}
# Additional labels for the StatefulSet
statefulsetLabels: {}
# Configuration for secrets that should be created
secrets: {}
# mysecret:
# type: {}
# annotations: {}
# labels: {}
# stringData: {}
# data: {}
service:
# Annotations for headless and HTTP Services
annotations: {}
# Additional labels for headless and HTTP Services
labels: {}
# key: value
# The Service type
type: NodePort
# Optional IP for the load balancer. Used for services of type LoadBalancer only
loadBalancerIP: ""
# The http Service port
httpPort: 80
# The HTTP Service node port if type is NodePort
httpNodePort: 31082
# The HTTPS Service port
httpsPort: 8443
# The HTTPS Service node port if type is NodePort
httpsNodePort: null
# The WildFly management Service port
httpManagementPort: 9990
# The WildFly management Service node port if type is NodePort
httpManagementNodePort: 31990
# Additional Service ports, e. g. for custom admin console
extraPorts: []
# When using Service type LoadBalancer, you can restrict source ranges allowed
# to connect to the LoadBalancer, e. g. will result in Security Groups
# (or equivalent) with inbound source ranges allowed to connect
loadBalancerSourceRanges: []
# Session affinity
# See https://kubernetes.io/docs/concepts/services-networking/service/#proxy-mode-userspace
sessionAffinity: ""
# Session affinity config
sessionAffinityConfig: {}
ingress:
# If `true`, an Ingress is created
enabled: false
# The Service port targeted by the Ingress
servicePort: http
# Ingress annotations
annotations: {}
## Resolve HTTP 502 error using ingress-nginx:
## See https://www.ibm.com/support/pages/502-error-ingress-keycloak-response
# nginx.ingress.kubernetes.io/proxy-buffer-size: 128k
# Additional Ingress labels
labels: {}
# List of rules for the Ingress
rules:
-
# Ingress host
host: '{{ .Release.Name }}.keycloak.example.com'
# Paths for the host
paths:
- /
# TLS configuration
tls:
- hosts:
- keycloak.example.com
secretName: ""
# ingress for console only (/auth/admin)
console:
# If `true`, an Ingress is created for console path only
enabled: false
# Ingress annotations for console ingress only
# Useful to set nginx.ingress.kubernetes.io/whitelist-source-range particularly
annotations: {}
rules:
-
# Ingress host
host: '{{ .Release.Name }}.keycloak.example.com'
# Paths for the host
paths:
- /auth/admin/
## Network policy configuration
networkPolicy:
# If true, the Network policies are deployed
enabled: false
# Additional Network policy labels
labels: {}
# Define all other external allowed source
# See https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#networkpolicypeer-v1-networking-k8s-io
extraFrom: []
route:
# If `true`, an OpenShift Route is created
enabled: false
# Path for the Route
path: /
# Route annotations
annotations: {}
# Additional Route labels
labels: {}
# Host name for the Route
host: ""
# TLS configuration
tls:
# If `true`, TLS is enabled for the Route
enabled: false
# Insecure edge termination policy of the Route. Can be `None`, `Redirect`, or `Allow`
insecureEdgeTerminationPolicy: Redirect
# TLS termination of the route. Can be `edge`, `passthrough`, or `reencrypt`
termination: edge
pgchecker:
image:
# Docker image used to check Postgresql readiness at startup
#repository: cdm-dev.exem-oss.org/keycloak/busybox
#repository: {{ .Values.global.IMXC_REGISTRY }}/keycloak/busybox
repository: 10.10.31.243:5000/cmoa3/busybox
# Image tag for the pgchecker image
tag: 1.32
# Image pull policy for the pgchecker image
pullPolicy: Always
# SecurityContext for the pgchecker contai/docker.ner
securityContext:
allowPrivilegeEscalation: false
runAsUser: 1000
runAsGroup: 1000
runAsNonRoot: true
# Resource requests and limits for the pgchecker container
resources:
requests:
cpu: "10m"
memory: "16Mi"
limits:
cpu: "10m"
memory: "16Mi"
postgresql:
# If `true`, the Postgresql dependency is enabled
enabled: false
# PostgreSQL User to create
postgresqlUsername: keycloak
# PostgreSQL Password for the new user
postgresqlPassword: keycloak
# PostgreSQL Database to create
postgresqlDatabase: keycloak
# PostgreSQL network policy configuration
networkPolicy:
enabled: false
serviceMonitor:
# If `true`, a ServiceMonitor resource for the prometheus-operator is created
enabled: false
# Optionally sets a target namespace in which to deploy the ServiceMonitor resource
namespace: ""
# Optionally sets a namespace for the ServiceMonitor
namespaceSelector: {}
# Annotations for the ServiceMonitor
annotations: {}
# Additional labels for the ServiceMonitor
labels: {}
# Interval at which Prometheus scrapes metrics
interval: 10s
# Timeout for scraping
scrapeTimeout: 10s
# The path at which metrics are served
path: /metrics
# The Service port at which metrics are served
port: http-management
extraServiceMonitor:
# If `true`, a ServiceMonitor resource for the prometheus-operator is created
enabled: false
# Optionally sets a target namespace in which to deploy the ServiceMonitor resource
namespace: ""
# Optionally sets a namespace for the ServiceMonitor
namespaceSelector: {}
# Annotations for the ServiceMonitor
annotations: {}
# Additional labels for the ServiceMonitor
labels: {}
# Interval at which Prometheus scrapes metrics
interval: 10s
# Timeout for scraping
scrapeTimeout: 10s
# The path at which metrics are served
path: /auth/realms/master/metrics
# The Service port at which metrics are served
port: http
prometheusRule:
# If `true`, a PrometheusRule resource for the prometheus-operator is created
enabled: false
# Annotations for the PrometheusRule
annotations: {}
# Additional labels for the PrometheusRule
labels: {}
# List of rules for Prometheus
rules: []
# - alert: keycloak-IngressHigh5xxRate
# annotations:
# message: The percentage of 5xx errors for keycloak over the last 5 minutes is over 1%.
# expr: |
# (
# sum(
# rate(
# nginx_ingress_controller_response_duration_seconds_count{exported_namespace="mynamespace",ingress="mynamespace-keycloak",status=~"5[0-9]{2}"}[1m]
# )
# )
# /
# sum(
# rate(
# nginx_ingress_controller_response_duration_seconds_count{exported_namespace="mynamespace",ingress="mynamespace-keycloak"}[1m]
# )
# )
# ) * 100 > 1
# for: 5m
# labels:
# severity: warning
autoscaling:
# If `true`, a autoscaling/v2beta2 HorizontalPodAutoscaler resource is created (requires Kubernetes 1.18 or above)
# Autoscaling seems to be most reliable when using KUBE_PING service discovery (see README for details)
# This disables the `replicas` field in the StatefulSet
enabled: false
# Additional HorizontalPodAutoscaler labels
labels: {}
# The minimum and maximum number of replicas for the Keycloak StatefulSet
minReplicas: 3
maxReplicas: 10
# The metrics to use for scaling
metrics:
- type: Resource
resource:
name: cpu
target:
type: Utilization
averageUtilization: 80
# The scaling policy to use. This will scale up quickly but only scale down a single Pod per 5 minutes.
# This is important because caches are usually only replicated to 2 Pods and if one of those Pods is terminated this will give the cluster time to recover.
behavior:
scaleDown:
stabilizationWindowSeconds: 300
policies:
- type: Pods
value: 1
periodSeconds: 300
test:
# If `true`, test resources are created
enabled: false
image:
# The image for the test Pod
#repository: docker.io/unguiculus/docker-python3-phantomjs-selenium
repository: 10.10.31.243:5000/docker-python3-phantomjs-selenium
# The tag for the test Pod image
tag: v1
# The image pull policy for the test Pod image
pullPolicy: IfNotPresent
# SecurityContext for the entire test Pod
podSecurityContext:
fsGroup: 1000
# SecurityContext for the test container
securityContext:
runAsUser: 1000
runAsNonRoot: true