Initial implementation for rendering Helm chart with some options

simu · simu · commit de1eb395c674 · 2020-08-03T09:01:07.000+02:00
The current implementation allows configuring the following aspects of Keycloak: * The public hostname using either ingress or route * An initial admin user * Keycloak pod resource requests and limits * Additional Java options (JAVA_OPTS) * Prometheus monitoring using an existing prometheus-operator * Postgres database to use. By default a Bitnami Postgres is installed using the default storage class in the cluster. Note: Using an external database depends on Commodore support for making postprocessing filters optional, cf. projectsyn/commodore#155.
diff --git a/.gitignore b/.gitignore
@@ -0,0 +1 @@
+helmcharts
diff --git a/class/defaults.yml b/class/defaults.yml
@@ -1,3 +1,57 @@
 parameters:
   keycloak:
     namespace: syn-keycloak
+    # Hostname should be overwritten on the cluster level
+    hostname: keycloak.example.com
+    # Keycloak Admin
+    admin:
+      secretname: keycloak-admin-user
+      username: admin
+      password: '?{vaultkv:${customer:name}/${cluster:name}/keycloak/admin-password}'
+    # Ingress or Route should be enabled on the distribution level
+    ingress:
+      enabled: false
+    route:
+      enabled: false
+    # Labels can be extended in the config hierarchy by providing further
+    # entries in key `labels`.
+    labels:
+      app.kubernetes.io/name: keycloak
+      app.kubernetes.io/instance: syn-keycloak
+      app.kubernetes.io/version: v11.0.0
+      app.kubernetes.io/component: keycloak
+      app.kubernetes.io/managed-by: commodore
+    # Pod resource requests and limits
+    resources:
+      requests:
+        memory: "512Mi"
+        cpu: "500m"
+      limits:
+        memory: "1Gi"
+        cpu: "1"
+    # Extra java opts are appended to the default options set in
+    # `class/keycloak.yml`.
+    extraJavaOpts: ""
+    # Enable ServiceMonitor, PrometheusRule, and all Keycloak statistics on
+    # the metrics endpoint by default.
+    monitoring:
+      enabled: true
+      statistics: all
+    # Use Bitnami Postgres installed by the Keycloak chart by default
+    postgres:
+      builtin: true
+      external:
+        secretname: keycloak-db-credentials
+        address: postgres.example.com
+        port: 5432
+        database: keycloak
+        user: keycloak
+        password: '?{vaultkv:${customer:name}/${cluster:name}/keycloak/db-password}'
+    charts:
+      keycloak: '9.0.1'
+
+  # Using exports allows us to have expressions in the inventory
+  exports:
+    keycloak:
+      postgres:
+        builtin: ${keycloak:postgres:builtin}
diff --git a/class/keycloak.yml b/class/keycloak.yml
@@ -1,5 +1,10 @@
 parameters:
   kapitan:
+    dependencies:
+      - type: https
+        source: 'https://github.com/codecentric/helm-charts/releases/download/keycloak-${keycloak:charts:keycloak}/keycloak-${keycloak:charts:keycloak}.tgz'
+        unpack: true
+        output_path: dependencies/keycloak/helmcharts
     compile:
       - input_paths:
           - keycloak/component/app.jsonnet
@@ -9,3 +14,57 @@ parameters:
           - keycloak/component/main.jsonnet
         input_type: jsonnet
         output_path: keycloak/
+      - output_path: keycloak/01_keycloak_helmchart
+        input_type: helm
+        output_type: yaml
+        input_paths:
+          - keycloak/helmcharts/keycloak
+        helm_values:
+          statefulsetLabels: ${keycloak:labels}
+          resources: ${keycloak:resources}
+          # extraEnv *MUST* be a string, as it's fed through a templating
+          # function.
+          extraEnv: |
+            - name: JAVA_OPTS
+              value: >-
+                        -XX:+UseContainerSupport
+                        -XX:MaxRAMPercentage=50.0
+                        -Djava.net.preferIPv4Stack=true
+                        -Djboss.modules.system.pkgs=$JBOSS_MODULES_SYSTEM_PKGS
+                        -Djava.awt.headless=true
+                        ${keycloak:extraJavaOpts}
+            - name: KEYCLOAK_STATISTICS
+              value: ${keycloak:monitoring:statistics}
+          extraEnvFrom: |
+            - secretRef:
+                name: ${keycloak:admin:secretname}
+            - secretRef:
+                name: $[ self:keycloak:postgres:external:secretname if exports:keycloak:postgres:builtin == false ]
+          serviceAccount:
+            labels: ${keycloak:labels}
+          ingress:
+            enabled: ${keycloak:ingress:enabled}
+            labels: ${keycloak:labels}
+            rules:
+              - host: ${keycloak:hostname}
+            tls:
+              - host: ${keycloak:hostname}
+          route:
+            enabled: ${keycloak:route:enabled}
+            labels: ${keycloak:labels}
+            host: ${keycloak:hostname}
+          service:
+            labels: ${keycloak:labels}
+          serviceMonitor:
+            enabled: ${keycloak:monitoring:enabled}
+            labels: ${keycloak:labels}
+          prometheusRule:
+            enabled: ${keycloak:monitoring:enabled}
+            labels: ${keycloak:labels}
+          postgresql:
+            enabled: ${keycloak:postgres:builtin}
+            master:
+              labels: ${keycloak:labels}
+        helm_params:
+          release_name: keycloak
+          namespace: '${keycloak:namespace}'
diff --git a/component/app.jsonnet b/component/app.jsonnet
@@ -6,5 +6,5 @@ local argocd = import 'lib/argocd.libjsonnet';
 local app = argocd.App('keycloak', params.namespace);
 
 {
-  'keycloak': app,
+  keycloak: app,
 }
diff --git a/component/main.jsonnet b/component/main.jsonnet
@@ -5,6 +5,32 @@ local inv = kap.inventory();
 // The hiera parameters for the component
 local params = inv.parameters.keycloak;
 
+local admin_secret = kube.Secret(params.admin.secretname) {
+  metadata+: {
+    labels+: params.labels,
+  },
+  stringData: {
+    KEYCLOAK_USER: params.admin.username,
+    KEYCLOAK_PASSWORD: params.admin.password,
+  },
+};
+
+local external_db_secret = kube.Secret(params.postgres.external.secretname) {
+  metadata+: {
+    labels+: params.labels,
+  },
+  stringData: {
+    DB_VENDOR: 'postgres',
+    DB_ADDR: params.postgres.external.address,
+    DB_PORT: params.postgres.external.port,
+    DB_DATABASE: params.postgres.external.database,
+    DB_USER: params.postgres.external.user,
+    DB_PASSWORD: params.postgres.external.password,
+  },
+};
+
 // Define outputs below
 {
+  '10_admin_secret': admin_secret,
+  [if params.postgres.builtin == false then '20_external_db_secret']: external_db_secret,
 }
diff --git a/docs/modules/ROOT/pages/index.adoc b/docs/modules/ROOT/pages/index.adoc
@@ -1,3 +1,9 @@
-= keycloak: A Commodore component to manage keycloak
+= keycloak: A Commodore component to manage Keycloak
 
-{doctitle} is a Commodore component for Managing keycloak.
+This component provides a set of tuned defaults and a simplified interface to
+deploy the https://hub.helm.sh/charts/codecentric/keycloak/9.0.1[Keycloak helm
+chart] on a Syn-enabled cluster.
+
+The component defaults to provisioning a Bitnami Postgres database via the
+Keycloak helm chart, but this behavior can be overridden using the
+`keycloak.postgres` parameters exposed by the component.
diff --git a/postprocess/filters.yml b/postprocess/filters.yml
@@ -1 +1,14 @@
-filters: []
+filters:
+  - path: keycloak/01_keycloak_helmchart/keycloak/templates
+    type: builtin
+    filter: helm_namespace
+    filterargs:
+      namespace: ${keycloak:namespace}
+      create_namespace: 'true'
+  - path: keycloak/01_keycloak_helmchart/keycloak/charts/postgresql/templates
+    type: "builtin"
+    # This will only work once Commodore PR#XXX has been merged
+    enabled: ${keycloak:postgres:builtin}
+    filter: helm_namespace
+    filterargs:
+      namespace: ${keycloak:namespace}

Original file line number	Diff line number	Diff line change
`@@ -6,5 +6,5 @@ local argocd = import 'lib/argocd.libjsonnet';`
`6`	`6`	`local app = argocd.App('keycloak', params.namespace);`
`7`	`7`
`8`	`8`	`{`
`9`		`- 'keycloak': app,`
	`9`	`+ keycloak: app,`
`10`	`10`	`}`