Diffstat (limited to 'kubernetes/authentication')
9 files changed, 43 insertions, 22 deletions
diff --git a/kubernetes/authentication/Chart.yaml b/kubernetes/authentication/Chart.yaml index d178f38481..6430743bf7 100644 --- a/kubernetes/authentication/Chart.yaml +++ b/kubernetes/authentication/Chart.yaml @@ -16,13 +16,12 @@ # limitations under the License. # ============LICENSE_END========================================================= apiVersion: v2 -version: 15.0.0 +version: 15.0.1 description: ONAP Realm creation, Oauth2Proxy installation and configuration name: authentication sources: - https://github.com/adorsys/keycloak-config-cli -# Keycloakx chart version: 1.6.0 dependencies: - name: common version: ~13.x-0 @@ -31,7 +30,7 @@ dependencies: version: ~13.x-0 repository: '@local' - name: onap-keycloak-config-cli - version: 6.1.6 + version: 6.2.1 repository: 'file://components/keycloak-config-cli' - name: onap-oauth2-proxy version: 7.8.0 diff --git a/kubernetes/authentication/README.md b/kubernetes/authentication/README.md index c2332b409a..e17e94f1d0 100644 --- a/kubernetes/authentication/README.md +++ b/kubernetes/authentication/README.md @@ -30,6 +30,9 @@ realmSettings: accessTokenLifespan: - (optional) Access Tolek Lifespan (default: 1900) registrationAllowed: - (optional) Enable/disable the registration page (default: false) resetPasswordAllowed: - (optional) Show a link on login page for user to click when they have forgotten their credentials (default: true) + passwordPolicy: - (optional) Set Password policies, e.g. + "length(8) and specialChars(1) and upperCase(1) and lowerCase(1) and digits(1) and notUsername(undefined) + and notEmail(undefined) and notContainsUsername(undefined) and passwordHistory(3)" sslRequired: - (optional) Is HTTPS required? ('None'|'External'|'All requests' (default: "external") themes: - (optional) Keycloak Theme settings login: <login theme> - (optional) Keycloak Theme for Login UI (e.g. "base") 
diff --git a/kubernetes/authentication/components/keycloak-config-cli/Chart.yaml b/kubernetes/authentication/components/keycloak-config-cli/Chart.yaml index c196bcc6e2..32514f7867 100644 --- a/kubernetes/authentication/components/keycloak-config-cli/Chart.yaml +++ b/kubernetes/authentication/components/keycloak-config-cli/Chart.yaml @@ -20,8 +20,8 @@ apiVersion: v2 name: onap-keycloak-config-cli description: Import JSON-formatted configuration files into Keycloak - Configuration as Code for Keycloak. home: https://github.com/adorsys/keycloak-config-cli -version: 6.1.6 -appVersion: 6.1.6 +version: 6.2.1 +appVersion: 6.2.1 maintainers: - name: jkroepke email: joe@adorsys.de diff --git a/kubernetes/authentication/components/keycloak-config-cli/templates/job.yaml b/kubernetes/authentication/components/keycloak-config-cli/templates/job.yaml index 322db2b7a1..5ea4cbd770 100644 --- a/kubernetes/authentication/components/keycloak-config-cli/templates/job.yaml +++ b/kubernetes/authentication/components/keycloak-config-cli/templates/job.yaml @@ -50,7 +50,7 @@ spec: imagePullPolicy: {{ .Values.image.pullPolicy }} {{- with .Values.resources }} resources: - {{- toYaml . | nindent 10 }} + {{- toYaml . | nindent 12 }} {{- end }} env: {{- range $name, $value := .Values.env }} @@ -70,10 +70,19 @@ spec: secretKeyRef: name: "{{ tpl .Values.existingSecret . }}" key: "{{ .Values.existingSecretKey }}" - {{- end }} - {{- with .Values.securityContext }} + {{- end }} + {{- if .Values.existingSecrets }} + {{- range .Values.existingSecrets }} + - name: {{ .envVar }} + valueFrom: + secretKeyRef: + name: {{ .name }} + key: {{ .key }} + {{- end }} + {{- end }} + {{- with .Values.containerSecurityContext }} securityContext: - {{- toYaml . | nindent 10 }} + {{- toYaml . | nindent 12 }} {{- end }} volumeMounts: - name: config 
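Review bot: In the second job.yaml hunk the container-level `securityContext` is now read from `.Values.containerSecurityContext`, but no hunk in this commit adds that key to the subchart's values.yaml. Unless it is defined elsewhere, the `with` block renders nothing and the container loses whatever it previously inherited from `.Values.securityContext`. An explicit `containerSecurityContext:` default in values.yaml would keep the hardening visible. In the same hunk the new `existingSecrets` loop emits `{{ .envVar }}`, `{{ .name }}` and `{{ .key }}` unquoted, unlike the `existingSecret` entry just above it; `name: {{ .name | quote }}` and `key: {{ .key | quote }}` stop an empty or boolean-looking value from being retyped by the YAML parser.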
@@ -81,7 +90,6 @@ spec: {{- with .Values.extraVolumeMounts }} {{- tpl . $ | nindent 12 }} {{- end }} - {{ include "common.waitForJobContainer" . | indent 8 | trim }} volumes: - name: config secret: @@ -100,4 +108,4 @@ spec: {{- with .Values.securityContext }} securityContext: {{- toYaml . | nindent 8 }} - {{- end }} + {{- end }} diff --git a/kubernetes/authentication/components/keycloak-config-cli/values.yaml b/kubernetes/authentication/components/keycloak-config-cli/values.yaml index 9574d148ec..ffeeaeb176 100644 --- a/kubernetes/authentication/components/keycloak-config-cli/values.yaml +++ b/kubernetes/authentication/components/keycloak-config-cli/values.yaml @@ -75,6 +75,11 @@ podLabels: {} ## Extra Annotations to be added to pod podAnnotations: {} +# New section for existing secrets +existingSecrets: +# - name: my-existing-secret +# key: my-secret-key +# envVar: MY_ENV_VAR config: {} # <realm name>: @@ -91,7 +96,3 @@ extraVolumes: "" # Add additional volumes mounts, e. g. for custom secrets extraVolumeMounts: "" - -wait_for_job_container: - containers: - - 'keycloak-config-cli' diff --git a/kubernetes/authentication/components/oauth2-proxy/values.yaml b/kubernetes/authentication/components/oauth2-proxy/values.yaml index 14ea469fa8..7157aa0c72 100644 --- a/kubernetes/authentication/components/oauth2-proxy/values.yaml +++ b/kubernetes/authentication/components/oauth2-proxy/values.yaml @@ -7,6 +7,10 @@ global: imageRegistry: docker.io imagePullSecrets: - '{{ include "common.names.namespace" . }}-docker-registry-key' + + # Workaround to avoid redis restarts with ArgoCD + redis: + password: "32ugd3783rhfjdhow" # ************************************************* ## Override the deployment namespace diff --git a/kubernetes/authentication/templates/_utils.tpl b/kubernetes/authentication/templates/_utils.tpl index 4606611159..958d0c78df 100644 --- a/kubernetes/authentication/templates/_utils.tpl +++ b/kubernetes/authentication/templates/_utils.tpl 
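Review bot: In keycloak-config-cli/values.yaml, `existingSecrets:` is added as a bare key, which parses as null rather than an empty list; `existingSecrets: []` states the intended type and matches how `podLabels: {}` is written just above. The comment `# New section for existing secrets` would be more useful if it described the contract, e.g. `# List of {name, key, envVar}: exposes key <key> of Secret <name> to the job container as env var <envVar>`.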
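Review bot: The added `global.redis.password` in oauth2-proxy/values.yaml commits a fixed Redis credential to the chart, so every installation that takes these defaults shares one password that is readable in the repository and its history. The stated goal, a value that stays stable across ArgoCD syncs, is also met by a Secret created outside the chart and referenced by name, if the Redis subchart supports that, or by a per-environment override that is not checked in. Since the literal is now public, it should be treated as compromised and replaced wherever it has been deployed.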
@@ -24,10 +24,10 @@ Usage: {{- $realm := (required "'realm' param, set to the specific service, is required." .realm) -}} realm: {{ $realm.name }} {{ if $realm.displayName }}displayName: {{ $realm.displayName }}{{ end }} -id: {{ $realm.name }} accessTokenLifespan: {{ default "1900" $realm.accessTokenLifespan }} registrationAllowed: {{ default false $realm.registrationAllowed }} resetPasswordAllowed: {{ default true $realm.resetPasswordAllowed }} +{{ if $realm.passwordPolicy }}passwordPolicy: {{ $realm.passwordPolicy }}{{ end }} sslRequired: {{ default "external" $realm.sslRequired }} enabled: true {{ if $realm.themes }} diff --git a/kubernetes/authentication/templates/secret.yaml b/kubernetes/authentication/templates/secret.yaml index 1488be6969..812b0ab61d 100644 --- a/kubernetes/authentication/templates/secret.yaml +++ b/kubernetes/authentication/templates/secret.yaml @@ -4,11 +4,7 @@ kind: Secret metadata: name: keycloak-config-cli-config-realms namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} + labels: {{- include "common.labels" . | nindent 4 }} data: {{- $dot := . }} {{- range $realm := .Values.realmSettings }} diff --git a/kubernetes/authentication/values.yaml b/kubernetes/authentication/values.yaml index 124bc18c8d..79f23295cd 100644 --- a/kubernetes/authentication/values.yaml +++ b/kubernetes/authentication/values.yaml 
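Review bot: The new `passwordPolicy` line in _utils.tpl writes `$realm.passwordPolicy` into the realm document unquoted, so a policy string containing ` #`, `: ` or a leading YAML indicator would be truncated or mis-parsed instead of passed through, which could silently weaken the policy that is imported. `passwordPolicy: {{ $realm.passwordPolicy | quote }}` keeps it a string. Because the line is emitted only when the value is set, realms that omit it get no policy from this template; if a baseline is intended, a `default` like the one on the neighbouring keys would make it explicit. The template definition starts and ends outside the hunk.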
@@ -41,9 +41,19 @@ onap-keycloak-config-cli: # "edge" is the latest build release and need to be replaced with a new version # compatible with keycloak 26.x.y tag: edge - #tag: "6.1.6-25.0.1" + tag: "6.2.1-26.0.5" pullSecrets: - name: onap-docker-registry-key + +# annotations: +# # This is what defines this resource as a hook. Without this line, the +# # job is considered part of the release. +# argocd.argoproj.io/hook: Sync +# argocd.argoproj.io/hook-delete-policy: BeforeHookCreation +# helm.sh/hook: post-install,pre-upgrade,pre-rollback +# helm.sh/hook-weight: "1" +# helm.sh/hook-delete-policy: before-hook-creation + #existingSecret: "keycloak-keycloakx-admin-creds" env: # internal KC URL plus relative path |
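Review bot: The context line `tag: edge` stays in place and `tag: "6.2.1-26.0.5"` is added directly below it, so the mapping (which begins outside the hunk) now carries two `tag` keys. Duplicate keys are invalid YAML; lenient parsers keep the last one and strict ones reject the file, so whether the pinned version or the mutable `edge` tag is deployed depends on the loader. Deleting `tag: edge` together with the two comment lines above it leaves the pinned tag as the only value and avoids pulling an unversioned image.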