Compare commits

..

11 commits

Author SHA1 Message Date
89f0101442 Update port name 2024-08-28 16:59:42 +02:00
f3bd608ed1 Update port no 2024-08-28 16:59:28 +02:00
d0ca62856e Update secret name 2024-08-28 16:44:54 +02:00
552ca1b6c4 Add keys to spec and to ingress generation 2024-08-28 16:35:02 +02:00
efad4b46a9 Add defaults for ratelimit 2024-08-28 16:34:21 +02:00
60049acd07 Fix number 2024-08-28 15:50:14 +02:00
ddcc43ddd9 Fix cert issue 2024-08-28 15:42:27 +02:00
8d7c010733 Update keyword order 2024-08-28 15:07:26 +02:00
9d518ba4be Implement and test configmap generation 2024-08-28 15:07:26 +02:00
7037d8a92a Update secret generation and tests 2024-08-28 14:48:54 +02:00
aa9bfc482d Update and test deployment generation 2024-08-28 14:24:23 +02:00
6 changed files with 60 additions and 83 deletions

View file

@ -19,7 +19,9 @@
:postgres-size :2gb :postgres-size :2gb
:db-name "keycloak" :db-name "keycloak"
:pv-storage-size-gb 30 :pv-storage-size-gb 30
:pvc-storage-class-name default-storage-class}) :pvc-storage-class-name default-storage-class
:max-rate 100
:max-concurrent-requests 50})
(def config? (s/keys :req-un [::kc/fqdn] (def config? (s/keys :req-un [::kc/fqdn]
:opt-un [::kc/issuer :opt-un [::kc/issuer
@ -38,7 +40,8 @@
(cm/concat-vec (cm/concat-vec
(ns/generate config) (ns/generate config)
(postgres/generate-config config) (postgres/generate-config config)
[(kc/generate-service config) [(kc/generate-configmap config)
(kc/generate-service config)
(kc/generate-deployment config)] (kc/generate-deployment config)]
(kc/generate-ratelimit-ingress config) (kc/generate-ratelimit-ingress config)
(when (contains? config :mon-cfg) (when (contains? config :mon-cfg)

View file

@ -16,8 +16,11 @@
(s/def ::keycloak-admin-user cp/bash-env-string?) (s/def ::keycloak-admin-user cp/bash-env-string?)
(s/def ::keycloak-admin-password cp/bash-env-string?) (s/def ::keycloak-admin-password cp/bash-env-string?)
(def config? (s/keys :req-un [::fqdn (def config? (s/keys :req-un [::fqdn]
::namespace])) :opt-un [::issuer
::namespace
::max-rate
::burst-rate]))
(def auth? (s/keys :req-un [::keycloak-admin-user (def auth? (s/keys :req-un [::keycloak-admin-user
::keycloak-admin-password])) ::keycloak-admin-password]))
@ -30,8 +33,8 @@
[config config?] [config config?]
(let [{:keys [fqdn max-rate max-concurrent-requests namespace]} config] (let [{:keys [fqdn max-rate max-concurrent-requests namespace]} config]
(ing/generate-simple-ingress (merge (ing/generate-simple-ingress (merge
{:service-name "forgejo-service" {:service-name "keycloak"
:service-port 3000 :service-port 8080
:fqdns [fqdn] :fqdns [fqdn]
:average-rate max-rate :average-rate max-rate
:burst-rate max-concurrent-requests :burst-rate max-concurrent-requests
@ -42,12 +45,23 @@
[config config? [config config?
auth auth?] auth auth?]
(let [{:keys [namespace]} config (let [{:keys [namespace]} config
{:keys [keycloak-admin-user keycloak-admin-password]} auth] {:keys [keycloak-admin-user keycloak-admin-password postgres-db-user postgres-db-password]} auth]
(-> (->
(yaml/load-as-edn "keycloak/secret.yaml") (yaml/load-as-edn "keycloak/secret.yaml")
(cm/replace-all-matching "NAMESPACE" namespace) (cm/replace-all-matching "NAMESPACE" namespace)
(cm/replace-key-value :keycloak-user (b64/encode keycloak-admin-user)) (cm/replace-all-matching "DBUSER" (b64/encode postgres-db-user))
(cm/replace-key-value :keycloak-password (b64/encode keycloak-admin-password))))) (cm/replace-all-matching "DBPW" (b64/encode postgres-db-password))
(cm/replace-all-matching "ADMIN_USER" (b64/encode keycloak-admin-user))
(cm/replace-all-matching "ADMIN_PASS" (b64/encode keycloak-admin-password)))))
(defn-spec generate-configmap cp/map-or-seq?
[config config?]
(let [{:keys [namespace fqdn]} config]
(->
(yaml/load-as-edn "keycloak/configmap.yaml")
(cm/replace-all-matching "NAMESPACE" namespace)
(cm/replace-all-matching "FQDN" fqdn)
(cm/replace-all-matching "ADMIN_FQDN" (str "control." fqdn))))) ; TODO Document this
(defn-spec generate-service cp/map-or-seq? (defn-spec generate-service cp/map-or-seq?
[config config?] [config config?]
@ -55,12 +69,11 @@
(-> (->
(yaml/load-as-edn "keycloak/service.yaml") (yaml/load-as-edn "keycloak/service.yaml")
(cm/replace-all-matching "NAMESPACE" namespace)))) (cm/replace-all-matching "NAMESPACE" namespace))))
; TODO: Fix test
(defn-spec generate-deployment cp/map-or-seq? (defn-spec generate-deployment cp/map-or-seq?
[config config?] [config config?]
(let [{:keys [fqdn namespace]} config] (let [{:keys [fqdn namespace]} config]
(-> (->
(yaml/load-as-edn "keycloak/deployment.yaml") (yaml/load-as-edn "keycloak/deployment.yaml")
(cm/replace-all-matching "NAMESPACE" namespace) (cm/replace-all-matching "NAMESPACE" namespace))))
(cm/replace-all-matching "FQDN" fqdn))))

View file

@ -1,4 +1,3 @@
# TODO: Make generate-configmap function
apiVersion: v1 apiVersion: v1
kind: ConfigMap kind: ConfigMap
metadata: metadata:
@ -10,10 +9,9 @@ data:
KC_HOSTNAME: FQDN KC_HOSTNAME: FQDN
KC_HOSTNAME_ADMIN: ADMIN_FQDN KC_HOSTNAME_ADMIN: ADMIN_FQDN
KC_PROXY: edge KC_PROXY: edge
DB_VENDOR: POSTGRES KC_DB: postgres
DB_ADDR: postgresql-service KC_DB_URL_HOST: postgresql-service
DB_SCHEMA: public KC_DB_URL_PORT: "5432"
DB_DATABASE: postgres
# TODO Do we need to enable http, as we are behind ingress? # TODO Do we need to enable http, as we are behind ingress?
# KC_HTTP_ENABLED: true # KC_HTTP_ENABLED: true
# TODO Maybe also enable load shedding # TODO Maybe also enable load shedding

View file

@ -32,7 +32,7 @@ spec:
- secretRef: - secretRef:
name: keycloak-secret name: keycloak-secret
ports: ports:
- name: http - name: keycloak
containerPort: 8080 containerPort: 8080
volumes: volumes:
- name: keycloak-cert - name: keycloak-cert

View file

@ -1,4 +1,3 @@
# TODO: Update generate-secret function
apiVersion: v1 apiVersion: v1
kind: Secret kind: Secret
metadata: metadata:
@ -6,7 +5,7 @@ metadata:
namespace: NAMESPACE namespace: NAMESPACE
type: Opaque type: Opaque
data: data:
DB_USER: DBUSER KC_DB_USERNAME: DBUSER
DB_PASSWORD: DBPW KC_DB_PASSWORD: DBPW
KEYCLOAK_ADMIN: ADMIN_USER KEYCLOAK_ADMIN: ADMIN_USER
KEYCLOAK_ADMIN_PASSWORD: ADMIN_PASS KEYCLOAK_ADMIN_PASSWORD: ADMIN_PASS

View file

@ -13,66 +13,30 @@
:metadata {:name "keycloak-secret", :namespace "keycloak"} :metadata {:name "keycloak-secret", :namespace "keycloak"}
:type "Opaque" :type "Opaque"
:data :data
{:keycloak-user "dXNlcg==" {:KC_DB_USERNAME "a2V5Y2xvYWs="
:keycloak-password "cGFzc3dvcmQ="}} :KC_DB_PASSWORD "ZGItcGFzc3dvcmQ="
(cut/generate-secret {:namespace "keycloak" :fqdn "test.de"} {:keycloak-admin-user "user" :keycloak-admin-password "password"})))) :KEYCLOAK_ADMIN "dXNlcg=="
:KEYCLOAK_ADMIN_PASSWORD "cGFzc3dvcmQ="}}
(cut/generate-secret {:namespace "keycloak" :fqdn "test.de"}
{:keycloak-admin-user "user" :keycloak-admin-password "password"
:postgres-db-user "keycloak"
:postgres-db-password "db-password"}))))
(deftest should-generate-configmap
(is (= {:apiVersion "v1",
:kind "ConfigMap",
:metadata {:name "keycloak-env", :namespace "keycloak"},
:data
{:KC_HTTPS_CERTIFICATE_FILE "/etc/certs/tls.crt",
:KC_HTTPS_CERTIFICATE_KEY_FILE "/etc/certs/tls.key",
:KC_HOSTNAME "test.de" ,
:KC_HOSTNAME_ADMIN "control.test.de",
:KC_PROXY "edge",
:KC_DB "postgres",
:KC_DB_URL_HOST "postgresql-service",
:KC_DB_URL_PORT 5432}}
(cut/generate-configmap {:namespace "keycloak" :fqdn "test.de"}))))
(deftest should-generate-deployment (deftest should-generate-deployment
(is (= {:apiVersion "apps/v1", (is (= {:name "keycloak", :namespace "keycloak", :labels {:app "keycloak"}}
:kind "Deployment", (:metadata (cut/generate-deployment {:fqdn "example.com" :namespace "keycloak"})))))
:metadata
{:name "keycloak", :namespace "keycloak", :labels {:app "keycloak"}},
:spec
{:replicas 1,
:selector {:matchLabels {:app "keycloak"}},
:template
{:metadata {:labels {:app "keycloak"}},
:spec
{:containers
[{:name "keycloak",
:image "quay.io/keycloak/keycloak:20.0.3",
:imagePullPolicy "IfNotPresent",
:args ["start"],
:volumeMounts
[{:name "keycloak-cert",
:mountPath "/etc/certs",
:readOnly true}],
:env
[{:name "KC_HTTPS_CERTIFICATE_FILE",
:value "/etc/certs/tls.crt"}
{:name "KC_HTTPS_CERTIFICATE_KEY_FILE",
:value "/etc/certs/tls.key"}
{:name "KC_HOSTNAME", :value "test.de"}
{:name "KC_PROXY", :value "edge"}
{:name "DB_VENDOR", :value "POSTGRES"}
{:name "DB_ADDR", :value "postgresql-service"}
{:name "DB_SCHEMA", :value "public"}
{:name "DB_DATABASE",
:valueFrom
{:configMapKeyRef
{:name "postgres-config", :key "postgres-db"}}}
{:name "DB_USER",
:valueFrom
{:secretKeyRef
{:name "postgres-secret", :key "postgres-user"}}}
{:name "DB_PASSWORD",
:valueFrom
{:secretKeyRef
{:name "postgres-secret", :key "postgres-password"}}}
{:name "KEYCLOAK_ADMIN",
:valueFrom
{:secretKeyRef
{:name "keycloak-secret", :key "keycloak-user"}}}
{:name "KEYCLOAK_ADMIN_PASSWORD",
:valueFrom
{:secretKeyRef
{:name "keycloak-secret", :key "keycloak-password"}}}],
:ports [{:name "http", :containerPort 8080}]}],
:volumes
[{:name "keycloak-cert",
:secret
{:secretName "keycloak",
:items
[{:key "tls.crt", :path "tls.crt"}
{:key "tls.key", :path "tls.key"}]}}]}}}}
(cut/generate-deployment {:fqdn "test.de" :namespace "keycloak"}))))