From 2c68c5494c4b08d1fb171dad3323b20d5052fced Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ibone=20Gonz=C3=A1lez=20Mauraza?=
Date: Wed, 11 May 2022 21:13:05 +0200
Subject: [PATCH] [bitnami/keycloak] Keycloak 17 (#10095)
* update keycloak
Signed-off-by: mauraza
* update chart version
Signed-off-by: mauraza
* delete variables
Signed-off-by: mauraza
* [skip ci] Update README.md with readme-generator-for-helm
Signed-off-by: Bitnami Containers
* update notes
Signed-off-by: mauraza
* delete serviceDiscovery
Signed-off-by: mauraza
* [skip ci] Update README.md with readme-generator-for-helm
Signed-off-by: Bitnami Containers
* update test y some auth
Signed-off-by: mauraza
* [bitnami/keycloak] Update components versions
Signed-off-by: Bitnami Containers
Co-authored-by: Bitnami Containers
---
.../cypress/cypress/support/commands.js | 2 +-
bitnami/keycloak/Chart.lock | 8 +-
bitnami/keycloak/Chart.yaml | 4 +-
bitnami/keycloak/README.md | 80 +++++++++----------
bitnami/keycloak/ci/values-ha.yaml | 5 --
bitnami/keycloak/templates/NOTES.txt | 8 +-
bitnami/keycloak/templates/_helpers.tpl | 13 ---
.../templates/configmap-env-vars.yaml | 9 +--
.../templates/keycloak-config-cli-job.yaml | 2 +-
bitnami/keycloak/templates/statefulset.yaml | 6 +-
bitnami/keycloak/values.yaml | 39 ++-------
11 files changed, 58 insertions(+), 118 deletions(-)
diff --git a/.vib/keycloak/cypress/cypress/support/commands.js b/.vib/keycloak/cypress/cypress/support/commands.js
index aa9a2d3311..38d3f8084e 100644
--- a/.vib/keycloak/cypress/cypress/support/commands.js
+++ b/.vib/keycloak/cypress/cypress/support/commands.js
@@ -16,7 +16,7 @@ Cypress.Commands.add(
 'login',
 (username = Cypress.env('username'), password = Cypress.env('password')) => {
 cy.clearCookies();
- cy.visit('/auth/admin');
+ cy.visit('/admin');
 cy.get('.login-pf-header').should('be.visible');
 cy.get('input#username').type(username);
 cy.get('input#password').type(password);
diff --git a/bitnami/keycloak/Chart.lock b/bitnami/keycloak/Chart.lock
index 388323e695..76f1486ddf 100644
--- a/bitnami/keycloak/Chart.lock
+++ b/bitnami/keycloak/Chart.lock
@@ -1,9 +1,9 @@
 dependencies:
 - name: postgresql
 repository: https://charts.bitnami.com/bitnami
- version: 11.1.22
+ version: 11.1.28
 - name: common
 repository: https://charts.bitnami.com/bitnami
- version: 1.13.0
-digest: sha256:b60a9ec850facc2ea59c40c0a160050f7720192fd683ad84bfa75442e151e2d6
-generated: "2022-04-21T13:59:00.123662927Z"
+ version: 1.13.1
+digest: sha256:280e9296644455995d6291fb329389f49d606b7050e83c7b18bb3c13a0fafada
+generated: "2022-05-11T16:45:22.285824806Z"
diff --git a/bitnami/keycloak/Chart.yaml b/bitnami/keycloak/Chart.yaml
index ece15a192f..3774537401 100644
--- a/bitnami/keycloak/Chart.yaml
+++ b/bitnami/keycloak/Chart.yaml
@@ -1,7 +1,7 @@
 annotations:
 category: DeveloperTools
 apiVersion: v2
-appVersion: 16.1.1
+appVersion: 17.0.1
 dependencies:
 - condition: postgresql.enabled
 name: postgresql
@@ -26,4 +26,4 @@ name: keycloak
 sources:
 - https://github.com/bitnami/bitnami-docker-keycloak
 - https://github.com/keycloak/keycloak
-version: 7.1.19
+version: 8.0.0
diff --git a/bitnami/keycloak/README.md b/bitnami/keycloak/README.md
index f4693678d9..f64e763a29 100644
--- a/bitnami/keycloak/README.md
+++ b/bitnami/keycloak/README.md
@@ -80,49 +80,43 @@ The command removes all the Kubernetes components associated with the chart and
 ### Keycloak parameters
-| Name | Description | Value |
-| --------------------------------- | --------------------------------------------------------------------------------------------- | ---------------------- |
-| `image.registry` | Keycloak image registry | `docker.io` |
-| `image.repository` | Keycloak image repository | `bitnami/keycloak` |
-| `image.tag` | Keycloak image tag (immutable tags are recommended) | `16.1.1-debian-10-r85` |
-| `image.pullPolicy` | Keycloak image pull policy | `IfNotPresent` |
-| `image.pullSecrets` | Specify docker-registry secret names as an array | `[]` |
-| `image.debug` | Specify if debug logs should be enabled | `false` |
-| `auth.createAdminUser` | Create administrator user on boot | `true` |
-| `auth.adminUser` | Keycloak administrator user | `user` |
-| `auth.adminPassword` | Keycloak administrator password for the new user | `""` |
-| `auth.managementUser` | Wildfly management user | `manager` |
-| `auth.managementPassword` | Wildfly management password | `""` |
-| `auth.existingSecret` | An already existing secret containing auth info | `""` |
-| `auth.existingSecretPerPassword` | Override `existingSecret` and other secret values | `{}` |
-| `auth.tls.enabled` | Enable TLS encryption | `false` |
-| `auth.tls.autoGenerated` | Generate automatically self-signed TLS certificates. Currently only supports PEM certificates | `false` |
-| `auth.tls.existingSecret` | Existing secret containing the TLS certificates per Keycloak replica | `""` |
-| `auth.tls.usePem` | Use PEM certificates as input instead of PKS12/JKS stores | `false` |
-| `auth.tls.truststoreFilename` | Truststore specific filename inside the existing secret | `""` |
-| `auth.tls.keystoreFilename` | Keystore specific filename inside the existing secret | `""` |
-| `auth.tls.jksSecret` | DEPRECATED. 
Use `auth.tls.existingSecret` instead | `""` |
-| `auth.tls.keystorePassword` | Password to access the keystore when it's password-protected | `""` |
-| `auth.tls.truststorePassword` | Password to access the truststore when it's password-protected | `""` |
-| `auth.tls.resources.limits` | The resources limits for the TLS init container | `{}` |
-| `auth.tls.resources.requests` | The requested resources for the TLS init container | `{}` |
-| `proxyAddressForwarding` | Enable Proxy Address Forwarding | `false` |
-| `serviceDiscovery.enabled` | Enable Service Discovery for Keycloak (required if `replicaCount` > `1`) | `false` |
-| `serviceDiscovery.protocol` | Sets the protocol that Keycloak nodes would use to discover new peers | `kubernetes.KUBE_PING` |
-| `serviceDiscovery.properties` | Properties for the discovery protocol set in `serviceDiscovery.protocol` parameter | `[]` |
-| `serviceDiscovery.transportStack` | Transport stack for the discovery protocol set in `serviceDiscovery.protocol` parameter | `tcp` |
-| `cache.ownersCount` | Number of nodes that will replicate cached data | `1` |
-| `cache.authOwnersCount` | Number of nodes that will replicate cached authentication data | `1` |
-| `configuration` | Keycloak Configuration. 
Auto-generated based on other parameters when not specified | `""` |
-| `existingConfigmap` | Name of existing ConfigMap with Keycloak configuration | `""` |
-| `extraStartupArgs` | Extra default startup args | `""` |
-| `initdbScripts` | Dictionary of initdb scripts | `{}` |
-| `initdbScriptsConfigMap` | ConfigMap with the initdb scripts (Note: Overrides `initdbScripts`) | `""` |
-| `command` | Override default container command (useful when using custom images) | `[]` |
-| `args` | Override default container args (useful when using custom images) | `[]` |
-| `extraEnvVars` | Extra environment variables to be set on Keycloak container | `[]` |
-| `extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars | `""` |
-| `extraEnvVarsSecret` | Name of existing Secret containing extra env vars | `""` |
+| Name | Description | Value |
+| -------------------------------- | --------------------------------------------------------------------------------------------- | --------------------- |
+| `image.registry` | Keycloak image registry | `docker.io` |
+| `image.repository` | Keycloak image repository | `bitnami/keycloak` |
+| `image.tag` | Keycloak image tag (immutable tags are recommended) | `17.0.1-debian-10-r0` |
+| `image.pullPolicy` | Keycloak image pull policy | `IfNotPresent` |
+| `image.pullSecrets` | Specify docker-registry secret names as an array | `[]` |
+| `image.debug` | Specify if debug logs should be enabled | `false` |
+| `auth.createAdminUser` | Create administrator user on boot | `true` |
+| `auth.adminUser` | Keycloak administrator user | `user` |
+| `auth.adminPassword` | Keycloak administrator password for the new user | `""` |
+| `auth.managementUser` | Wildfly management user | `manager` |
+| `auth.managementPassword` | Wildfly management password | `""` |
+| `auth.existingSecret` | An already existing secret containing auth info | `""` |
+| `auth.existingSecretPerPassword` | Override `existingSecret` and other secret values | `{}` |
+| `auth.tls.enabled` | Enable TLS encryption | `false` |
+| `auth.tls.autoGenerated` | Generate automatically self-signed TLS certificates. Currently only supports PEM certificates | `false` |
+| `auth.tls.existingSecret` | Existing secret containing the TLS certificates per Keycloak replica | `""` |
+| `auth.tls.usePem` | Use PEM certificates as input instead of PKS12/JKS stores | `false` |
+| `auth.tls.truststoreFilename` | Truststore specific filename inside the existing secret | `""` |
+| `auth.tls.keystoreFilename` | Keystore specific filename inside the existing secret | `""` |
+| `auth.tls.jksSecret` | DEPRECATED. Use `auth.tls.existingSecret` instead | `""` |
+| `auth.tls.keystorePassword` | Password to access the keystore when it's password-protected | `""` |
+| `auth.tls.truststorePassword` | Password to access the truststore when it's password-protected | `""` |
+| `auth.tls.resources.limits` | The resources limits for the TLS init container | `{}` |
+| `auth.tls.resources.requests` | The requested resources for the TLS init container | `{}` |
+| `proxy` | reverse Proxy mode edge, reencrypt, passthrough or none | `passthrough` |
+| `configuration` | Keycloak Configuration. 
Auto-generated based on other parameters when not specified | `""` |
+| `existingConfigmap` | Name of existing ConfigMap with Keycloak configuration | `""` |
+| `extraStartupArgs` | Extra default startup args | `""` |
+| `initdbScripts` | Dictionary of initdb scripts | `{}` |
+| `initdbScriptsConfigMap` | ConfigMap with the initdb scripts (Note: Overrides `initdbScripts`) | `""` |
+| `command` | Override default container command (useful when using custom images) | `[]` |
+| `args` | Override default container args (useful when using custom images) | `[]` |
+| `extraEnvVars` | Extra environment variables to be set on Keycloak container | `[]` |
+| `extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars | `""` |
+| `extraEnvVarsSecret` | Name of existing Secret containing extra env vars | `""` |
 ### Keycloak statefulset parameters
diff --git a/bitnami/keycloak/ci/values-ha.yaml b/bitnami/keycloak/ci/values-ha.yaml
index 4d631741b2..2edc716551 100644
--- a/bitnami/keycloak/ci/values-ha.yaml
+++ b/bitnami/keycloak/ci/values-ha.yaml
@@ -1,8 +1,3 @@
-serviceDiscovery:
- enabled: true
-cache:
- ownersCount: 2
- authOwnersCount: 2
 replicaCount: 2
 rbac:
 create: true
diff --git a/bitnami/keycloak/templates/NOTES.txt b/bitnami/keycloak/templates/NOTES.txt
index acb9e0b936..46105b3750 100644
--- a/bitnami/keycloak/templates/NOTES.txt
+++ b/bitnami/keycloak/templates/NOTES.txt
@@ -15,7 +15,7 @@ To access Keycloak from outside the cluster execute the following commands:
 1. Get the Keycloak URL and associate its hostname to your cluster external IP:
 export CLUSTER_IP=$(minikube ip) # On Minikube. Use: `kubectl cluster-info` on others K8s clusters
- echo "Keycloak URL: http{{ if .Values.ingress.tls }}s{{ end }}://{{ .Values.ingress.hostname }}/auth"
+ echo "Keycloak URL: http{{ if .Values.ingress.tls }}s{{ end }}://{{ .Values.ingress.hostname }}/"
 echo "$CLUSTER_IP {{ .Values.ingress.hostname }}" | sudo tee -a /etc/hosts
 {{- else }}
@@ -26,7 +26,7 @@ To access Keycloak from outside the cluster execute the following commands:
 export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "common.names.fullname" . }})
 export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
- echo "http://${NODE_IP}:${NODE_PORT}/auth"
+ echo "http://${NODE_IP}:${NODE_PORT}/"
 {{- else if contains "LoadBalancer" .Values.service.type }}
@@ -35,13 +35,13 @@ To access Keycloak from outside the cluster execute the following commands:
 export SERVICE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].port}" services {{ include "common.names.fullname" . }})
 export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "common.names.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
- echo "http://${SERVICE_IP}:${SERVICE_PORT}/auth"
+ echo "http://${SERVICE_IP}:${SERVICE_PORT}/"
 {{- else if contains "ClusterIP" .Values.service.type }}
 export SERVICE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].port}" services {{ include "common.names.fullname" . }})
 kubectl port-forward --namespace {{ .Release.Namespace }} svc/{{ include "common.names.fullname" . }} ${SERVICE_PORT}:${SERVICE_PORT} &
- echo "http://127.0.0.1:${SERVICE_PORT}/auth"
+ echo "http://127.0.0.1:${SERVICE_PORT}/"
 {{- end }}
 {{- end }}
diff --git a/bitnami/keycloak/templates/_helpers.tpl b/bitnami/keycloak/templates/_helpers.tpl
index 3183a8bc13..1a7d8f6373 100644
--- a/bitnami/keycloak/templates/_helpers.tpl
+++ b/bitnami/keycloak/templates/_helpers.tpl
@@ -232,7 +232,6 @@ Compile all warnings into a single message.
 */}}
 {{- define "keycloak.validateValues" -}}
 {{- $messages := list -}}
-{{- $messages := append $messages (include "keycloak.validateValues.replicaCount" .) -}}
 {{- $messages := append $messages (include "keycloak.validateValues.database" .) -}}
 {{- $messages := append $messages (include "keycloak.validateValues.auth.tls" .) -}}
 {{- $messages := without $messages "" -}}
@@ -243,18 +242,6 @@ Compile all warnings into a single message.
 {{- end -}}
 {{- end -}}
-{{/* Validate values of Keycloak - number of replicas */}}
-{{- define "keycloak.validateValues.replicaCount" -}}
-{{- $replicaCount := int .Values.replicaCount }}
-{{- if and (not .Values.serviceDiscovery.enabled) (gt $replicaCount 1) -}}
-keycloak: replicaCount
- You need to configure the ServiceDiscovery settings to run more than 1 replica.
- Enable the Service Discovery (--set serviceDiscovery.enabled=true) and
- set the Service Discovery protocol (--set serviceDiscovery.protocol="FOO") and
- the Service Discovery properties (--set serviceDiscovery.properties[0]="BAR") if needed.
-{{- end -}}
-{{- end -}}
-
 {{/* Validate values of Keycloak - database */}}
 {{- define "keycloak.validateValues.database" -}}
 {{- if and (not .Values.postgresql.enabled) (not .Values.externalDatabase.host) (not .Values.externalDatabase.existingSecret) -}}
diff --git a/bitnami/keycloak/templates/configmap-env-vars.yaml b/bitnami/keycloak/templates/configmap-env-vars.yaml
index 4a2631424b..3a8a936c83 100644
--- a/bitnami/keycloak/templates/configmap-env-vars.yaml
+++ b/bitnami/keycloak/templates/configmap-env-vars.yaml
@@ -16,19 +16,12 @@ data:
 KEYCLOAK_ADMIN_USER: {{ .Values.auth.adminUser | quote }}
 KEYCLOAK_MANAGEMENT_USER: {{ .Values.auth.managementUser | quote }}
 KEYCLOAK_HTTP_PORT: {{ .Values.containerPorts.http | quote }}
- KEYCLOAK_PROXY_ADDRESS_FORWARDING: {{ ternary "true" "false" .Values.proxyAddressForwarding | quote }}
+ KEYCLOAK_PROXY: {{ .Values.proxy }}
 KEYCLOAK_ENABLE_STATISTICS: {{ ternary "true" "false" .Values.metrics.enabled | quote }}
 KEYCLOAK_DATABASE_HOST: {{ include "keycloak.databaseHost" . | quote }}
 KEYCLOAK_DATABASE_PORT: {{ include "keycloak.databasePort" . }}
 KEYCLOAK_DATABASE_NAME: {{ include "keycloak.databaseName" . | quote }}
 KEYCLOAK_DATABASE_USER: {{ include "keycloak.databaseUser" . | quote }}
- {{- if .Values.serviceDiscovery.enabled }}
- KEYCLOAK_JGROUPS_DISCOVERY_PROTOCOL: {{ .Values.serviceDiscovery.protocol | quote }}
- KEYCLOAK_JGROUPS_DISCOVERY_PROPERTIES: {{ (tpl (join "," .Values.serviceDiscovery.properties) $) | quote }}
- KEYCLOAK_JGROUPS_TRANSPORT_STACK: {{ .Values.serviceDiscovery.transportStack | quote }}
- {{- end }}
- KEYCLOAK_CACHE_OWNERS_COUNT: {{ .Values.cache.ownersCount | quote }}
- KEYCLOAK_AUTH_CACHE_OWNERS_COUNT: {{ .Values.cache.authOwnersCount | quote }}
 KEYCLOAK_ENABLE_TLS: {{ ternary "true" "false" .Values.auth.tls.enabled | quote }}
 {{- if .Values.auth.tls.enabled }}
 KEYCLOAK_HTTPS_PORT: {{ .Values.containerPorts.https | quote }}
diff --git a/bitnami/keycloak/templates/keycloak-config-cli-job.yaml b/bitnami/keycloak/templates/keycloak-config-cli-job.yaml
index 17807e12ac..13cb3d0640 100644
--- a/bitnami/keycloak/templates/keycloak-config-cli-job.yaml
+++ b/bitnami/keycloak/templates/keycloak-config-cli-job.yaml
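Review bot: `KEYCLOAK_PROXY: {{ .Values.proxy }}` is the only entry in this data block rendered without `| quote`, so an empty or otherwise non-string value would render as a bare (null) ConfigMap entry and fail at apply time rather than as a clear template error; `KEYCLOAK_PROXY: {{ .Values.proxy | quote }}` keeps it consistent with its neighbours. The value is also passed through unchecked even though the chart already funnels input checks through `keycloak.validateValues`; a guard such as `{{- if not (has .Values.proxy (list "edge" "reencrypt" "passthrough" "none")) -}}` in a new `keycloak.validateValues.proxy` helper, wired into the message list like the database and TLS checks, would turn a typo into an install-time error instead of a silently mis-configured proxy mode, which matters because (if I read the linked reverse-proxy guide correctly) that mode decides whether Keycloak trusts `X-Forwarded-*` headers from the ingress. Separately, the removed `KEYCLOAK_JGROUPS_*` and `KEYCLOAK_*CACHE_OWNERS_COUNT` entries have no replacement anywhere in this patch, and the replicaCount validation that tied them to `replicaCount > 1` is deleted from _helpers.tpl in the same commit, so a multi-replica install (ci/values-ha.yaml keeps `replicaCount: 2`) now renders with no clustering configuration at all. If the 17.x image configures Infinispan/JGroups discovery on its own, a short comment here saying so would save the next reader the same question; otherwise the dropped values need a successor.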
@@ -60,7 +60,7 @@ spec:
 {{- end }}
 env:
 - name: KEYCLOAK_URL
- value: {{ printf "http://%s-headless:%d/auth" (include "keycloak.fullname" .) (.Values.containerPorts.http | int) }}
+ value: {{ printf "http://%s-headless:%d/" (include "keycloak.fullname" .) (.Values.containerPorts.http | int) }}
 - name: KEYCLOAK_USER
 value: {{ .Values.auth.adminUser | quote }}
 - name: KEYCLOAK_PASSWORD
diff --git a/bitnami/keycloak/templates/statefulset.yaml b/bitnami/keycloak/templates/statefulset.yaml
index 762c5a75c8..d47d8ac36d 100644
--- a/bitnami/keycloak/templates/statefulset.yaml
+++ b/bitnami/keycloak/templates/statefulset.yaml
@@ -294,7 +294,7 @@ spec:
 {{- if .Values.startupProbe.enabled }}
 startupProbe: {{- omit .Values.startupProbe "enabled" | toYaml | nindent 12 }}
 httpGet:
- path: /auth/
+ path: /
 port: http
 {{- else if .Values.customStartupProbe }}
 startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customStartupProbe "context" $) | nindent 12 }}
@@ -302,7 +302,7 @@ spec:
 {{- if .Values.livenessProbe.enabled }}
 livenessProbe: {{- omit .Values.livenessProbe "enabled" | toYaml | nindent 12 }}
 httpGet:
- path: /auth/
+ path: /
 port: http
 {{- else if .Values.customLivenessProbe }}
 livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customLivenessProbe "context" $) | nindent 12 }}
@@ -310,7 +310,7 @@ spec:
 {{- if .Values.readinessProbe.enabled }}
 readinessProbe: {{- omit .Values.readinessProbe "enabled" | toYaml | nindent 12 }}
 httpGet:
- path: /auth/realms/master
+ path: /realms/master
 port: http
 {{- else if .Values.customReadinessProbe }}
 readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customReadinessProbe "context" $) | nindent 12 }}
diff --git a/bitnami/keycloak/values.yaml b/bitnami/keycloak/values.yaml
index 7d4c50f640..7bca0b2537 100644
--- a/bitnami/keycloak/values.yaml
+++ b/bitnami/keycloak/values.yaml
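Review bot: The startup and liveness probes now hit `/`, which on Keycloak 17 is the welcome page rather than a health signal, so a pod whose HTTP listener is up but whose server is otherwise unhealthy still passes. Keycloak 17 exposes dedicated `/health/live` and `/health/ready` endpoints when its health option is enabled; whether the Bitnami image turns that on is not visible in this patch, so it needs confirming before switching, and if it is off then `/realms/master` for readiness (which at least exercises the realm lookup) is the right choice and this change is fine as written. Either way, a one-line comment above the startup probe recording why `/` was chosen over the health endpoints would stop the next reviewer asking the same question. All three probes still target port `http`, so with `auth.tls.enabled` they keep using the plaintext port; that is pre-existing and unchanged by this commit.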
@@ -70,7 +70,7 @@ diagnosticMode:
 image:
 registry: docker.io
 repository: bitnami/keycloak
- tag: 16.1.1-debian-10-r85
+ tag: 17.0.1-debian-10-r0
 ## Specify a imagePullPolicy
 ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
 ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images
@@ -201,42 +201,13 @@ auth:
 ## memory: 128Mi
 ##
 requests: {}
-## @param proxyAddressForwarding Enable Proxy Address Forwarding
-## ref: https://www.keycloak.org/docs/latest/server_installation/#_setting-up-a-load-balancer-or-proxy
+## @param proxy reverse Proxy mode edge, reencrypt, passthrough or none
+## ref: https://www.keycloak.org/server/reverseproxy
 ##
-proxyAddressForwarding: false
+proxy: passthrough
 ## Keycloak Service Discovery settings
 ## ref: https://github.com/bitnami/bitnami-docker-keycloak#cluster-configuration
 ##
-serviceDiscovery:
- ## @param serviceDiscovery.enabled Enable Service Discovery for Keycloak (required if `replicaCount` > `1`)
- ##
- enabled: false
- ## @param serviceDiscovery.protocol Sets the protocol that Keycloak nodes would use to discover new peers
- ## Available protocols can be found at http://www.jgroups.org/javadoc3/org/jgroups/protocols/
- ##
- protocol: kubernetes.KUBE_PING
- ## @param serviceDiscovery.properties Properties for the discovery protocol set in `serviceDiscovery.protocol` parameter
- ## List of key=>value pairs
- ## Example:
- ## properties:
- ## - datasource_jndi_name=>"java:jboss/datasources/KeycloakDS"
- ## - initialize_sql=>"CREATE TABLE IF NOT EXISTS JGROUPSPING ( own_addr varchar(200) NOT NULL, cluster_name varchar(200) NOT NULL, created timestamp default current_timestamp, ping_data BYTEA, constraint PK_JGROUPSPING PRIMARY KEY (own_addr, cluster_name))"
- ##
- properties: []
- ## @param serviceDiscovery.transportStack Transport stack for the discovery protocol set in `serviceDiscovery.protocol` parameter
- ##
- transportStack: tcp
-## Keycloak cache settings
-## ref: https://github.com/bitnami/bitnami-docker-keycloak#cluster-configuration
-##
-cache:
- ## @param cache.ownersCount Number of nodes that will replicate cached data
- ##
- ownersCount: 1
- ## @param cache.authOwnersCount Number of nodes that will replicate cached authentication data
- ##
- authOwnersCount: 1
 ## @param configuration Keycloak 
Configuration. Auto-generated based on other parameters when not specified
 ## Specify content for standalone-ha.xml
 ## NOTE: This will override configuring Keycloak based on environment variables (including those set by the chart)
@@ -804,7 +775,7 @@ keycloakConfigCli:
 image:
 registry: docker.io
 repository: bitnami/keycloak-config-cli
- tag: 4.9.0-debian-10-r14
+ tag: 5.2.0-debian-10-r3
 ## Specify a imagePullPolicy
 ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
 ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images
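Review bot: The three context lines `## Keycloak Service Discovery settings`, `## ref: https://github.com/bitnami/bitnami-docker-keycloak#cluster-configuration` and `##` survive the deletion of the `serviceDiscovery:` and `cache:` blocks beneath them, so the patched values.yaml carries a section header for settings that no longer exist, sitting directly above `## @param configuration`; those three lines should go with the block. The new `## @param proxy` line, which readme-generator copies verbatim into the README table, also reads awkwardly and does not say what the choice controls: if I read the reverse-proxy guide it links correctly, only `edge` and `reencrypt` make Keycloak honour `X-Forwarded-*` headers while the `passthrough` default ignores them, so an operator fronting Keycloak with this chart's ingress needs to know to change it, and an operator who should not trust forwarded headers needs to know the default already protects them. Suggested wording: `## @param proxy Reverse proxy mode (edge, reencrypt, passthrough or none). Only edge and reencrypt make Keycloak honour X-Forwarded-* headers from the proxy`. Keeping the header-ignoring mode as the default is the safer of the two choices and is worth stating in the same comment.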