mirror of
https://github.com/bitnami/charts.git
synced 2026-03-07 08:07:55 +08:00
[bitnami/keycloak] Fix Ingress + TLS generation (#8772)
Signed-off-by: juan131 <juanariza@vmware.com>
This commit is contained in:
Juan Ariza Toledano
committed by
GitHub
GitHub
parent
241e4caaac
commit
c7272aeb46
@@ -26,4 +26,4 @@ name: keycloak
|
||||
sources:
|
||||
- https://github.com/bitnami/bitnami-docker-keycloak
|
||||
- https://github.com/keycloak/keycloak
|
||||
version: 6.0.1
|
||||
version: 6.1.0
|
||||
|
||||
@@ -201,6 +201,16 @@ Return true if a TLS secret object should be created
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Return true if cert-manager required annotations for TLS signed certificates are set in the Ingress annotations
|
||||
Ref: https://cert-manager.io/docs/usage/ingress/#supported-annotations
|
||||
*/}}
|
||||
{{- define "keycloak.ingress.certManagerRequest" -}}
|
||||
{{ if or (hasKey . "cert-manager.io/cluster-issuer") (hasKey . "cert-manager.io/issuer") }}
|
||||
{{- true -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Compile all warnings into a single message.
|
||||
*/}}
|
||||
|
||||
@@ -9,34 +9,30 @@ metadata:
|
||||
{{- if .Values.commonLabels }}
|
||||
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- if or .Values.ingress.annotations .Values.commonAnnotations .Values.ingress.certManager }}
|
||||
annotations:
|
||||
{{- if .Values.ingress.certManager }}
|
||||
kubernetes.io/tls-acme: "true"
|
||||
{{- end }}
|
||||
{{- if .Values.ingress.annotations }}
|
||||
{{- include "common.tplvalues.render" ( dict "value" .Values.ingress.annotations "context" $) | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- if .Values.commonAnnotations }}
|
||||
{{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if .Values.ingress.annotations }}
|
||||
{{- include "common.tplvalues.render" (dict "value" .Values.ingress.annotations "context" $) | nindent 4 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
{{- if and .Values.ingress.ingressClassName (eq "true" (include "common.ingress.supportsIngressClassname" .)) }}
|
||||
ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
|
||||
{{- end }}
|
||||
rules:
|
||||
{{- if .Values.ingress.path }}
|
||||
- http:
|
||||
{{- if .Values.ingress.hostname }}
|
||||
- host: {{ .Values.ingress.hostname | quote }}
|
||||
http:
|
||||
paths:
|
||||
{{- if .Values.ingress.extraPaths }}
|
||||
{{- toYaml .Values.ingress.extraPaths | nindent 10 }}
|
||||
{{- end }}
|
||||
- path: {{ .Values.ingress.path }}
|
||||
{{- if eq "true" (include "common.ingress.supportsPathType" .) }}
|
||||
pathType: {{ .Values.ingress.pathType }}
|
||||
{{- end }}
|
||||
backend: {{- include "common.ingress.backend" (dict "serviceName" (include "keycloak.fullname" .) "servicePort" .Values.ingress.servicePort "context" $) | nindent 14 }}
|
||||
{{- if .Values.ingress.hostname }}
|
||||
host: {{ .Values.ingress.hostname }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- range .Values.ingress.extraHosts }}
|
||||
- host: {{ .name }}
|
||||
@@ -48,19 +44,15 @@ spec:
|
||||
{{- end }}
|
||||
backend: {{- include "common.ingress.backend" (dict "serviceName" (include "keycloak.fullname" $) "servicePort" $.Values.ingress.servicePort "context" $) | nindent 14 }}
|
||||
{{- end }}
|
||||
{{- if or .Values.ingress.tls .Values.ingress.extraTls }}
|
||||
{{- if or (and .Values.ingress.tls (or (include "keycloak.ingress.certManagerRequest" .Values.ingress.annotations) .Values.ingress.selfSigned)) .Values.ingress.extraTls }}
|
||||
tls:
|
||||
{{- if .Values.ingress.tls }}
|
||||
{{- if and .Values.ingress.tls (or (include "keycloak.ingress.certManagerRequest" .Values.ingress.annotations) .Values.ingress.selfSigned) }}
|
||||
- hosts:
|
||||
- {{ .Values.ingress.hostname }}
|
||||
{{- if .Values.ingress.existingSecret }}
|
||||
secretName: {{ .Values.ingress.existingSecret }}
|
||||
{{- else }}
|
||||
- {{ .Values.ingress.hostname | quote }}
|
||||
secretName: {{ printf "%s-tls" .Values.ingress.hostname }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if .Values.ingress.extraTls }}
|
||||
{{- include "common.tplvalues.render" ( dict "value" .Values.ingress.extraTls "context" $ ) | nindent 4 }}
|
||||
{{- include "common.tplvalues.render" (dict "value" .Values.ingress.extraTls "context" $) | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
@@ -19,7 +19,8 @@ data:
|
||||
tls.key: {{ .key | b64enc }}
|
||||
---
|
||||
{{- end }}
|
||||
{{- else if and .Values.ingress.tls (not .Values.ingress.certManager) }}
|
||||
{{- end }}
|
||||
{{- if and .Values.ingress.tls .Values.ingress.selfSigned }}
|
||||
{{- $ca := genCA "keycloak-ca" 365 }}
|
||||
{{- $cert := genSignedCert .Values.ingress.hostname nil (list .Values.ingress.hostname) 365 $ca }}
|
||||
apiVersion: v1
|
||||
|
||||
@@ -664,62 +664,68 @@ service:
|
||||
## @param service.annotations Annotations for Keycloak service
|
||||
##
|
||||
annotations: {}
|
||||
## Ingress configuration
|
||||
## Keycloak ingress parameters
|
||||
## ref: https://kubernetes.io/docs/user-guide/ingress/
|
||||
##
|
||||
ingress:
|
||||
## @param ingress.enabled Enable ingress controller resource
|
||||
## @param ingress.enabled Enable ingress record generation for Keycloak
|
||||
##
|
||||
enabled: false
|
||||
## DEPRECATED: Use ingress.annotations instead of ingress.certManager
|
||||
## certManager: false
|
||||
##
|
||||
|
||||
## @param ingress.hostname Default host for the ingress resource
|
||||
##
|
||||
hostname: keycloak.local
|
||||
## @param ingress.apiVersion Force Ingress API version (automatically detected if not set)
|
||||
##
|
||||
apiVersion: ""
|
||||
## @param ingress.ingressClassName IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+)
|
||||
## This is supported in Kubernetes 1.18+ and required if you have more than one IngressClass marked as the default for your cluster
|
||||
## This is supported in Kubernetes 1.18+ and required if you have more than one IngressClass marked as the default for your cluster .
|
||||
## ref: https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/
|
||||
##
|
||||
ingressClassName: ""
|
||||
## @param ingress.path Ingress path
|
||||
##
|
||||
path: /
|
||||
## @param ingress.pathType Ingress path type
|
||||
##
|
||||
pathType: ImplementationSpecific
|
||||
## @param ingress.annotations Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations.
|
||||
## For a full list of possible ingress annotations, please see
|
||||
## ref: https://github.com/kubernetes/ingress-nginx/blob/master/docs/user-guide/nginx-configuration/annotations.md
|
||||
## @param ingress.apiVersion Force Ingress API version (automatically detected if not set)
|
||||
##
|
||||
apiVersion: ""
|
||||
## @param ingress.hostname Default host for the ingress record
|
||||
##
|
||||
hostname: keycloak.local
|
||||
## @param ingress.path Default path for the ingress record
|
||||
##
|
||||
path: /
|
||||
## @param ingress.annotations [object] Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations.
|
||||
## Use this parameter to set the required annotations for cert-manager, see
|
||||
## ref: https://cert-manager.io/docs/usage/ingress/#supported-annotations
|
||||
##
|
||||
## e.g:
|
||||
## annotations:
|
||||
## kubernetes.io/ingress.class: nginx
|
||||
## cert-manager.io/cluster-issuer: cluster-issuer-name
|
||||
##
|
||||
annotations: {}
|
||||
## @param ingress.tls Enable TLS configuration for the hostname defined at `ingress.hostname` parameter
|
||||
## TLS certificates will be retrieved from a TLS secret with name: {{- printf "%s-tls" .Values.ingress.hostname }}
|
||||
## You can use the ingress.secrets parameter to create this TLS secret, relay on cert-manager to create it, or
|
||||
## let the chart create self-signed certificates for you
|
||||
## @param ingress.tls Enable TLS configuration for the host defined at `ingress.hostname` parameter
|
||||
## TLS certificates will be retrieved from a TLS secret with name: `{{- printf "%s-tls" .Values.ingress.hostname }}`
|
||||
## You can:
|
||||
## - Use the `ingress.secrets` parameter to create this TLS secret
|
||||
## - Relay on cert-manager to create it by setting the corresponding annotations
|
||||
## - Relay on Helm to create self-signed certificates by setting `ingress.selfSigned=true`
|
||||
##
|
||||
tls: false
|
||||
## @param ingress.extraHosts The list of additional hostnames to be covered with this ingress record.
|
||||
## Most likely the hostname above will be enough, but in the event more hosts are needed, this is an array
|
||||
## Example:
|
||||
## @param ingress.selfSigned Create a TLS secret for this ingress record using self-signed certificates generated by Helm
|
||||
##
|
||||
selfSigned: false
|
||||
## @param ingress.extraHosts An array with additional hostname(s) to be covered with the ingress record
|
||||
## e.g:
|
||||
## extraHosts:
|
||||
## - name: keycloak.local
|
||||
## path: /
|
||||
##
|
||||
extraHosts: []
|
||||
## @param ingress.extraPaths Any additional arbitrary paths that may need to be added to the ingress under the main host.
|
||||
## For example: The ALB ingress controller requires a special rule for handling SSL redirection.
|
||||
## extraPaths:
|
||||
## - path: /*
|
||||
## backend:
|
||||
## serviceName: ssl-redirect
|
||||
## servicePort: use-annotation
|
||||
##
|
||||
extraPaths: []
|
||||
## @param ingress.extraTls The tls configuration for additional hostnames to be covered with this ingress record.
|
||||
## see: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
|
||||
## Example:
|
||||
## extraTls:
|
||||
## - hosts:
|
||||
## - keycloak.local
|
||||
@@ -727,27 +733,25 @@ ingress:
|
||||
##
|
||||
extraTls: []
|
||||
## @param ingress.secrets If you're providing your own certificates, please use this to add the certificates as secrets
|
||||
## key and certificate should start with -----BEGIN CERTIFICATE----- or -----BEGIN RSA PRIVATE KEY-----
|
||||
## name should line up with a secretName set further up
|
||||
## key and certificate should start with -----BEGIN CERTIFICATE----- or
|
||||
## -----BEGIN RSA PRIVATE KEY-----
|
||||
##
|
||||
## name should line up with a tlsSecret set further up
|
||||
## If you're using cert-manager, this is unneeded, as it will create the secret for you if it is not set
|
||||
##
|
||||
## If it is not set and you're using cert-manager, this is unneeded, as it will create the secret for you
|
||||
## If it is not set and you're NOT using cert-manager either, self-signed certificates will be created
|
||||
## It is also possible to create and manage the certificates outside of this helm chart
|
||||
## Please see README.md for more information
|
||||
##
|
||||
## Example
|
||||
## secrets:
|
||||
## - name: aspnet-core.local-tls
|
||||
## key: ""
|
||||
## certificate: ""
|
||||
## e.g:
|
||||
## - name: keycloak.local-tls
|
||||
## key:
|
||||
## certificate:
|
||||
##
|
||||
secrets: []
|
||||
## @param ingress.existingSecret It is you own the certificate as secret.
|
||||
existingSecret: ""
|
||||
## @param ingress.servicePort Service port to be used
|
||||
## Default is http. Alternative is https.
|
||||
##
|
||||
servicePort: http
|
||||
|
||||
## Network Policy configuration
|
||||
## ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/
|
||||
##
|
||||
|
||||
Reference in New Issue
Block a user