Add support for automated TLS certificates in Keycloak
This update introduces significant enhancements to the Keycloak chart, particularly regarding TLS certificate management. The changes include: - Added the capability to automatically generate and manage TLS certificates using Cert-Manager or Helm, improving the security posture by using self-signed certificates in development scenarios. - Implemented a dedicated ConfigMap to hold keycloak-config-cli configurations and ensured that it is integrated with the job for configuration synchronization. - Enhanced the handling of admin ingress settings and TLS secrets, facilitating smoother access and management for multi-host deployments. - Refactored and reorganized sections to improve readability and maintainability of templates, ensuring adherence to best practices in Helm charts. These improvements aim to streamline deployment, enhance security features, and simplify the management of certificates, facilitating easier Kubernetes operations for users.
@@ -8,102 +8,78 @@ kind: ConfigMap
|
||||
metadata:
|
||||
name: {{ printf "%s-env-vars" (include "common.names.fullname" .) }}
|
||||
namespace: {{ include "common.names.namespace" . | quote }}
|
||||
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
|
||||
labels: {{- include "common.labels.standard" (dict "customLabels" .Values.commonLabels "context" .) | nindent 4 }}
|
||||
app.kubernetes.io/component: keycloak
|
||||
app.kubernetes.io/part-of: keycloak
|
||||
{{- if .Values.commonAnnotations }}
|
||||
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
|
||||
annotations: {{- include "common.tplvalues.render" (dict "value" .Values.commonAnnotations "context" .) | nindent 4 }}
|
||||
{{- end }}
|
||||
data:
|
||||
BITNAMI_DEBUG: {{ ternary "true" "false" .Values.image.debug | quote }}
|
||||
KEYCLOAK_PRODUCTION: {{ ternary "true" "false" .Values.production | quote }}
|
||||
KC_LOG_LEVEL: {{ .Values.logging.level | quote }}
|
||||
KC_LOG_CONSOLE_OUTPUT: {{ .Values.logging.output | quote }}
|
||||
KC_BOOTSTRAP_ADMIN_USERNAME: {{ .Values.auth.adminUser | quote }}
|
||||
KEYCLOAK_HTTP_PORT: {{ .Values.containerPorts.http | quote }}
|
||||
{{- if and .Values.proxy (empty .Values.proxyHeaders) }}
|
||||
KEYCLOAK_PROXY_HEADERS: {{ ternary "" "xforwarded" (eq .Values.proxy "passthrough") | quote }}
|
||||
{{- else }}
|
||||
KEYCLOAK_PROXY_HEADERS: {{ .Values.proxyHeaders | quote }}
|
||||
{{- if .Values.usePasswordFiles }}
|
||||
KC_BOOTSTRAP_ADMIN_PASSWORD_FILE: {{ printf "/opt/bitnami/keycloak/secrets/%s" (include "keycloak.secretKey" .) }}
|
||||
{{- end }}
|
||||
{{- if and .Values.adminIngress.enabled .Values.adminIngress.hostname }}
|
||||
KEYCLOAK_HOSTNAME_ADMIN: |-
|
||||
{{ ternary "https://" "http://" ( or .Values.adminIngress.tls (eq .Values.proxy "edge") (not (empty .Values.proxyHeaders)) ) -}} {{- include "common.tplvalues.render" (dict "value" .Values.adminIngress.hostname "context" $) -}}
|
||||
{{- if eq .Values.adminIngress.controller "default" }}
|
||||
{{- include "common.tplvalues.render" (dict "value" .Values.adminIngress.path "context" $) }}
|
||||
{{- else if eq .Values.adminIngress.controller "gce" }}
|
||||
{{- $path := .Values.adminIngress.path -}}
|
||||
{{- if hasSuffix "*" $path -}}
|
||||
{{- $path = trimSuffix "*" $path -}}
|
||||
{{- end -}}
|
||||
{{- include "common.tplvalues.render" (dict "value" $path "context" $) }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if and .Values.ingress.enabled .Values.ingress.hostname }}
|
||||
KEYCLOAK_HOSTNAME: |-
|
||||
{{ ternary "https://" "http://" ( or .Values.ingress.tls (eq .Values.proxy "edge") (not (empty .Values.proxyHeaders)) ) -}} {{- include "common.tplvalues.render" (dict "value" .Values.ingress.hostname "context" $) -}}
|
||||
{{- if eq .Values.ingress.controller "default" }}
|
||||
{{- include "common.tplvalues.render" (dict "value" .Values.ingress.path "context" $) }}
|
||||
{{- else if eq .Values.ingress.controller "gce" }}
|
||||
{{- $path := .Values.ingress.path -}}
|
||||
{{- if hasSuffix "*" $path -}}
|
||||
{{- $path = trimSuffix "*" $path -}}
|
||||
{{- end -}}
|
||||
{{- include "common.tplvalues.render" (dict "value" $path "context" $) }}
|
||||
{{- end }}
|
||||
KC_HTTP_PORT: {{ .Values.containerPorts.http | quote }}
|
||||
KC_HTTP_MANAGEMENT_PORT: {{ .Values.containerPorts.management | quote }}
|
||||
KC_HTTP_ENABLED: {{ ternary "true" "false" (or .Values.httpEnabled (not .Values.tls.enabled)) | quote }}
|
||||
{{- if .Values.proxyHeaders }}
|
||||
KC_PROXY_HEADERS: {{ .Values.proxyHeaders | quote }}
|
||||
{{- end }}
|
||||
{{- if .Values.ingress.enabled }}
|
||||
KEYCLOAK_HOSTNAME_STRICT: {{ ternary "true" "false" .Values.ingress.hostnameStrict | quote }}
|
||||
KC_HOSTNAME_STRICT: {{ ternary "true" "false" .Values.hostnameStrict | quote }}
|
||||
{{- if .Values.ingress.hostname }}
|
||||
{{- $path := tpl .Values.ingress.path . }}
|
||||
{{- if and (eq .Values.ingress.controller "gce") (hasSuffix "*" $path) }}
|
||||
{{- $path = trimSuffix "*" $path }}
|
||||
{{- end }}
|
||||
KEYCLOAK_ENABLE_STATISTICS: {{ ternary "true" "false" .Values.metrics.enabled | quote }}
|
||||
{{- if not .Values.externalDatabase.existingSecretHostKey }}
|
||||
KEYCLOAK_DATABASE_HOST: {{ include "keycloak.databaseHost" . | quote }}
|
||||
KC_HOSTNAME: {{ printf "%s://%s%s" (ternary "https" "http" (or .Values.ingress.tls (not (empty .Values.proxyHeaders)))) (tpl .Values.ingress.hostname .) $path | quote }}
|
||||
{{- end }}
|
||||
{{- if not .Values.externalDatabase.existingSecretPortKey }}
|
||||
KEYCLOAK_DATABASE_PORT: {{ include "keycloak.databasePort" . }}
|
||||
{{- end }}
|
||||
KC_METRICS_ENABLED: {{ ternary "true" "false" .Values.metrics.enabled | quote }}
|
||||
KC_DB_URL: {{ printf "jdbc:postgresql://%s:%d/%s?currentSchema=%s%s" (include "keycloak.database.host" .) (include "keycloak.database.port" . | int) (include "keycloak.database.name" .) (include "keycloak.database.schema" .) (include "keycloak.database.extraParams" .) | quote }}
|
||||
KC_DB_SCHEMA: {{ include "keycloak.database.schema" . | quote }}
|
||||
{{- if .Values.usePasswordFiles }}
|
||||
KC_DB_PASSWORD_FILE: {{ printf "/opt/bitnami/keycloak/secrets/db-%s" (include "keycloak.database.secretPasswordKey" .) }}
|
||||
{{- if .Values.externalDatabase.existingSecretUserKey }}
|
||||
KC_DB_USERNAME_FILE: {{ printf "/opt/bitnami/keycloak/secrets/db-%s" (include "keycloak.database.secretUserKey" .) }}
|
||||
{{- end }}
|
||||
{{- if not .Values.externalDatabase.existingSecretDatabaseKey }}
|
||||
KEYCLOAK_DATABASE_NAME: {{ include "keycloak.databaseName" . | quote }}
|
||||
{{- end }}
|
||||
{{- if not (and .Values.externalDatabase.existingSecret .Values.externalDatabase.existingSecretUserKey) }}
|
||||
KC_DB_USERNAME: {{ include "keycloak.database.user" . | quote }}
|
||||
{{- end }}
|
||||
KEYCLOAK_DATABASE_SCHEMA: {{ include "keycloak.databaseSchema" . }}
|
||||
{{- if not .Values.externalDatabase.existingSecretUserKey }}
|
||||
KEYCLOAK_DATABASE_USER: {{ include "keycloak.databaseUser" . | quote }}
|
||||
{{- end }}
|
||||
KEYCLOAK_PRODUCTION: {{ ternary "true" "false" .Values.production | quote }}
|
||||
KEYCLOAK_ENABLE_HTTPS: {{ ternary "true" "false" .Values.tls.enabled | quote }}
|
||||
{{- if .Values.customCaExistingSecret }}
|
||||
KC_TRUSTSTORE_PATHS: "/opt/bitnami/keycloak/custom-ca"
|
||||
{{- end }}
|
||||
{{- if .Values.tls.enabled }}
|
||||
KEYCLOAK_HTTPS_PORT: {{ .Values.containerPorts.https | quote }}
|
||||
KEYCLOAK_HTTPS_USE_PEM: {{ ternary "true" "false" (or .Values.tls.usePem .Values.tls.autoGenerated) | quote }}
|
||||
{{- if or .Values.tls.usePem .Values.tls.autoGenerated }}
|
||||
KEYCLOAK_HTTPS_CERTIFICATE_FILE: "/opt/bitnami/keycloak/certs/tls.crt"
|
||||
KEYCLOAK_HTTPS_CERTIFICATE_KEY_FILE: "/opt/bitnami/keycloak/certs/tls.key"
|
||||
{{- if .Values.tls.enabled }}
|
||||
KEYCLOAK_ENABLE_HTTPS: "true"
|
||||
KC_HTTPS_PORT: {{ .Values.containerPorts.https | quote }}
|
||||
{{- if or .Values.tls.usePemCerts .Values.tls.autoGenerated.enabled }}
|
||||
KEYCLOAK_HTTPS_USE_PEM: "true"
|
||||
KC_HTTPS_CERTIFICATE_FILE: {{ printf "/opt/bitnami/keycloak/certs/%s" (ternary "tls.crt" .Values.tls.certFilename .Values.tls.autoGenerated.enabled) | quote }}
|
||||
KC_HTTPS_CERTIFICATE_KEY_FILE: {{ printf "/opt/bitnami/keycloak/certs/%s" (ternary "tls.key" .Values.tls.certKeyFilename .Values.tls.autoGenerated.enabled) | quote }}
|
||||
{{- else }}
|
||||
KEYCLOAK_HTTPS_KEY_STORE_FILE: {{ printf "/opt/bitnami/keycloak/certs/%s" .Values.tls.keystoreFilename | quote }}
|
||||
KEYCLOAK_HTTPS_TRUST_STORE_FILE: {{ printf "/opt/bitnami/keycloak/certs/%s" .Values.tls.truststoreFilename | quote }}
|
||||
KC_HTTPS_KEY_STORE_FILE: {{ printf "/opt/bitnami/keycloak/certs/%s" .Values.tls.keystoreFilename | quote }}
|
||||
KC_HTTPS_TRUST_STORE_FILE: {{ printf "/opt/bitnami/keycloak/certs/%s" .Values.tls.truststoreFilename | quote }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if .Values.trustedCertsExistingSecret }}
|
||||
KC_TRUSTSTORE_PATHS: "/opt/bitnami/keycloak/truststore"
|
||||
{{- end }}
|
||||
{{- if .Values.spi.existingSecret }}
|
||||
{{- if .Values.spi.hostnameVerificationPolicy }}
|
||||
KEYCLOAK_SPI_TRUSTSTORE_FILE_HOSTNAME_VERIFICATION_POLICY: {{ .Values.spi.hostnameVerificationPolicy | quote }}
|
||||
{{- end }}
|
||||
KEYCLOAK_SPI_TRUSTSTORE_FILE: {{ printf "/opt/bitnami/keycloak/spi-certs/%s" .Values.spi.truststoreFilename }}
|
||||
{{- end }}
|
||||
{{- if .Values.cache.enabled }}
|
||||
KC_CACHE_TYPE: "ispn"
|
||||
KC_CACHE: {{ ternary "ispn" "local" .Values.cache.enabled | quote }}
|
||||
{{- if .Values.cache.enabled }}
|
||||
{{- if .Values.cache.stack }}
|
||||
KC_CACHE_STACK: {{ .Values.cache.stack | quote }}
|
||||
{{- end }}
|
||||
{{- if .Values.cache.configFile }}
|
||||
KC_CACHE_CONFIG_FILE: {{ .Values.cache.configFile | quote }}
|
||||
{{- end }}
|
||||
{{- if .Values.cache.useHeadlessServiceWithAppVersion }}
|
||||
JAVA_OPTS_APPEND: {{ printf "-Djgroups.dns.query=%s-headless-ispn-%s.%s.svc.%s" (include "common.names.fullname" .) (replace "." "-" .Chart.AppVersion) (include "common.names.namespace" .) .Values.clusterDomain | quote }}
|
||||
{{- else }}
|
||||
JAVA_OPTS_APPEND: {{ printf "-Djgroups.dns.query=%s-headless.%s.svc.%s" (include "common.names.fullname" .) (include "common.names.namespace" .) .Values.clusterDomain | quote }}
|
||||
JAVA_OPTS_APPEND: {{ printf "-Djgroups.dns.query=%s.%s.svc.%s" (ternary (include "keycloak.headless.ispn.serviceName" .) (include "keycloak.headless.serviceName" .) .Values.cache.useHeadlessServiceWithAppVersion) (include "common.names.namespace" .) .Values.clusterDomain | quote }}
|
||||
{{- end }}
|
||||
KC_HTTP_RELATIVE_PATH: {{ .Values.httpRelativePath | quote }}
|
||||
{{- if .Values.adminRealm }}
|
||||
KC_SPI_ADMIN_REALM: {{ .Values.adminRealm | quote }}
|
||||
{{- end }}
|
||||
{{- else }}
|
||||
KC_CACHE_TYPE: "local"
|
||||
{{- if .Values.extraStartupArgs }}
|
||||
KEYCLOAK_EXTRA_ARGS: {{ .Values.extraStartupArgs | quote }}
|
||||
{{- end }}
|
||||
{{- if .Values.logging }}
|
||||
KEYCLOAK_LOG_OUTPUT: {{ .Values.logging.output | quote }}
|
||||
KEYCLOAK_LOG_LEVEL: {{ .Values.logging.level | quote }}
|
||||
{{- end }}
|
||||
|
||||
|
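Review bot: `KC_HOSTNAME_STRICT` on L181 is driven by `.Values.hostnameStrict`, while the `KEYCLOAK_HOSTNAME_STRICT` line beside it on L178 (which the surrounding KEYCLOAK_→KC_ pairs suggest is the removed side) read `.Values.ingress.hostnameStrict`, so a values file that still sets the old key never reaches this ternary and, depending on how the engine coerces the missing value, strict hostname checking is either silently rendered as `"false"` or the render aborts. Because a Keycloak instance with strict hostname disabled trusts whatever Host header reaches it, a migration guard is preferable to a silent default, e.g. `{{- if hasKey .Values.ingress "hostnameStrict" }}{{- fail "ingress.hostnameStrict was renamed to hostnameStrict" }}{{- end }}` placed before the `data:` block. Similarly, the scheme for `KC_HOSTNAME` on L208 is `https` only when `ingress.tls` or `proxyHeaders` is set, whereas the earlier `KEYCLOAK_HOSTNAME` expression on L127 also honoured `proxy: edge`; if `.Values.proxy` is still a supported setting (L61–L64 reference it) an edge-proxied deployment would advertise an `http://` hostname. The ConfigMap header begins before the hunk (`kind: ConfigMap` is only in the `@@` context) and no `+`/`-` markers survived, so the old/new attribution above is inferred from the key prefixes and should be checked against the raw diff.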