marko/HelmChartSammlung
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
20977bbc8664ba449f0b6f16a6fa69d1f2f363a1
HelmChartSammlung/charts/keycloak/templates/_helpers.tpl
Marko Oldenburg ba8d52be03 Add support for automated TLS certificates in Keycloak 
This update introduces significant enhancements to the Keycloak chart,
particularly regarding TLS certificate management. The changes include:

- Added the capability to automatically generate and manage TLS certificates
  using Cert-Manager or Helm, improving the security posture by using
  self-signed certificates in development scenarios.
- Implemented a dedicated ConfigMap to hold keycloak-config-cli
  configurations and ensured that it is integrated with the job for
  configuration synchronization.
- Enhanced the handling of admin ingress settings and TLS secrets,
  facilitating smoother access and management for multi-host deployments.
- Refactored and reorganized sections to improve readability and maintainability
  of templates, ensuring adherence to best practices in Helm charts.

These improvements aim to streamline deployment, enhance security features,
and simplify the management of certificates, facilitating easier
Kubernetes operations for users.
2025-08-31 09:40:48 +02:00

278 lines
9.1 KiB
Smarty
Raw Blame History

{{/*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{/*
Return the proper Keycloak image name
*/}}
{{- define "keycloak.image" -}}
{{ include "common.images.image" (dict "imageRoot" .Values.image "global" .Values.global) }}
{{- end -}}
{{/*
Return the proper keycloak-config-cli image name
*/}}
{{- define "keycloak.keycloakConfigCli.image" -}}
{{ include "common.images.image" (dict "imageRoot" .Values.keycloakConfigCli.image "global" .Values.global) }}
{{- end -}}
{{/*
Return the proper Docker Image Registry Secret Names
*/}}
{{- define "keycloak.imagePullSecrets" -}}
{{- include "common.images.renderPullSecrets" (dict "images" (list .Values.image .Values.keycloakConfigCli.image) "context" .) -}}
{{- end -}}
{{/*
Create a default fully qualified postgresql name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
*/}}
{{- define "keycloak.postgresql.fullname" -}}
{{- include "common.names.dependency.fullname" (dict "chartName" "postgresql" "chartValues" .Values.postgresql "context" .) -}}
{{- end -}}
{{/*
Create a default fully qualified headless service name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
*/}}
{{- define "keycloak.headless.serviceName" -}}
{{- printf "%s-headless" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified headless service name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
*/}}
{{- define "keycloak.headless.ispn.serviceName" -}}
{{- printf "%s-headless-ispn-%s" (include "common.names.fullname" .) (replace "." "-" .Chart.AppVersion) | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create the name of the service account to use
*/}}
{{- define "keycloak.serviceAccountName" -}}
{{- if .Values.serviceAccount.create -}}
{{ default (include "common.names.fullname" .) .Values.serviceAccount.name }}
{{- else -}}
{{ default "default" .Values.serviceAccount.name }}
{{- end -}}
{{- end -}}
{{/*
Return the Keycloak configuration ConfigMap name.
*/}}
{{- define "keycloak.configmapName" -}}
{{- if .Values.existingConfigmap -}}
{{- tpl .Values.existingConfigmap . -}}
{{- else -}}
{{- printf "%s-configuration" (include "common.names.fullname" .) -}}
{{- end -}}
{{- end -}}
{{/*
Return the secret containing the Keycloak admin password
*/}}
{{- define "keycloak.secretName" -}}
{{- if .Values.auth.existingSecret -}}
{{- tpl .Values.auth.existingSecret . -}}
{{- else -}}
{{- include "common.names.fullname" . -}}
{{- end -}}
{{- end -}}
{{/*
Return the secret key that contains the Keycloak admin password
*/}}
{{- define "keycloak.secretKey" -}}
{{- if and .Values.auth.existingSecret .Values.auth.passwordSecretKey -}}
{{- tpl .Values.auth.passwordSecretKey . -}}
{{- else -}}
{{- print "admin-password" -}}
{{- end -}}
{{- end -}}
{{/*
Return the keycloak-config-cli configuration ConfigMap name.
*/}}
{{- define "keycloak.keycloakConfigCli.configmapName" -}}
{{- if .Values.keycloakConfigCli.existingConfigmap -}}
{{- tpl .Values.keycloakConfigCli.existingConfigmap . -}}
{{- else -}}
{{- printf "%s-keycloak-config-cli-configmap" (include "common.names.fullname" .) -}}
{{- end -}}
{{- end -}}
{{/*
Return the Database hostname
*/}}
{{- define "keycloak.database.host" -}}
{{- if .Values.postgresql.enabled -}}
{{- include "keycloak.postgresql.fullname" . -}}{{- if eq .Values.postgresql.architecture "replication" }}-primary{{- end -}}
{{- else -}}
{{- tpl .Values.externalDatabase.host . -}}
{{- end -}}
{{- end -}}
{{/*
Return the Database port
*/}}
{{- define "keycloak.database.port" -}}
{{- ternary "5432" .Values.externalDatabase.port .Values.postgresql.enabled -}}
{{- end -}}
{{/*
Return the Database database name
*/}}
{{- define "keycloak.database.name" -}}
{{- if .Values.postgresql.enabled }}
{{- coalesce (((.Values.global).postgresql).auth).database .Values.postgresql.auth.database "postgres" -}}
{{- else -}}
{{- tpl .Values.externalDatabase.database . -}}
{{- end -}}
{{- end -}}
{{/*
Return the Database user
*/}}
{{- define "keycloak.database.user" -}}
{{- if .Values.postgresql.enabled -}}
{{- coalesce (((.Values.global).postgresql).auth).username .Values.postgresql.auth.username | default "" -}}
{{- else -}}
{{- tpl .Values.externalDatabase.user . -}}
{{- end -}}
{{- end -}}
{{/*
Return the Database schema
*/}}
{{- define "keycloak.database.schema" -}}
{{- ternary "public" .Values.externalDatabase.schema .Values.postgresql.enabled -}}
{{- end -}}
{{/*
Return extra connection parameters for the Database DSN
*/}}
{{- define "keycloak.database.extraParams" -}}
{{- if .Values.externalDatabase.extraParams -}}
{{- printf "&%s" (tpl .Values.externalDatabase.extraParams .) -}}
{{- end -}}
{{- end -}}
{{/*
Return the Database secret name
*/}}
{{- define "keycloak.database.secretName" -}}
{{- if .Values.postgresql.enabled -}}
{{- if not (empty (coalesce (((.Values.global).postgresql).auth).existingSecret .Values.postgresql.auth.existingSecret | default "")) -}}
{{- tpl (coalesce (((.Values.global).postgresql).auth).existingSecret .Values.postgresql.auth.existingSecret) . -}}
{{- else -}}
{{- include "keycloak.postgresql.fullname" . -}}
{{- end -}}
{{- else if not (empty .Values.externalDatabase.existingSecret) -}}
{{- tpl .Values.externalDatabase.existingSecret . -}}
{{- else -}}
{{- printf "%s-externaldb" (include "common.names.fullname" .) -}}
{{- end -}}
{{- end -}}
{{/*
Return the Database secret key that contains the database user
*/}}
{{- define "keycloak.database.secretUserKey" -}}
{{- default "db-user" .Values.externalDatabase.existingSecretUserKey -}}
{{- end -}}
{{/*
Return the Database secret key that contains the database password
*/}}
{{- define "keycloak.database.secretPasswordKey" -}}
{{- if .Values.postgresql.enabled -}}
{{- default "password" .Values.postgresql.auth.secretKeys.userPasswordKey -}}
{{- else if .Values.externalDatabase.existingSecret -}}
{{- default "db-password" .Values.externalDatabase.existingSecretPasswordKey -}}
{{- else -}}
{{- print "db-password" -}}
{{- end -}}
{{- end -}}
{{/*
Return the Keycloak initdb scripts ConfigMap name.
*/}}
{{- define "keycloak.initdbScripts.configmapName" -}}
{{- if .Values.initdbScriptsConfigMap -}}
{{- tpl .Values.initdbScriptsConfigMap . -}}
{{- else -}}
{{- printf "%s-init-scripts" (include "common.names.fullname" .) -}}
{{- end -}}
{{- end -}}
{{/*
Return the secret containing Keycloak HTTPS/TLS certificates
*/}}
{{- define "keycloak.tls.secretName" -}}
{{- if .Values.tls.existingSecret -}}
{{- tpl .Values.tls.existingSecret . -}}
{{- else -}}
{{- printf "%s-crt" (include "common.names.fullname" .) -}}
{{- end -}}
{{- end -}}
{{/*
Return the secret containing Keycloak HTTPS/TLS keystore and truststore passwords
*/}}
{{- define "keycloak.tls.passwordsSecretName" -}}
{{- if .Values.tls.passwordsSecret -}}
{{- tpl .Values.tls.passwordsSecret . -}}
{{- else -}}
{{- printf "%s-tls-passwords" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{/*
Compile all warnings into a single message.
*/}}
{{- define "keycloak.validateValues" -}}
{{- $messages := list -}}
{{- $messages := append $messages (include "keycloak.validateValues.database" .) -}}
{{- $messages := append $messages (include "keycloak.validateValues.tls" .) -}}
{{- $messages := append $messages (include "keycloak.validateValues.production" .) -}}
{{- $messages := without $messages "" -}}
{{- $message := join "\n" $messages -}}
{{- if $message -}}
{{- printf "\nVALUES VALIDATION:\n%s" $message | fail -}}
{{- end -}}
{{- end -}}
{{/* Validate values of Keycloak - database */}}
{{- define "keycloak.validateValues.database" -}}
{{- if and (not .Values.postgresql.enabled) (not .Values.externalDatabase.host) -}}
keycloak: database
You disabled the PostgreSQL sub-chart but did not specify an external PostgreSQL host.
Either deploy the PostgreSQL sub-chart (--set postgresql.enabled=true),
or set a value for the external database host (--set externalDatabase.host=FOO)
and set a value for the external database password (--set externalDatabase.password=BAR)
or existing secret (--set externalDatabase.existingSecret=BAR).
{{- end -}}
{{- end -}}
{{/* Validate values of Keycloak - TLS enabled */}}
{{- define "keycloak.validateValues.tls" -}}
{{- if and .Values.tls.enabled (not .Values.tls.autoGenerated.enabled) (not .Values.tls.existingSecret) }}
keycloak: tls.enabled
In order to enable TLS, you need to provide a secret with the TLS
certificates (--set tls.existingSecret=FOO) or enable auto-generated
TLS certificates (--set tls.autoGenerated.enabled=true).
{{- end -}}
{{- end -}}
{{/* Validate values of Keycloak - Production mode enabled */}}
{{- define "keycloak.validateValues.production" -}}
{{- if and .Values.production (not .Values.tls.enabled) (empty .Values.proxyHeaders) -}}
keycloak: production
In order to enable Production mode, you also need to enable
HTTPS/TLS (--set tls.enabled=true) or use proxy headers (--set proxyHeaders=FOO).
{{- end -}}
{{- end -}}
Reference in New Issue View Git Blame Copy Permalink