- mariadb: manifest was not synced by ArgoCD, as entry for securityContext was wrong
- authentication: wrong keycloak-config-cli version and implementation
- so: added annotation for ArgoCD in job
Issue-ID: OOM-3330
Change-Id: I6f573defe2f44b625027325f318e63fca1846e3c
Signed-off-by: Andreas Geissler <andreas-geissler@telekom.de>
# limitations under the License.
# ============LICENSE_END=========================================================
apiVersion: v2
-version: 15.0.0
+version: 15.0.1
description: ONAP Realm creation, Oauth2Proxy installation and configuration
name: authentication
sources:
- https://github.com/adorsys/keycloak-config-cli
-# Keycloakx chart version: 1.6.0
dependencies:
- name: common
version: ~13.x-0
version: ~13.x-0
repository: '@local'
- name: onap-keycloak-config-cli
- version: 6.1.6
+ version: 6.2.1
repository: 'file://components/keycloak-config-cli'
- name: onap-oauth2-proxy
version: 7.8.0
accessTokenLifespan: - (optional) Access Tolek Lifespan (default: 1900)
registrationAllowed: - (optional) Enable/disable the registration page (default: false)
resetPasswordAllowed: - (optional) Show a link on login page for user to click when they have forgotten their credentials (default: true)
+ passwordPolicy: - (optional) Set Password policies, e.g.
+ "length(8) and specialChars(1) and upperCase(1) and lowerCase(1) and digits(1) and notUsername(undefined)
+ and notEmail(undefined) and notContainsUsername(undefined) and passwordHistory(3)"
sslRequired: - (optional) Is HTTPS required? ('None'|'External'|'All requests' (default: "external")
themes: - (optional) Keycloak Theme settings
login: <login theme> - (optional) Keycloak Theme for Login UI (e.g. "base")
name: onap-keycloak-config-cli
description: Import JSON-formatted configuration files into Keycloak - Configuration as Code for Keycloak.
home: https://github.com/adorsys/keycloak-config-cli
-version: 6.1.6
-appVersion: 6.1.6
+version: 6.2.1
+appVersion: 6.2.1
maintainers:
- name: jkroepke
email: joe@adorsys.de
imagePullPolicy: {{ .Values.image.pullPolicy }}
{{- with .Values.resources }}
resources:
- {{- toYaml . | nindent 10 }}
+ {{- toYaml . | nindent 12 }}
{{- end }}
env:
{{- range $name, $value := .Values.env }}
secretKeyRef:
name: "{{ tpl .Values.existingSecret . }}"
key: "{{ .Values.existingSecretKey }}"
- {{- end }}
- {{- with .Values.securityContext }}
+ {{- end }}
+ {{- if .Values.existingSecrets }}
+ {{- range .Values.existingSecrets }}
+ - name: {{ .envVar }}
+ valueFrom:
+ secretKeyRef:
+ name: {{ .name }}
+ key: {{ .key }}
+ {{- end }}
+ {{- end }}
+ {{- with .Values.containerSecurityContext }}
securityContext:
- {{- toYaml . | nindent 10 }}
+ {{- toYaml . | nindent 12 }}
{{- end }}
volumeMounts:
- name: config
{{- with .Values.extraVolumeMounts }}
{{- tpl . $ | nindent 12 }}
{{- end }}
- {{ include "common.waitForJobContainer" . | indent 8 | trim }}
volumes:
- name: config
secret:
{{- with .Values.securityContext }}
securityContext:
{{- toYaml . | nindent 8 }}
- {{- end }}
+ {{- end }}
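Review bot: The container-level block now reads `.Values.containerSecurityContext`, and because it sits inside `with`, a values file that does not define that key renders the container with no securityContext at all. The values hunk shown on this page adds `existingSecrets` but no `containerSecurityContext` default, so unless it is set elsewhere the job silently loses its container hardening. A default block in the component's values.yaml, for example with `allowPrivilegeEscalation: false` and `readOnlyRootFilesystem: true`, would close that gap. Separately, the new `existingSecrets` entries are emitted unquoted while the `existingSecret` lines just above them are quoted; `name: {{ .name | quote }}` and `key: {{ .key | quote }}` keep numeric- or boolean-looking values from being retyped. The template starts and ends outside the lines shown.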
## Extra Annotations to be added to pod
podAnnotations: {}
+# New section for existing secrets
+existingSecrets:
+# - name: my-existing-secret
+# key: my-secret-key
+# envVar: MY_ENV_VAR
config: {}
# <realm name>:
# Add additional volumes mounts, e. g. for custom secrets
extraVolumeMounts: ""
-
-wait_for_job_container:
- containers:
- - 'keycloak-config-cli'
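Review bot: `existingSecrets:` with no value parses as null rather than an empty list, and the comment above it does not say what an entry must contain. Writing `existingSecrets: []` makes the type explicit, and the comment could read `# List of {name, key, envVar}: exposes key <key> of Secret <name> as env var <envVar> in the job container`. It would also help to say how this differs from the singular `existingSecret`/`existingSecretKey` that the job template already reads, since the names are easy to confuse.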
imageRegistry: docker.io
imagePullSecrets:
- '{{ include "common.names.namespace" . }}-docker-registry-key'
+
+ # Workaround to avoid redis restarts with ArgoCD
+ redis:
+ password: "32ugd3783rhfjdhow"
# *************************************************
## Override the deployment namespace
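Review bot: The added `password:` under `redis:` commits a fixed credential to the chart, so every installation that keeps the default shares the same Redis password and anyone who can read the repository knows it. The comment gives the motive as avoiding Redis restarts under ArgoCD, presumably because a generated value changes on every render. The same stability can be had by pointing the chart at a pre-created Secret or by requiring the value as a deploy-time override. If the literal has to stay, the comment should say so explicitly, e.g. `# Placeholder only: override per deployment`. Indentation is lost on this page, so the exact nesting of `redis:` cannot be checked here.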
{{- $realm := (required "'realm' param, set to the specific service, is required." .realm) -}}
realm: {{ $realm.name }}
{{ if $realm.displayName }}displayName: {{ $realm.displayName }}{{ end }}
-id: {{ $realm.name }}
accessTokenLifespan: {{ default "1900" $realm.accessTokenLifespan }}
registrationAllowed: {{ default false $realm.registrationAllowed }}
resetPasswordAllowed: {{ default true $realm.resetPasswordAllowed }}
+{{ if $realm.passwordPolicy }}passwordPolicy: {{ $realm.passwordPolicy }}{{ end }}
sslRequired: {{ default "external" $realm.sslRequired }}
enabled: true
{{ if $realm.themes }}
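Review bot: The new `passwordPolicy` line interpolates the value unquoted, so a policy string containing `: `, ` #` or a leading YAML indicator would either break the rendered realm file or be cut short at the comment marker, which silently weakens the policy. `passwordPolicy: {{ $realm.passwordPolicy | quote }}` keeps any policy expression a single string. The neighbouring lines are also unquoted, but they carry short scalars rather than free-form expressions. The realm definition continues past the end of this hunk.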
metadata:
name: keycloak-config-cli-config-realms
namespace: {{ include "common.namespace" . }}
- labels:
- app: {{ include "common.name" . }}
- chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- release: {{ include "common.release" . }}
- heritage: {{ .Release.Service }}
+ labels: {{- include "common.labels" . | nindent 4 }}
data:
{{- $dot := . }}
{{- range $realm := .Values.realmSettings }}
# "edge" is the latest build release and need to be replaced with a new version
# compatible with keycloak 26.x.y
tag: edge
- #tag: "6.1.6-25.0.1"
+ tag: "6.2.1-26.0.5"
pullSecrets:
- name: onap-docker-registry-key
+
+ annotations:
+ # This is what defines this resource as a hook. Without this line, the
+ # job is considered part of the release.
+ argocd.argoproj.io/hook: Sync
+ argocd.argoproj.io/hook-delete-policy: BeforeHookCreation
+ helm.sh/hook: post-install,pre-upgrade,pre-rollback
+ helm.sh/hook-weight: "1"
+ helm.sh/hook-delete-policy: before-hook-creation
+
#existingSecret: "keycloak-keycloakx-admin-creds"
env:
# internal KC URL plus relative path
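Review bot: As shown here, `tag: edge` is unchanged context and `tag: "6.2.1-26.0.5"` is added beside it, which leaves two `tag` keys in the same mapping if both sit at the same level (indentation is not preserved on this page). Many YAML loaders silently keep the last key and others reject the document, so the pinned version would only take effect by accident of ordering. Dropping the floating `edge` line, together with the two comment lines that describe it, leaves a single pinned tag and removes the stale note about replacing `edge`.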
authDelegatorRoleName: {{ $dbinst }}-auth
gracefulShutdownTimeout: 5s
securityContext:
- readOnlyFileSystem: true
+ readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
capabilities:
drop:
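Review bot: With the key corrected to `readOnlyRootFilesystem`, the read-only root filesystem is presumably enforced for the first time, since the previous spelling is not a securityContext field. Nothing in this hunk shows writable volumes for paths the database container writes at runtime (temporary files, sockets, PID files), so it is worth confirming those are backed by a volume or `emptyDir` before this rolls out. A short comment next to the setting, such as `# root FS is read-only; writable paths must be mounted volumes`, would record the constraint. The securityContext block continues outside the hunk.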
release: {{ include "common.release" . }}
heritage: {{ .Release.Service }}
annotations:
- "helm.sh/hook": pre-upgrade,pre-install
- "helm.sh/hook-weight": "1"
- "helm.sh/hook-delete-policy": before-hook-creation
+ argocd.argoproj.io/hook: Sync
+ argocd.argoproj.io/hook-delete-policy: BeforeHookCreation
+ helm.sh/hook: post-install,pre-upgrade,post-rollback
+ helm.sh/hook-weight: "1"
+ helm.sh/hook-delete-policy: before-hook-creation
spec:
backoffLimit: 20
template:
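Review bot: The hook list moves this job from `pre-install` to `post-install` and adds `post-rollback`, but no comment records why, and the job annotations added earlier in this commit use `pre-rollback` instead. If the job prepares something that other resources of the release need at startup, running it after install changes the ordering, so the reason deserves a line such as `# post-install: job depends on resources created by this release`. If the difference in rollback phase between the two jobs is not intentional, align them. The Job spec continues outside the hunk.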