fix(ingress): Fix ingress issue & add support of PVC

yyvess · Jan 31, 2024 · ddbc1ce · ddbc1ce
1 parent 1aa7545
commit ddbc1ce
Show file tree

Hide file tree

Showing 24 changed files with 757 additions and 47 deletions.
diff --git a/samples/ha/postgres-istio-values.cue b/samples/ha/postgres-istio-values.cue
@@ -47,7 +47,7 @@ values: {
 		password: {value: "FIXME-USE-SECRET"}
 	}
 	database: {
-		type: {value: "postgres"}
+		type: "postgres"
 		url: {value: "jdbc:postgresql://keycloak.postgres.svc.cluster.local/keycloakdb?sslmode=require"}
 		username: {
 			valueFrom: {

diff --git a/samples/minimum/ingress-pvc-values.cue b/samples/minimum/ingress-pvc-values.cue
@@ -0,0 +1,76 @@
+//
+// Keycloak deployment minimum requirdement
+//
+// ! Not for prodution usage, Keycloak configuration is store on an empty directory
+//
+
+@if(!debug)
+
+package main
+
+// Defaults
+values: {
+
+	#hostname: "keycloak.kube-playground.tolron.fr"
+
+	pvcCreate: true
+	pvc: {
+		size:             "100M"
+		storageClassName: "sc-kube-playground"
+	}
+
+	httpPort: 80
+	service: port: 80
+
+	resources: {
+		limits: {
+			cpu:    "1000m"
+			memory: "768Mi"
+		}
+	}
+
+	securityContext: {
+		runAsUser:    0
+		runAsGroup:   0
+		runAsNonRoot: false
+		capabilities:
+		{
+			add: ["NET_BIND_SERVICE"]
+			drop: ["ALL"]
+		}
+	}
+
+	ingress: {
+		ingressClassName: "ing-kube-playground"
+		tls: [{
+			hosts: [#hostname]
+			secretName: "cert-kubeplayground"
+		},
+		]
+		rules: [{
+			host: #hostname
+			http: {
+				paths: [{
+					pathType: "Prefix"
+					path:     "/"
+					backend: {
+						service: {
+							name: "keycloak-web"
+							port: {
+								number: 80
+							}
+						}}
+				}]
+			}}]
+	}
+
+	admin: {
+		password: {value: "admin"}
+	}
+
+	extraEnvs: [
+		{name: "KC_HOSTNAME_STRICT", value: "false"},
+		{name: "KC_PROXY", value:    "edge"},
+	]
+
+}
diff --git a/templates/config.cue b/templates/config.cue
@@ -89,6 +89,12 @@ import (
 		port:         *[if https {8443}, {8080}][0] | int & >0 & <=65535
 	}
 
+	// Pod ports
+	httpPort?: int & >0 & <=65535
+	if (service.https) {
+		httpsPort?: int & >0 & <=65535
+	}
+
 	// Pod optional settings.
 	podAnnotations?: {[string]: string}
 	podSecurityContext?: corev1.#PodSecurityContext
@@ -107,33 +113,51 @@ import (
 
 	// Issuer used to generate certificate & jks
 	issuerCreate: *false | bool
-	issuer: issuerv1.#IssuerSpec | *{
-		selfSigned: {}
+	if (issuerCreate) {
+		issuer: issuerv1.#IssuerSpec | *{
+			selfSigned: {}
+		}
 	}
 
 	certificateCreate: *false | bool
-	// Web certificate
-	certificate: certv1.#CertificateSpec & {
-		dnsNames: *["localhost:\( service.port )"] | [...string]
-		issuerRef: name: *"\(metadata.name)" | string
-		secretName: "\(metadata.name)-cert"
+	if (certificateCreate) {
+		// Web certificate
+		certificate: certv1.#CertificateSpec & {
+			dnsNames: *["localhost:\( service.port )"] | [...string]
+			issuerRef: name: *"\(metadata.name)" | string
+			secretName: "\(metadata.name)-cert"
+		}
 	}
 
 	jksCreate: *false | bool
-	// Requird to securize Jgroup
-	jks: certv1.#CertificateSpec & {
-		commonName: *"infinispan-jks" | string
-		issuerRef: name: *"\(metadata.name)" | string
-		secretName: "\(metadata.name)-jks"
+	if (jksCreate) {
+		// Requird to securize Jgroup
+		jks: certv1.#CertificateSpec & {
+			commonName: *"infinispan-jks" | string
+			issuerRef: name: *"\(metadata.name)" | string
+			secretName: "\(metadata.name)-jks"
+		}
 	}
 
 	pdbCreate: bool | *(replicas > 1)
-	pdb: policyv1.#PodDisruptionBudgetSpec & {
-		minAvailable: *1 | int & >0 & <=65535
+	if (pdbCreate) {
+		pdb: policyv1.#PodDisruptionBudgetSpec & {
+			minAvailable: *1 | int & >0 & <=65535
+		}
 	}
 
 	networkPolicyCreate: *false | bool
-	networkPolicyRules: [... netv1.#NetworkPolicyIngressRule]
+	if (networkPolicyCreate) {
+		networkPolicyRules: [... netv1.#NetworkPolicyIngressRule]
+	}
+
+	pvcCreate: [if replicas > 1 {false}, bool | *false][0]
+	if (pvcCreate) {
+		pvc: {
+			storageClassName: string
+			size:             string | *"5Gi"
+		}
+	}
 
 	virtualService?: vsv1beta1.#VirtualServiceSpec
 
@@ -149,11 +173,11 @@ import (
 	}
 
 	database: {
-		[if replicas > 1 {
-			type: {value: "postgres" | "mariadb" | "mssql" | "mysql" | "oracle"} & {valueFrom?: corev1.#EnvVarSource}
-		}, {
-			type?: *{value: *"dev-file" | "dev-mem" | "postgres" | "mariadb" | "mssql" | "mysql" | "oracle"} | {valueFrom?: corev1.#EnvVarSource}
-		}][0]
+		type: [if replicas > 1 {
+			"postgres" | "mariadb" | "mssql" | "mysql" | "oracle"
+		},
+			*"dev-file" | "dev-mem" | "postgres" | "mariadb" | "mssql" | "mysql" | "oracle",
+		][0]
 		url?: *{value?: string} | corev1.#EnvVarSource
 		username?: *{value?: string} | {valueFrom?: corev1.#EnvVarSource}
 		password?: *{value?: string} | {valueFrom?: corev1.#EnvVarSource}

diff --git a/templates/deployment.cue b/templates/deployment.cue
@@ -30,6 +30,11 @@ import (
 	spec: appsv1.#DeploymentSpec & {
 		replicas: #config.replicas
 		selector: matchLabels: #config.selector.labels
+		if #config.pvcCreate != _|_ {
+			strategy: {
+				type: "Recreate"
+			}
+		}
 		template: {
 			metadata: {
 				labels: #config.selector.labels
@@ -68,19 +73,28 @@ import (
 									{name: "KC_HTTPS_CERTIFICATE_FILE", value:     "/certs/tls.crt"},
 									{name: "KC_HTTPS_CERTIFICATE_KEY_FILE", value: "/certs/tls.key"}]},
 								[]][0] +
+							[if #config.database.type != _|_ {
+								{name: "KC_DB", value: #config.database.type}
+							}] +
+							[if #config.httpPort != _|_ {
+								{name: "KC_HTTP_PORT", value: "\(#config.httpPort)"}
+							}] +
+							[if #config.service.https && #config.httpsPort != _|_ {
+								{name: "KC_HTTPS_PORT", value: "\(#config.httpsPort)"}
+							}] +
 							[for x in #envs {x}] +
 							[for x in #config.extraEnvs {x}]
 
 						ports: [
 							{
 								name:          "http"
-								containerPort: *#config.envs.KC_HTTP_PORT | 8080
+								containerPort: *#config.httpPort | 8080
 								protocol:      "TCP"
 							},
 							if #config.service.https {
 								{
 									name:          "https"
-									containerPort: *#config.envs.KC_HTTPS_PORT | 8443
+									containerPort: *#config.httpsPort | 8443
 									protocol:      "TCP"
 								}
 							},
@@ -130,6 +144,10 @@ import (
 							}
 						}
 						volumeMounts: [
+								{
+									name:      "tmp"
+									mountPath: "/tmp"
+								},
 							if #highAvailability {
 								{
 									name:      "cache"
@@ -151,12 +169,24 @@ import (
 									readOnly:  true
 								}
 							},
+							if #config.pvcCreate {
+								{
+									name:      "data"
+									mountPath: "/opt/keycloak/data/h2"
+								}
+							},
 						]
 						resources:       #config.resources
 						securityContext: #config.securityContext
 					},
 				]
 				volumes: [
+					{
+						name: "tmp"
+						emptyDir: {
+							sizeLimit: "128Mi"
+						}
+					},
 					if #certSecretName != _|_ {
 						{
 							name: "certs"
@@ -185,6 +215,14 @@ import (
 							}
 						}
 					},
+					if #config.pvcCreate {
+						{
+							name: "data"
+							persistentVolumeClaim: {
+								claimName: #config.metadata.name
+							}
+						}
+					},
 				]
 				if #config.podSecurityContext != _|_ {
 					securityContext: #config.podSecurityContext

diff --git a/templates/instance.cue b/templates/instance.cue
@@ -43,14 +43,20 @@ package templates
 			}
 		}
 
+		if config.pvcCreate {
+			pvc: #PersistentVolumeClaim & {
+				#config:           config
+			}
+		}
+
 		if config.virtualService != _|_ {
 			virtualService: #VirtualService & {
 				#config: config
 			}
 		}
 
 		if config.ingress != _|_ {
-			virtualService: #Ingress & {
+			ingress: #Ingress & {
 				#config: config
 			}
 		}
@@ -68,9 +74,6 @@ package templates
 			#envs: [
 				{name: "KEYCLOAK_ADMIN"} & config.admin.user,
 				{name: "KEYCLOAK_ADMIN_PASSWORD"} & config.admin.password,
-				if config.database.type != _|_ {
-					{name: "KC_DB"} & config.database.type
-				},
 				if config.database.url != _|_ {
 					{name: "KC_DB_URL"} & config.database.url
 				},

diff --git a/templates/pvc.cue b/templates/pvc.cue
@@ -0,0 +1,23 @@
+package templates
+
+import (
+	corev1 "k8s.io/api/core/v1"
+)
+
+#PersistentVolumeClaim: corev1.#PersistentVolumeClaim & {
+	#config:    #Config
+	apiVersion: "v1"
+	kind:       "PersistentVolumeClaim"
+
+	metadata: #config.metadata
+	spec: {
+		volumeMode: "Filesystem"
+		accessModes: ["ReadWriteOnce"]
+		storageClassName: #config.pvc.storageClassName
+		resources: {
+			requests: {
+				storage: #config.pvc.size
+			}
+		}
+	}
+}
diff --git a/test/certificate-values.cue b/test/certificate-values.cue
@@ -36,7 +36,7 @@ values: {
 	}
 
 	database: {
-		type: {value: "postgres"}
+		type: "postgres"
 		url: {value: "jdbc:postgresql://localhost/keycloak"}
 		username: {value: "keycloak"}
 		password: {

diff --git a/test/certificate.yaml b/test/certificate.yaml
@@ -290,6 +290,8 @@ spec:
   selector:
     matchLabels:
       app.kubernetes.io/name: keycloak
+  strategy:
+    type: Recreate
   template:
     metadata:
       labels:
@@ -316,12 +318,12 @@ spec:
           value: /certs/tls.crt
         - name: KC_HTTPS_CERTIFICATE_KEY_FILE
           value: /certs/tls.key
+        - name: KC_DB
+          value: postgres
         - name: KEYCLOAK_ADMIN
           value: admin
         - name: KEYCLOAK_ADMIN_PASSWORD
           value: admin
-        - name: KC_DB
-          value: postgres
         - name: KC_DB_URL
           value: jdbc:postgresql://localhost/keycloak
         - name: KC_DB_USERNAME
@@ -385,6 +387,8 @@ spec:
           initialDelaySeconds: 30
           periodSeconds: 15
         volumeMounts:
+        - mountPath: /tmp
+          name: tmp
         - mountPath: /opt/keycloak/conf
           name: cache
           readOnly: true
@@ -396,6 +400,9 @@ spec:
           readOnly: true
       serviceAccountName: default
       volumes:
+      - emptyDir:
+          sizeLimit: 128Mi
+        name: tmp
       - name: certs
         secret:
           secretName: keycloak-cert