diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..948f187
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
+infrastructure.yaml
+
diff --git a/infrastructure.yaml b/infrastructure.yaml.sample
similarity index 78%
rename from infrastructure.yaml
rename to infrastructure.yaml.sample
index 0500829..d7c3331 100644
--- a/infrastructure.yaml
+++ b/infrastructure.yaml.sample
@@ -17,6 +17,14 @@ spec:
 parameters:
 - name: masterKey
 value: my-secret-value
+ - name: googleClientId
+ value: CHANGEME
+ - name: googleClientSecret
+ value: CHANGEME
+ - name: githubClientId
+ value: CHANGEME
+ - name: githubClientSecret
+ value: CHANGEME
 project: default
 syncPolicy:
 automated:
diff --git a/infrastructure/templates/3scale.yaml b/infrastructure/templates/3scale.yaml
index 6c7b3e0..73971b3 100644
--- a/infrastructure/templates/3scale.yaml
+++ b/infrastructure/templates/3scale.yaml
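Review bot: The four new parameters use the `CHANGEME` placeholder, but the unchanged `masterKey` entry just above them still reads `value: my-secret-value`, and because this file is now the committed `.sample` (the real `infrastructure.yaml` is gitignored in the same commit) that string looks like a working default rather than a placeholder. Every credential in `_helpers.tpl` is derived from `masterKey`, so an operator who copies the sample and only fills in the `CHANGEME` fields ends up with database, admin and client secrets that anyone with read access to this repository can recompute. Make it consistent with the new entries: `- name: masterKey` / `value: CHANGEME`, and add a line above it such as `# masterKey seeds every generated password; use a long random value`.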
@@ -10,12 +10,43 @@ spec:
 name: 3scale-operator
 source: redhat-operators
 sourceNamespace: openshift-marketplace
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  annotations:
+    argocd.argoproj.io/sync-wave: "10"
+  name: system-database
+  namespace: {{ .Values.projectName | quote }}
+stringData:
+  URL: "postgresql://3scale:{{ include "3scale-database-password" . }}@postgresql-server:5432/3scale"
+type: Opaque
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  annotations:
+    argocd.argoproj.io/sync-wave: "10"
+  name: zync
+  namespace: {{ .Values.projectName | quote }}
+stringData:
+  DATABASE_URL: postgresql://zync:{{ include "zync-database-password" . }}@postgresql-server:5432/zync
+  ZYNC_DATABASE_PASSWORD: {{ include "zync-database-password" . | quote }}
+type: Opaque
+
 ---
 apiVersion: apps.3scale.net/v1alpha1
 kind: APIManager
 metadata:
+  annotations:
+    argocd.argoproj.io/sync-wave: "20"
 name: 3scale-install
 namespace: {{ .Values.projectName | quote }}
 spec:
 wildcardDomain: {{ .Values.threescale.wildcardDomain | quote }}
 resourceRequirementsEnabled: true
+  externalComponents:
+    zync:
+      database: true
+    system:
+      database: true
diff --git a/infrastructure/templates/_helpers.tpl b/infrastructure/templates/_helpers.tpl
new file mode 100644
index 0000000..4bab820
--- /dev/null
+++ b/infrastructure/templates/_helpers.tpl
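Review bot: The two new Secrets quote their password-bearing values inconsistently: `URL` in `system-database` is a double-quoted scalar, `DATABASE_URL` in `zync` is a plain scalar, and only `ZYNC_DATABASE_PASSWORD` goes through `| quote`. The helpers currently emit 16 hex characters so all three render correctly today, but a plain scalar is the first thing to break if the derivation ever changes to an alphabet containing characters YAML treats specially; quote it the same way as its sibling: `DATABASE_URL: "postgresql://zync:{{ include "zync-database-password" . }}@postgresql-server:5432/zync"`. Both connection strings also hard-code `postgresql-server:5432`, which is presumably created by `postgresql.yaml` at an earlier sync wave — worth a one-line comment on each Secret stating that dependency, since the APIManager at wave 20 will fail its database check if the ordering assumption is wrong.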
@@ -0,0 +1,34 @@
+{{/* vim: set filetype=mustache: */}}
+
+{{- define "postgresql-admin-password" -}}
+{{- trunc 16 (sha256sum (cat .Values.masterKey "postgresql-admin-password")) -}}
+{{- end -}}
+
+{{- define "sso-admin-password" -}}
+{{- trunc 16 (sha256sum (cat .Values.masterKey "sso-admin-password")) -}}
+{{- end -}}
+
+{{- define "sso-database-password" -}}
+{{- trunc 16 (sha256sum (cat .Values.masterKey "sso-database-password")) -}}
+{{- end -}}
+
+{{- define "apicurio-database-password" -}}
+{{- trunc 16 (sha256sum (cat .Values.masterKey "apicurio-database-password")) -}}
+{{- end -}}
+
+{{- define "microcks-client-secret" -}}
+{{- trunc 16 (sha256sum (cat .Values.masterKey "microcks-client-secret")) -}}
+{{- end -}}
+
+{{- define "3scale-database-password" -}}
+{{- trunc 16 (sha256sum (cat .Values.masterKey "3scale-database-password")) -}}
+{{- end -}}
+
+{{- define "zync-database-password" -}}
+{{- trunc 16 (sha256sum (cat .Values.masterKey "zync-database-password")) -}}
+{{- end -}}
+
+{{- define "zync-client-secret" -}}
+{{- trunc 16 (sha256sum (cat .Values.masterKey "zync-client-secret")) -}}
+{{- end -}}
+
diff --git a/infrastructure/templates/apicurio.yaml b/infrastructure/templates/apicurio.yaml
index f75fa77..20c1904 100644
--- a/infrastructure/templates/apicurio.yaml
+++ b/infrastructure/templates/apicurio.yaml
@@ -19,7 +19,9 @@ spec:
 protocol: TCP
 targetPort: 8080
 selector:
-      app: apicurio-studio-api
+      app.kubernetes.io/name: apicurio
+      app.kubernetes.io/component: apicurio-studio-api
+      app.kubernetes.io/instance: apicurio-studio-api
 sessionAffinity: None
 type: ClusterIP
 ---
@@ -44,7 +46,9 @@ spec:
 protocol: TCP
 targetPort: 8080
 selector:
-      app: apicurio-studio-ws
+      app.kubernetes.io/name: apicurio
+      app.kubernetes.io/component: apicurio-studio-ws
+      app.kubernetes.io/instance: apicurio-studio-ws
 sessionAffinity: None
 type: ClusterIP
 ---
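Review bot: Every helper in `_helpers.tpl` is a deterministic, unsalted `sha256sum` of `masterKey` concatenated with a fixed label and truncated to 16 hex characters, so each secret carries at most 64 bits and the whole set is exactly as strong as `masterKey`: whoever learns `masterKey` can recompute every database, admin and client password, and no single credential can be rotated without rotating all of them. That is a defensible trade-off for an Argo CD-rendered chart where `randAlphaNum` would churn on every sync, but the file says nothing about it; a header comment such as `{{/* Every secret below is derived from .Values.masterKey (sha256, 16 hex chars = 64 bits): keep masterKey long and random, and expect all credentials to rotate together when it changes. */}}` would make the contract explicit. If more entropy per secret is wanted, `trunc 32` keeps the same scheme at 128 bits, at the cost of rotating everything once.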
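Review bot: The Service selectors in the `-19,7`, `-44,7` and `-66,7` hunks of apicurio.yaml switch from the single `app:` label to three `app.kubernetes.io/*` labels, but the Deployments whose pod templates must carry exactly those labels are not in this diff. If the pod templates still only set `app: apicurio-studio-api` (and `-ws`, `-ui`), each of these Services selects no endpoints after sync and the Apicurio UI goes dark; please confirm the matching `template.metadata.labels` landed in the same commit, or add them. A short comment above each selector naming the Deployment it is meant to match, e.g. `# must match the pod template labels of the apicurio-studio-api Deployment`, would keep the two in step next time one side is edited.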
@@ -66,7 +70,9 @@ spec:
 protocol: TCP
 targetPort: 8080
 selector:
-      app: apicurio-studio-ui
+      app.kubernetes.io/name: apicurio
+      app.kubernetes.io/component: apicurio-studio-ui
+      app.kubernetes.io/instance: apicurio-studio-ui
 sessionAffinity: None
 type: ClusterIP
 ---
diff --git a/infrastructure/templates/postgresql.yaml b/infrastructure/templates/postgresql.yaml
index 7f5f4c2..0601a08 100644
--- a/infrastructure/templates/postgresql.yaml
+++ b/infrastructure/templates/postgresql.yaml
@@ -181,7 +181,7 @@ spec:
 imagePullPolicy: Always
 livenessProbe:
 failureThreshold: 3
-          initialDelaySeconds: 90
+          initialDelaySeconds: 30
 periodSeconds: 10
 successThreshold: 1
 tcpSocket:
@@ -201,7 +201,7 @@ spec:
 -c 'SELECT 1'
 failureThreshold: 3
 periodSeconds: 10
-          initialDelaySeconds: 90
+          initialDelaySeconds: 30
 successThreshold: 1
 timeoutSeconds: 10
 resources: {}
diff --git a/infrastructure/templates/project.yaml b/infrastructure/templates/project.yaml
index 7d3b267..7587094 100644
--- a/infrastructure/templates/project.yaml
+++ b/infrastructure/templates/project.yaml
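Review bot: Cutting `initialDelaySeconds` from 90 to 30 on the liveness probe in the `-181,7` hunk (and on the readiness probe in the `-201,7` hunk) leaves only 30 s plus `failureThreshold: 3` × `periodSeconds: 10` before the kubelet kills the container; a first boot that runs initdb on a slow PVC, or a restart that replays WAL, can exceed that and the pod enters a restart loop that never lets initialization finish. The readiness change is harmless, but the liveness probe should be fronted by a `startupProbe` with the same `tcpSocket` check and a generous `failureThreshold`, so liveness is not evaluated until Postgres has actually come up. If 30 s was measured as sufficient on the target cluster, say so in a comment next to the value. The probe's port is outside this hunk, so it is a placeholder below.

```yaml
        startupProbe:
          tcpSocket:
            port: PORT_PLACEHOLDER  # same port as the livenessProbe tcpSocket (not visible in this hunk)
          periodSeconds: 10
          failureThreshold: 30  # up to 5 minutes for initdb / WAL replay before liveness applies
        livenessProbe:
          failureThreshold: 3
          initialDelaySeconds: 30
          # … unchanged: periodSeconds, successThreshold, tcpSocket …
```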
@@ -29,8 +29,11 @@ metadata:
 namespace: {{ .Values.projectName | quote }}
 type: Opaque
 data:
-  postgresql-admin-password: {{ trunc 16 (sha256sum (cat .Values.masterKey "postgresql-admin-password")) | b64enc | quote }}
-  sso-admin-password: {{ trunc 16 (sha256sum (cat .Values.masterKey "sso-admin-password")) | b64enc | quote }}
-  sso-database-password: {{ trunc 16 (sha256sum (cat .Values.masterKey "sso-database-password")) | b64enc | quote }}
-  apicurio-database-password: {{ trunc 16 (sha256sum (cat .Values.masterKey "sso-apicurio-password")) | b64enc | quote }}
-  microcks-client-secret: {{ trunc 16 (sha256sum (cat .Values.masterKey "microcks-client-secret")) | b64enc | quote }}
+  postgresql-admin-password: {{ include "postgresql-admin-password" . | b64enc | quote }}
+  sso-admin-password: {{ include "sso-admin-password" . | b64enc | quote }}
+  sso-database-password: {{ include "sso-database-password" . | b64enc | quote }}
+  apicurio-database-password: {{ include "apicurio-database-password" . | b64enc | quote }}
+  microcks-client-secret: {{ include "microcks-client-secret" . | b64enc | quote }}
+  3scale-database-password: {{ include "3scale-database-password" . | b64enc | quote }}
+  zync-database-password: {{ include "zync-database-password" . | b64enc | quote }}
+  zync-client-secret: {{ include "zync-client-secret" . | b64enc | quote }}
diff --git a/infrastructure/templates/sso.yaml b/infrastructure/templates/sso.yaml
index a04180d..85873eb 100644
--- a/infrastructure/templates/sso.yaml
+++ b/infrastructure/templates/sso.yaml
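Review bot: Moving `apicurio-database-password` onto the shared helper silently changes its value: the removed line hashed the label `sso-apicurio-password`, while the new `_helpers.tpl` definition hashes `apicurio-database-password`, so on an already-running deployment this Secret (referenced as `demo-seed` by the new Job, if I read the keys right) is rewritten with a password that no longer matches the role provisioned in PostgreSQL from the old value. Either keep the old label inside the helper for compatibility, or make the rotation explicit with a comment on this line such as `# derivation label changed from sso-apicurio-password in this commit; existing databases need the apicurio role password reset` and a matching note in the commit message. The consumer of this key is outside the diff, so treat the breakage as likely rather than certain.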
@@ -193,3 +193,298 @@ spec:
 - name: sso-x509-jgroups-volume
 secret:
 secretName: sso-x509-jgroups-secret
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  annotations:
+    argocd.argoproj.io/sync-wave: "30"
+  labels:
+    app.kubernetes.io/name: sso
+    app.kubernetes.io/version: '7.6.0.GA'
+    app.kubernetes.io/component: kcadm
+    app.kubernetes.io/instance: keycloak-config-job
+  name: sso-configuration
+  namespace: {{ .Values.projectName | quote }}
+data:
+  configure-sso.sh: |
+    #!/bin/bash
+
+    set -Eeuo pipefail
+
+    mkdir -p /tmp/bin
+    curl -sLo /tmp/bin/jq https://github.com/stedolan/jq/releases/download/jq-1.6/jq-linux64
+    chmod 755 /tmp/bin/jq
+    export PATH="/tmp/bin:/opt/jboss/keycloak/bin:$PATH"
+
+    echo "========================================================================"
+    echo " Connecting to Red Hat SSO"
+    echo "========================================================================"
+    echo
+
+    while ! curl -sfo /dev/null "https://$SSO_HOSTNAME/auth/realms/master/.well-known/openid-configuration"; do
+      echo "Red Hat SSO not ready..."
+      sleep 5
+    done
+
+    kcadm.sh config credentials --server "https://$SSO_HOSTNAME/auth" --realm master --user "$SSO_ADMIN_USERNAME" --client admin-cli --password "$SSO_ADMIN_PASSWORD"
+
+    echo
+
+    echo "========================================================================"
+    echo " Configuring Microcks"
+    echo "========================================================================"
+    echo
+
+    if ! kcadm.sh get realms/microcks &>/dev/null; then
+      echo "Creating the Microcks realm..."
+ curl -so /tmp/microcks-realm.json https://raw.githubusercontent.com/microcks/microcks/master/install/docker-compose/keycloak-realm/microcks-realm-sample.json + kcadm.sh create realms -f /tmp/microcks-realm.json + fi + + export CLIENT_ID="$(kcadm.sh get clients -r microcks -q clientId=microcks-app-js|jq -r '.[0].id')" + echo "client microcks-app-js has id $CLIENT_ID" + kcadm.sh update "clients/$CLIENT_ID" -r microcks -s "redirectUris=[\"https://$MICROCKS_HOSTNAME/*\"]" + + if ! kcadm.sh get identity-provider/instances -r microcks | jq -r .[].alias | grep -qx google; then + kcadm.sh create identity-provider/instances -r microcks -f - </dev/null; then + echo "Creating the Apicurio realm..." + curl -so /tmp/apicurio-realm-template.json https://raw.githubusercontent.com/Apicurio/apicurio-studio/master/distro/openshift/auth/realm.json + sed "s|APICURIO_UI_URL|https://$APICURIO_UI_HOSTNAME|g" /tmp/apicurio-realm-template.json > /tmp/apicurio-realm.json + kcadm.sh create realms -f /tmp/apicurio-realm.json + fi + + if ! kcadm.sh get identity-provider/instances -r apicurio | jq -r .[].alias | grep -qx google; then + kcadm.sh create identity-provider/instances -r apicurio -f - </dev/null; then + echo "Creating the 3scale realm..." 
+      kcadm.sh create realms -s realm=3scale -s enabled=true
+      kcadm.sh create clients -r 3scale -s 'clientId=zync' -s 'standardFlowEnabled=false' -s 'directAccessGrantsEnabled=false' -s 'serviceAccountsEnabled=true' -s 'clientAuthenticatorType=client-secret' -s "secret=$ZYNC_CLIENT_SECRET"
+      ZYNC_CLIENT_ID="$(kcadm.sh get clients -r 3scale -q clientId=zync |jq -r '.[0].id')"
+      RM_CLIENT_ID="$(kcadm.sh get clients -r 3scale -q clientId=realm-management |jq -r '.[0].id')"
+      ZYNC_USER_ID="$(kcadm.sh get clients/$ZYNC_CLIENT_ID/service-account-user -r 3scale |jq -r '.id')"
+      kcadm.sh get "clients/$RM_CLIENT_ID/roles" -q name=manage-clients -r 3scale |jq -r '[ .[] | select(.name == "manage-clients") ]' | kcadm.sh create "users/$ZYNC_USER_ID/role-mappings/clients/$RM_CLIENT_ID" -r 3scale -f -
+      fi
+
+ exit 0
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  annotations:
+    argocd.argoproj.io/sync-wave: "30"
+  labels:
+    app.kubernetes.io/name: sso
+    app.kubernetes.io/version: '7.6.0.GA'
+    app.kubernetes.io/component: kcadm
+    app.kubernetes.io/instance: keycloak-config-job
+  name: sso-configuration
+  namespace: {{ .Values.projectName | quote }}
+type: Opaque
+data:
+  googleClientId: {{ .Values.googleClientId | b64enc | quote }}
+  googleClientSecret: {{ .Values.googleClientSecret | b64enc | quote }}
+  githubClientId: {{ .Values.githubClientId | b64enc | quote }}
+  githubClientSecret: {{ .Values.githubClientSecret | b64enc | quote }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  annotations:
+    argocd.argoproj.io/sync-wave: "30"
+  labels:
+    app.kubernetes.io/name: sso
+    app.kubernetes.io/version: '7.6.0.GA'
+    app.kubernetes.io/component: kcadm
+    app.kubernetes.io/instance: keycloak-config-job
+  name: sso-configuration
+  namespace: {{ .Values.projectName | quote }}
+spec:
+  backoffLimit: 30
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: sso
+        app.kubernetes.io/version: '7.6.0.GA'
+        app.kubernetes.io/component: kcadm
+        app.kubernetes.io/instance: keycloak-config-job
+    spec:
+      containers:
+        - name: kcadm
+          command:
+            - /entrypoint/configure-sso.sh
+          args: []
+          image: quay.io/keycloak/keycloak:18.0.2-legacy
+          imagePullPolicy: IfNotPresent
+          env:
+            - name: SSO_HOSTNAME
+              value: {{ .Values.sso.hostname | quote }}
+            - name: MICROCKS_HOSTNAME
+              value: {{ .Values.microcks.hostname | quote }}
+            - name: APICURIO_UI_HOSTNAME
+              value: {{ .Values.apicurio.uiHostname | quote }}
+            - name: SSO_ADMIN_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: demo-seed
+                  key: sso-admin-password
+            - name: SSO_ADMIN_USERNAME
+              value: admin
+            - name: GOOGLE_CLIENT_ID
+              valueFrom:
+                secretKeyRef:
+                  name: sso-configuration
+                  key: googleClientId
+            - name: GOOGLE_CLIENT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: sso-configuration
+                  key: googleClientSecret
+            - name: GITHUB_CLIENT_ID
+              valueFrom:
+                secretKeyRef:
+                  name: sso-configuration
+                  key: githubClientId
+            - name: GITHUB_CLIENT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: sso-configuration
+                  key: githubClientSecret
+            - name: ZYNC_CLIENT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: demo-seed
+                  key: zync-client-secret
+            - name: MICROCKS_CLIENT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: demo-seed
+                  key: zync-client-secret
+            - name: USER
+              value: kcadm
+            - name: HOME
+              value: /tmp
+          volumeMounts:
+            - mountPath: /entrypoint
+              name: sso-configuration-script
+              readOnly: true
+      restartPolicy: OnFailure
+      terminationGracePeriodSeconds: 30
+      volumes:
+        - name: sso-configuration-script
+          configMap:
+            name: sso-configuration
+            defaultMode: 0755
diff --git a/openshift-gitops.yaml b/openshift-gitops.yaml
index 8716207..2111853 100644
--- a/openshift-gitops.yaml
+++ b/openshift-gitops.yaml
@@ -6,6 +6,9 @@ rules:
 - apiGroups: [""]
 resources: ["secrets","services","pvc"]
 verbs: ["*"]
+- apiGroups: ["apps"]
+ resources: ["statefulsets","deployments"]
+ verbs: ["*"]
 - apiGroups: ["project.openshift.io"]
 resources: ["projects"]
 verbs: ["*"]
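Review bot: In the Job's env block near the end of the hunk, `MICROCKS_CLIENT_SECRET` is wired to `key: zync-client-secret` rather than `key: microcks-client-secret`, which `project.yaml` defines in the same commit; it reads as a copy-paste of the `ZYNC_CLIENT_SECRET` entry directly above it, and means the Microcks client gets Zync's secret — change it to `key: microcks-client-secret`. Separately, `configure-sso.sh` downloads the `jq` binary and both realm JSON files from GitHub at run time with no integrity check, and the realm files are fetched from `master` rather than a tag or commit, so any upstream change or compromise alters what is imported into Keycloak under admin credentials; pin the realm URLs to a commit and verify `jq` with `sha256sum -c` against a digest recorded in the ConfigMap, or bake both into the image. The realm downloads also use `curl -so` without `-f`, so an HTTP error body would be handed to `kcadm.sh create realms`; use `curl -sfo` as the readiness loop already does. Note that the identity-provider heredoc sections of the script appear to have been lost in rendering, so that part of the hunk was not reviewed.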
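Review bot: The new `apps` rule in the `-6,6` hunk, and the `microcks.github.io` and `apps.3scale.net` rules in the `-27,6` hunk on the following line, grant `verbs: ["*"]`; that matches the style of the existing rules but is broader than a GitOps controller needs, and the explicit set `["get","list","watch","create","update","patch","delete"]` documents intent and does not silently pick up `deletecollection` or verbs added later. While in this file, the adjacent context line `resources: ["secrets","services","pvc"]` lists `pvc`, which is a kubectl short name rather than an API resource name, so that entry most likely grants nothing and `persistentvolumeclaims` is what was intended — hedged, since only this fragment of the ClusterRole is visible.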
@@ -27,6 +30,12 @@ rules:
 - apiGroups: ["keycloak.org"]
 resources: ["keycloaks"]
 verbs: ["*"]
+- apiGroups: ["microcks.github.io"]
+ resources: ["microcksinstalls"]
+ verbs: ["*"]
+- apiGroups: ["apps.3scale.net"]
+ resources: ["apimanagers"]
+ verbs: ["*"]
 ---
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1