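# Red Hat SSO (Keycloak) for the demo: two Services, an OpenShift Route and a
# Deployment at Argo CD sync-wave 10, followed at sync-wave 30 by a ConfigMap
# holding a kcadm.sh script, a Secret with the IdP client credentials, and the
# Job that runs the script against the deployed SSO instance.
---
apiVersion: v1
kind: Service
metadata:
  annotations:
    argocd.argoproj.io/sync-wave: "10"
    # OpenShift issues the serving certificate into this Secret; the Deployment
    # mounts it under /etc/x509/https.
    service.alpha.openshift.io/serving-cert-secret-name: sso-x509-https-secret
  labels:
    app.kubernetes.io/name: sso
    app.kubernetes.io/version: '7.6.0.GA'
    app.kubernetes.io/component: keycloak
    app.kubernetes.io/instance: keycloak
  name: sso
  namespace: {{ .Values.projectName | quote }}
spec:
  ports:
    - port: 8443
      targetPort: 8443
  selector:
    app.kubernetes.io/name: sso
    app.kubernetes.io/component: keycloak
    app.kubernetes.io/instance: keycloak
---
# Headless service used by JGroups DNS_PING for cluster discovery.
apiVersion: v1
kind: Service
metadata:
  annotations:
    argocd.argoproj.io/sync-wave: "10"
    service.alpha.openshift.io/serving-cert-secret-name: sso-x509-jgroups-secret
  labels:
    app.kubernetes.io/name: sso
    app.kubernetes.io/version: '7.6.0.GA'
    app.kubernetes.io/component: keycloak
    app.kubernetes.io/instance: keycloak
  name: sso-ping
  namespace: {{ .Values.projectName | quote }}
spec:
  clusterIP: None
  ports:
    - name: ping
      port: 8888
  # Pods must be discoverable before they pass readiness, otherwise the first
  # member can never find its peers.
  publishNotReadyAddresses: true
  selector:
    app.kubernetes.io/name: sso
    app.kubernetes.io/component: keycloak
    app.kubernetes.io/instance: keycloak
---
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  annotations:
    argocd.argoproj.io/sync-wave: "10"
  labels:
    app.kubernetes.io/name: sso
    app.kubernetes.io/version: '7.6.0.GA'
    app.kubernetes.io/component: keycloak
    app.kubernetes.io/instance: keycloak
  name: sso
  namespace: {{ .Values.projectName | quote }}
spec:
  host: {{ .Values.sso.hostname | quote }}
  tls:
    # Re-encrypt: the router terminates the edge TLS and re-encrypts to the
    # pod's serving certificate on 8443.
    termination: reencrypt
  to:
    kind: Service
    name: sso
---
apiVersion: apps/v1
kind: Deployment
metadata:
  annotations:
    argocd.argoproj.io/sync-wave: "10"
  labels:
    app.kubernetes.io/name: sso
    app.kubernetes.io/version: '7.6.0.GA'
    app.kubernetes.io/component: keycloak
    app.kubernetes.io/instance: keycloak
  name: sso
  namespace: {{ .Values.projectName | quote }}
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: sso
      app.kubernetes.io/component: keycloak
      app.kubernetes.io/instance: keycloak
  template:
    metadata:
      labels:
        app.kubernetes.io/name: sso
        app.kubernetes.io/component: keycloak
        app.kubernetes.io/instance: keycloak
    spec:
      containers:
        - env:
            - name: SSO_HOSTNAME
              value: {{ .Values.sso.hostname | quote }}
            - name: DB_SERVICE_PREFIX_MAPPING
              value: sso-postgresql=DB
            - name: SSO_POSTGRESQL_SERVICE_HOST
              value: postgresql-server
            - name: SSO_POSTGRESQL_SERVICE_PORT
              value: "5432"
            - name: DB_JNDI
              value: java:jboss/datasources/KeycloakDS
            - name: DB_USERNAME
              value: sso
            - name: DB_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: demo-seed
                  key: sso-database-password
            - name: DB_DATABASE
              value: sso
            - name: TX_DATABASE_PREFIX_MAPPING
              value: sso-postgresql=DB
            # The next three are intentionally unset (empty string) so the image
            # falls back to its defaults.
            - name: DB_MIN_POOL_SIZE
            - name: DB_MAX_POOL_SIZE
            - name: DB_TX_ISOLATION
            - name: JGROUPS_PING_PROTOCOL
              value: openshift.DNS_PING
            - name: OPENSHIFT_DNS_PING_SERVICE_NAME
              value: sso-ping
            - name: OPENSHIFT_DNS_PING_SERVICE_PORT
              value: "8888"
            - name: X509_CA_BUNDLE
              value: /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
            # NOTE(review): the JGroups cluster password is a literal in a
            # manifest committed to VCS and is visible to anyone who can read
            # the Deployment. It should live in a Secret (e.g. alongside the
            # other demo-seed entries) and be injected with secretKeyRef; the
            # Secret key is not defined on this page, so it is left in place
            # here rather than pointed at an invented key.
            - name: JGROUPS_CLUSTER_PASSWORD
              value: djqqleTNBaVqjl3nsA5Ku3LNCGYSAiB5
            - name: SSO_ADMIN_USERNAME
              value: admin
            - name: SSO_ADMIN_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: demo-seed
                  key: sso-admin-password
            # Left empty: no realm or service account is pre-provisioned by the
            # image; the configuration Job below creates realms via kcadm.sh.
            - name: SSO_REALM
            - name: SSO_SERVICE_USERNAME
            - name: SSO_SERVICE_PASSWORD
          image: registry.redhat.io/rh-sso-7/sso76-openshift-rhel8:7.6
          imagePullPolicy: Always
          livenessProbe:
            failureThreshold: 3
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 1
            exec:
              command:
                - /bin/bash
                - -c
                - /opt/eap/bin/livenessProbe.sh
            initialDelaySeconds: 60
          name: sso
          ports:
            - containerPort: 8778
              name: jolokia
              protocol: TCP
            - containerPort: 8080
              name: http
              protocol: TCP
            - containerPort: 8443
              name: https
              protocol: TCP
            - containerPort: 8888
              name: ping
              protocol: TCP
          readinessProbe:
            failureThreshold: 3
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 1
            exec:
              command:
                - /bin/bash
                - -c
                - /opt/eap/bin/readinessProbe.sh
          resources:
            # Only a limit is set; with no request the scheduler treats the pod
            # as best-effort for memory until a request is added.
            limits:
              memory: 1Gi
          terminationMessagePath: /dev/termination-log
          terminationMessagePolicy: File
          volumeMounts:
            - mountPath: /etc/x509/https
              name: sso-x509-https-volume
              readOnly: true
            - mountPath: /etc/x509/jgroups
              name: sso-x509-jgroups-volume
              readOnly: true
      terminationGracePeriodSeconds: 30
      volumes:
        - name: sso-x509-https-volume
          secret:
            secretName: sso-x509-https-secret
        - name: sso-x509-jgroups-volume
          secret:
            secretName: sso-x509-jgroups-secret
---
# Script executed by the sso-configuration Job (mounted at /entrypoint).
# It waits for SSO, logs in as the master-realm admin, then creates/updates the
# microcks, apicurio and 3scale realms.
apiVersion: v1
kind: ConfigMap
metadata:
  annotations:
    argocd.argoproj.io/sync-wave: "30"
  labels:
    app.kubernetes.io/name: sso
    app.kubernetes.io/version: '7.6.0.GA'
    app.kubernetes.io/component: kcadm
    app.kubernetes.io/instance: keycloak-config-job
  name: sso-configuration
  namespace: {{ .Values.projectName | quote }}
data:
  configure-sso.sh: |
    #!/bin/bash
    set -Eeuo pipefail

    # NOTE(review): jq and the realm templates below are fetched at run time
    # from upstream repositories ("master" branches, no checksum). Pin them to
    # a release tag or commit and verify a checksum (or bake them into the
    # image) so a compromised or changed upstream cannot alter what this Job
    # provisions. "--fail" is used so an HTTP error aborts the script under
    # set -e instead of writing an error page to the target file.
    mkdir -p /tmp/bin
    curl -sfLo /tmp/bin/jq https://github.com/stedolan/jq/releases/download/jq-1.6/jq-linux64
    chmod 755 /tmp/bin/jq
    export PATH="/tmp/bin:/opt/jboss/keycloak/bin:$PATH"

    echo "========================================================================"
    echo " Connecting to Red Hat SSO"
    echo "========================================================================"
    echo
    # Poll until the OIDC discovery document is served; there is no upper
    # bound here, so the Job relies on backoffLimit/operator intervention if
    # SSO never comes up.
    while ! curl -sfo /dev/null "https://$SSO_HOSTNAME/auth/realms/master/.well-known/openid-configuration"; do
      echo "Red Hat SSO not ready..."
      sleep 5
    done
    kcadm.sh config credentials --server "https://$SSO_HOSTNAME/auth" --realm master --user "$SSO_ADMIN_USERNAME" --client admin-cli --password "$SSO_ADMIN_PASSWORD"

    echo
    echo "========================================================================"
    echo " Configuring Microcks"
    echo "========================================================================"
    echo
    if ! kcadm.sh get realms/microcks &>/dev/null; then
      echo "Creating the Microcks realm..."
      curl -sfo /tmp/microcks-realm.json https://raw.githubusercontent.com/microcks/microcks/master/install/docker-compose/keycloak-realm/microcks-realm-sample.json
      kcadm.sh create realms -f /tmp/microcks-realm.json
    fi
    export CLIENT_ID="$(kcadm.sh get clients -r microcks -q clientId=microcks-app-js|jq -r '.[0].id')"
    echo "client microcks-app-js has id $CLIENT_ID"
    kcadm.sh update "clients/$CLIENT_ID" -r microcks -s "redirectUris=[\"https://$MICROCKS_HOSTNAME/*\"]"
    if ! kcadm.sh get identity-provider/instances -r microcks | jq -r .[].alias | grep -qx google; then
      # NOTE(review): the here-document that originally followed "-f -" on the
      # next line (presumably the Google identity-provider definition using
      # GOOGLE_CLIENT_ID/GOOGLE_CLIENT_SECRET), the closing "fi", the
      # "Configuring Apicurio" banner and the opening of the
      # "if ! kcadm.sh get realms/apicurio &" check were lost when this file was
      # extracted. The line below is therefore not runnable as shown; restore it
      # from the original source.
      kcadm.sh create identity-provider/instances -r microcks -f - </dev/null; then
      echo "Creating the Apicurio realm..."
      curl -sfo /tmp/apicurio-realm-template.json https://raw.githubusercontent.com/Apicurio/apicurio-studio/master/distro/openshift/auth/realm.json
      sed "s|APICURIO_UI_URL|https://$APICURIO_UI_HOSTNAME|g" /tmp/apicurio-realm-template.json > /tmp/apicurio-realm.json
      kcadm.sh create realms -f /tmp/apicurio-realm.json
    fi
    if ! kcadm.sh get identity-provider/instances -r apicurio | jq -r .[].alias | grep -qx google; then
      # NOTE(review): same extraction loss as above — the here-document body,
      # the closing "fi" and the opening of the "realms/3scale" existence check
      # are missing between "-f -" and "/dev/null; then".
      kcadm.sh create identity-provider/instances -r apicurio -f - </dev/null; then
      echo "Creating the 3scale realm..."
      kcadm.sh create realms -s realm=3scale -s enabled=true
      # zync is a confidential service-account client; the secret comes from
      # the demo-seed Secret via ZYNC_CLIENT_SECRET.
      kcadm.sh create clients -r 3scale -s 'clientId=zync' -s 'standardFlowEnabled=false' -s 'directAccessGrantsEnabled=false' -s 'serviceAccountsEnabled=true' -s 'clientAuthenticatorType=client-secret' -s "secret=$ZYNC_CLIENT_SECRET"
      ZYNC_CLIENT_ID="$(kcadm.sh get clients -r 3scale -q clientId=zync |jq -r '.[0].id')"
      RM_CLIENT_ID="$(kcadm.sh get clients -r 3scale -q clientId=realm-management |jq -r '.[0].id')"
      ZYNC_USER_ID="$(kcadm.sh get "clients/$ZYNC_CLIENT_ID/service-account-user" -r 3scale |jq -r '.id')"
      # Grant zync's service account only the realm-management "manage-clients"
      # role, the minimum it needs to register 3scale clients.
      kcadm.sh get "clients/$RM_CLIENT_ID/roles" -q name=manage-clients -r 3scale |jq -r '[ .[] | select(.name == "manage-clients") ]' | kcadm.sh create "users/$ZYNC_USER_ID/role-mappings/clients/$RM_CLIENT_ID" -r 3scale -f -
    fi
    exit 0
---
# IdP client credentials consumed by the configuration Job. The values come
# from the chart values; keep them out of a committed values file (use a
# secret store or an external values source) so they are not persisted in VCS.
apiVersion: v1
kind: Secret
metadata:
  annotations:
    argocd.argoproj.io/sync-wave: "30"
  labels:
    app.kubernetes.io/name: sso
    app.kubernetes.io/version: '7.6.0.GA'
    app.kubernetes.io/component: kcadm
    app.kubernetes.io/instance: keycloak-config-job
  name: sso-configuration
  namespace: {{ .Values.projectName | quote }}
type: Opaque
data:
  googleClientId: {{ .Values.googleClientId | b64enc | quote }}
  googleClientSecret: {{ .Values.googleClientSecret | b64enc | quote }}
  githubClientId: {{ .Values.githubClientId | b64enc | quote }}
  githubClientSecret: {{ .Values.githubClientSecret | b64enc | quote }}
---
apiVersion: batch/v1
kind: Job
metadata:
  annotations:
    argocd.argoproj.io/sync-wave: "30"
  labels:
    app.kubernetes.io/name: sso
    app.kubernetes.io/version: '7.6.0.GA'
    app.kubernetes.io/component: kcadm
    app.kubernetes.io/instance: keycloak-config-job
  name: sso-configuration
  namespace: {{ .Values.projectName | quote }}
spec:
  backoffLimit: 30
  template:
    metadata:
      labels:
        app.kubernetes.io/name: sso
        app.kubernetes.io/version: '7.6.0.GA'
        app.kubernetes.io/component: kcadm
        app.kubernetes.io/instance: keycloak-config-job
    spec:
      containers:
        - name: kcadm
          command:
            - /entrypoint/configure-sso.sh
          args: []
          # Legacy (WildFly) distribution: provides /opt/jboss/keycloak/bin/kcadm.sh.
          image: quay.io/keycloak/keycloak:18.0.2-legacy
          imagePullPolicy: IfNotPresent
          env:
            - name: SSO_HOSTNAME
              value: {{ .Values.sso.hostname | quote }}
            - name: MICROCKS_HOSTNAME
              value: {{ .Values.microcks.hostname | quote }}
            - name: APICURIO_UI_HOSTNAME
              value: {{ .Values.apicurio.uiHostname | quote }}
            - name: SSO_ADMIN_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: demo-seed
                  key: sso-admin-password
            - name: SSO_ADMIN_USERNAME
              value: admin
            - name: GOOGLE_CLIENT_ID
              valueFrom:
                secretKeyRef:
                  name: sso-configuration
                  key: googleClientId
            - name: GOOGLE_CLIENT_SECRET
              valueFrom:
                secretKeyRef:
                  name: sso-configuration
                  key: googleClientSecret
            - name: GITHUB_CLIENT_ID
              valueFrom:
                secretKeyRef:
                  name: sso-configuration
                  key: githubClientId
            - name: GITHUB_CLIENT_SECRET
              valueFrom:
                secretKeyRef:
                  name: sso-configuration
                  key: githubClientSecret
            - name: ZYNC_CLIENT_SECRET
              valueFrom:
                secretKeyRef:
                  name: demo-seed
                  key: zync-client-secret
            # NOTE(review): MICROCKS_CLIENT_SECRET reads the same demo-seed key
            # as ZYNC_CLIENT_SECRET, so two unrelated clients would share one
            # secret. This looks like a copy/paste slip — confirm the intended
            # key against the demo-seed Secret; it is left unchanged here
            # because the correct key name is not visible in this file.
            - name: MICROCKS_CLIENT_SECRET
              valueFrom:
                secretKeyRef:
                  name: demo-seed
                  key: zync-client-secret
            - name: USER
              value: kcadm
            - name: HOME
              value: /tmp
          volumeMounts:
            - mountPath: /entrypoint
              name: sso-configuration-script
              readOnly: true
      restartPolicy: OnFailure
      terminationGracePeriodSeconds: 30
      volumes:
        - name: sso-configuration-script
          configMap:
            name: sso-configuration
            # Executable bit is required because the script is used as the
            # container command.
            defaultMode: 0755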