From 1efb642cb574d32d6d96457aff9cf59e6aa612e6 Mon Sep 17 00:00:00 2001
From: Willy Kloucek <34452982+wkloucek@users.noreply.github.com>
Date: Thu, 15 Feb 2024 13:32:46 +0100
Subject: [PATCH] keycloak deployment example revamp (#487)

* keycloak deployment example revamp
* remove duplicated descriptions from values.yaml
---
 .../charts/keycloak-k8s-resources | 2 +-
 .../charts/keycloak/000-db-secret.yaml | 8 --
 .../charts/keycloak/001-keycloak.yaml | 25 ++++++-
 .../charts/postgresql/postgresql.yaml | 20 +++++
 .../external-user-management/helmfile.yaml | 73 ++++++++-----
 5 files changed, 72 insertions(+), 56 deletions(-)
 delete mode 100644 deployments/external-user-management/charts/keycloak/000-db-secret.yaml
 create mode 100644 deployments/external-user-management/charts/postgresql/postgresql.yaml
diff --git a/deployments/external-user-management/charts/keycloak-k8s-resources b/deployments/external-user-management/charts/keycloak-k8s-resources
index d8c24e8d3..7a37ca9ae 160000
--- a/deployments/external-user-management/charts/keycloak-k8s-resources
+++ b/deployments/external-user-management/charts/keycloak-k8s-resources
@@ -1 +1 @@
-Subproject commit d8c24e8d37dc80692040006e312a9eea2b07d008
+Subproject commit 7a37ca9ae920b6b196054d8b8bfa8fbcc95df8d0
diff --git a/deployments/external-user-management/charts/keycloak/000-db-secret.yaml b/deployments/external-user-management/charts/keycloak/000-db-secret.yaml
deleted file mode 100644
index 238272c4e..000000000
--- a/deployments/external-user-management/charts/keycloak/000-db-secret.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-apiVersion: v1
-data:
- password: a2V5Y2xvYWs=
- username: a2V5Y2xvYWs=
-kind: Secret
-metadata:
- creationTimestamp: null
- name: keycloak-db-secret
diff --git a/deployments/external-user-management/charts/keycloak/001-keycloak.yaml b/deployments/external-user-management/charts/keycloak/001-keycloak.yaml
index 55e138959..1ae81f2bc 100644
--- a/deployments/external-user-management/charts/keycloak/001-keycloak.yaml
+++ b/deployments/external-user-management/charts/keycloak/001-keycloak.yaml
@@ -3,17 +3,34 @@ kind: Keycloak
 metadata:
 name: ocis-keycloak
 spec:
- instances: 1
+ instances: 3
 db:
 vendor: postgres
- host: postgres-postgresql.postgres.svc.cluster.local
+ host: postgres-pooler
 usernameSecret:
- name: keycloak-db-secret
+ name: keycloak.postgres.credentials.postgresql.acid.zalan.do
 key: username
 passwordSecret:
- name: keycloak-db-secret
+ name: keycloak.postgres.credentials.postgresql.acid.zalan.do
 key: password
+ poolInitialSize: 100
+ poolMinSize: 100
+ poolMaxSize: 100
 http:
 tlsSecret: keycloak-tls-secret
 hostname:
 hostname: keycloak.kube.owncloud.test
+ unsupported:
+ podTemplate:
+ spec:
+ containers:
+ - name: keycloak
+ env:
+ - name: JAVA_OPTS_APPEND
+ value: -Xms2g -Xmx3g -Djgroups.thread_dumps_threshold=1
+ # Load shedding, see https://www.keycloak.org/high-availability/deploy-keycloak-kubernetes
+ - name: QUARKUS_THREAD_POOL_QUEUE_SIZE
+ value: "1000"
+ # Sum of JGroups threads should not exceed 200 (default) for all pods https://www.keycloak.org/high-availability/concepts-threads#_jgroups_connection_pool
+ - name: QUARKUS_THREAD_POOL_MAX_THREADS
+ value: "66"
diff --git a/deployments/external-user-management/charts/postgresql/postgresql.yaml b/deployments/external-user-management/charts/postgresql/postgresql.yaml
new file mode 100644
index 000000000..f33ff232e
--- /dev/null
+++ b/deployments/external-user-management/charts/postgresql/postgresql.yaml
@@ -0,0 +1,20 @@
+apiVersion: "acid.zalan.do/v1"
+kind: postgresql
+metadata:
+ name: "postgres"
+spec:
+ teamId: "postgres"
+ volume:
+ size: "10Gi"
+ numberOfInstances: 3
+ users:
+ "keycloak":
+ - superuser
+ - createdb
+ databases:
+ "keycloak": "keycloak"
+ postgresql:
+ version: "15"
+ parameters:
+ max_connections: "330"
+ enableConnectionPooler: true
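Review bot: The added `JAVA_OPTS_APPEND` line pins the JVM heap at `-Xms2g -Xmx3g`, but the hunk sets no memory or CPU requests/limits for the keycloak container, so the scheduler does not know that each of the three pods needs more than 3 GiB and a pod can be placed on a node where it is OOM-killed during startup. Consider adding a `resources` stanza next to the env entries in the same `podTemplate` container (e.g. `requests.memory: <size-placeholder>`, sized for heap plus off-heap overhead), or the Keycloak CR's own `resources` field if the operator version bumped by this commit supports it. The `poolInitialSize`/`poolMinSize`/`poolMaxSize: 100` triple opens 100 database connections per pod eagerly, i.e. 300 with `instances: 3`; a comment such as `# 3 pods x 100 = 300 connections; must stay within connection_pooler_max_db_connections in helmfile.yaml` would keep that coupling visible. Since `spec.unsupported.podTemplate` is, as the key says, outside the operator's supported API, that is worth a one-line comment for readers copying this example.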
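Review bot: The `users` entry grants the `keycloak` role both `superuser` and `createdb`, which is far more privilege than the application needs: the `databases` line below already maps the `keycloak` database to the `keycloak` role as its owner, so Keycloak can create and migrate its own schema without any cluster-wide flags. With the flags as written, a compromised Keycloak pod or a leaked credentials secret yields a Postgres superuser on the whole cluster. Suggest `"keycloak": []` in place of the two flag lines, leaving the `databases` entry unchanged. A short comment on `max_connections: "330"` explaining the headroom over the pooler's 300 backend connections configured in helmfile.yaml would also help whoever tunes this later.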
diff --git a/deployments/external-user-management/helmfile.yaml b/deployments/external-user-management/helmfile.yaml
index 735e7180d..cc3990612 100644
--- a/deployments/external-user-management/helmfile.yaml
+++ b/deployments/external-user-management/helmfile.yaml
@@ -1,25 +1,37 @@
 repositories:
 - name: openldap
 url: https://jp-gouin.github.io/helm-openldap/
- - name: bitnami
- url: https://charts.bitnami.com/bitnami
+ - name: postgres-operator
+ url: https://opensource.zalando.com/postgres-operator/charts/postgres-operator
 releases:
- - name: postgres
- namespace: postgres
- chart: bitnami/postgresql
- version: 12.4.2
+ - name: postgres-operator
+ namespace: postgres-operator
+ chart: postgres-operator/postgres-operator
+ version: 1.9.0
 values:
- - auth:
- postgrePassword: postgres
- username: "keycloak"
- password: "keycloak"
- database: "keycloak"
- - architecture: standalone
- - primary:
- persistence:
- enabled: true
- size: 8Gi
+ - configConnectionPooler:
+ connection_pooler_max_db_connections: 300
+ connection_pooler_number_of_instances: 3
+ connection_pooler_mode: "session"
+
+ - name: postgres
+ chart: ./charts/postgresql
+ namespace: keycloak
+ needs:
+ - postgres-operator/postgres-operator
+
+ - name: keycloak-operator
+ chart: ./charts/keycloak-k8s-resources/kubernetes
+ namespace: keycloak
+
+ - name: keycloak
+ chart: ./charts/keycloak
+ namespace: keycloak
+ needs:
+ - keycloak/keycloak-operator
+ - keycloak/postgres
+
 - name: openldap
 namespace: openldap
 chart: openldap/openldap-stack-ha
@@ -31,7 +43,7 @@ releases:
 enabled: true
 - global:
 ldapDomain: "owncloud.com"
- adminPassword: admin # or existingSecret
+ adminPassword: admin
 configPassword: config
 - customLdifFiles:
 10_owncloud_root.ldif: |-
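Review bot: The new `configConnectionPooler` block hard-codes `connection_pooler_max_db_connections: 300` and `connection_pooler_mode: "session"` without saying why, although both values are tied to settings in other files of this change (three Keycloak pods with a fixed pool of 100 each in `charts/keycloak/001-keycloak.yaml`, and `max_connections: "330"` in `charts/postgresql/postgresql.yaml`). In session mode every client connection holds a backend connection for its lifetime, so the pooler cannot multiplex those 300 and a change on either side silently breaks the other. A comment above the block such as `# session mode: 3 keycloak pods x poolMaxSize 100 = 300 backend connections; keep in sync with charts/keycloak/001-keycloak.yaml and postgresql max_connections` would document the dependency. If `session` was chosen because Keycloak's JDBC pool relies on per-connection state, that reason is worth stating as well.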
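Review bot: The replacement `adminPassword: admin` line keeps a plain-text LDAP admin password in the committed helmfile while dropping the `# or existingSecret` hint that was the only pointer to the chart's secret-reference alternative; `configPassword: config` on the next line has the same issue. Because this directory is an example that gets copied, consider restoring the pointer as a comment, e.g. `adminPassword: admin  # example only; use existingSecret outside of demos`, so readers are not steered into committing credentials.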
@@ -316,15 +328,7 @@ releases:
 AUXILIARY MAY ( ownCloudUUID $ ocEducationClassType $ ocEducationExternalId $ ocMemberOfSchool $ ocEducationTeacherMember ) )
- - name: keycloak-operator
- chart: ./charts/keycloak-k8s-resources/kubernetes
- namespace: keycloak
- - name: keycloak
- chart: ./charts/keycloak
- namespace: keycloak
- needs:
- - keycloak-operator
- - postgres/postgres
+
 - name: ocis
 chart: ../../charts/ocis
 namespace: ocis
@@ -344,28 +348,12 @@ releases:
 ldapSecretRef: ldap-bind-secrets # we provide the ldap bind password of the ldap server in the extraResources section as secret
 - features:
 externalUserManagement:
- # -- Enables external user management (and disables internal user management).
- # Needs an external OpenID Connect Identity Provider and an external LDAP server.
 enabled: true
- # -- UUID of the inital admin user.
- # If the given value matches a user's value from `features.externalUserManagement.oidc.userIDClaim`, the admin role will be assigned.
- # Consider that the UUID can be encoded in some LDAP deployment configurations like in .ldif files. These need to be decoded beforehand.
- # Note: Enabling `roleAssignment` will disable `adminUUID`.
 adminUUID: "ddc2004c-0977-11eb-9d3f-a793888cd0f8"
- # OpenID Connect Identity provider related settings.
 oidc:
- # -- Issuer URI of the OpenID Connect Identity Provider.
- # If the IDP doesn't have valid / trusted SSL certificates, certificate validation can be disabled with the `insecure.oidcIdpInsecure` option.
 issuerURI: https://keycloak.kube.owncloud.test/realms/oCIS
-
- # -- Specify the client ID which the web frontend will use
 webClientID: web
- # -- Claim to take an unique user identifier from. It will be used to look up the user on the LDAP server.
 userIDClaim: ocis.user.uuid
- # -- Attribute mapping of for the userIDClaim.
- # Set to `userid` if the claim specified in `...oidc.userIDClaim` holds the value of the ldap user attribute specified in `...ldap.user.schema.id`.
- # Set to `mail` if the claim specified in `...oidc.userIDClaim` holds the value of the ldap user attribute specified in `...ldap.user.schema.mail`.
- # Set to `username` if the claim specified in `...oidc.userIDClaim` holds the value of the ldap user attribute specified in `...ldap.user.schema.userName`.
 userIDClaimAttributeMapping: userid
 ldap:
@@ -409,7 +397,6 @@ releases:
 persistence:
 enabled: true
-
 - extraResources:
 - |
 apiVersion: v1