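--- a/charts/rh-keycloak/Chart.yaml
+++ b/charts/rh-keycloak/Chart.yaml
@@ -0,0 +1,17 @@
+apiVersion: v2
+name: rh-keycloak
+description: ZTVP Keycloak deployment — wraps the rhbk chart and adds PostSync cleanup for one-shot ExternalSecrets
+type: application
+version: 0.1.0
+dependencies:
+- name: rhbk
+version: ">=0.0.9"
+repository: "oci://quay.io/validatedpatterns"
+maintainers:
+- name: Zero Trust Validated Patterns Team
+email: ztvp-arch-group@redhat.com
+keywords:
+- keycloak
+- rhbk
+- zero-trust
+- pattern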
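Review bot: The rhbk dependency constraint `version: ">=0.0.9"` has no upper bound, so `helm dependency update` resolves to whatever the newest rhbk release in the OCI registry is at that moment, including a future breaking version; the hub entry in values-hub.yaml that this replaces appears to have been limited to `chartVersion: 0.0.*`. Prefer a bounded constraint such as `version: "~0.0.9"` (or an exact version) and commit the resulting Chart.lock so the subchart version actually deployed is reviewable and reproducible across syncs.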
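--- a/charts/rh-keycloak/templates/cleanup-externalsecrets.yaml
+++ b/charts/rh-keycloak/templates/cleanup-externalsecrets.yaml
@@ -0,0 +1,94 @@
+{{- if .Values.cleanup.enabled }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+name: cleanup-ephemeral-secrets
+namespace: {{ .Release.Namespace }}
+annotations:
+argocd.argoproj.io/hook: PostSync
+argocd.argoproj.io/hook-delete-policy: BeforeHookCreation
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+name: cleanup-ephemeral-secrets
+namespace: {{ .Release.Namespace }}
+annotations:
+argocd.argoproj.io/hook: PostSync
+argocd.argoproj.io/hook-delete-policy: BeforeHookCreation
+rules:
+- apiGroups: ["external-secrets.io"]
+resources: ["externalsecrets"]
+verbs: ["get", "list", "delete"]
+- apiGroups: [""]
+resources: ["secrets"]
+verbs: ["get", "list", "delete"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+name: cleanup-ephemeral-secrets
+namespace: {{ .Release.Namespace }}
+annotations:
+argocd.argoproj.io/hook: PostSync
+argocd.argoproj.io/hook-delete-policy: BeforeHookCreation
+roleRef:
+apiGroup: rbac.authorization.k8s.io
+kind: Role
+name: cleanup-ephemeral-secrets
+subjects:
+- kind: ServiceAccount
+name: cleanup-ephemeral-secrets
+namespace: {{ .Release.Namespace }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+name: cleanup-ephemeral-secrets
+namespace: {{ .Release.Namespace }}
+annotations:
+argocd.argoproj.io/hook: PostSync
+argocd.argoproj.io/hook-delete-policy: BeforeHookCreation
+spec:
+backoffLimit: 2
+activeDeadlineSeconds: {{ .Values.cleanup.activeDeadlineSeconds }}
+template:
+spec:
+serviceAccountName: cleanup-ephemeral-secrets
+restartPolicy: Never
+containers:
+- name: cleanup
+image: {{ .Values.cleanup.image }}
+command:
+- /bin/bash
+- -ce
+- |
+LABEL="{{ .Values.cleanup.label }}"
+NS="{{ .Release.Namespace }}"
+
+ES_COUNT=$(oc get externalsecret -l "${LABEL}=one-shot" -n "${NS}" --no-headers 2>/dev/null | wc -l)
+if [ "${ES_COUNT}" -eq 0 ]; then
+echo "No one-shot ExternalSecrets found. Nothing to do."
+else
+echo "Found ${ES_COUNT} one-shot ExternalSecret(s)."
+echo "Waiting for ExternalSecrets to sync..."
+oc wait externalsecret -l "${LABEL}=one-shot" -n "${NS}" \
+--for=condition=Ready --timeout=90s 2>/dev/null || \
+echo "WARNING: Timed out waiting for Ready, proceeding."
+
+echo "Deleting ExternalSecrets (orphaning dependent Secrets)..."
+oc delete externalsecret -l "${LABEL}=one-shot" -n "${NS}" \
+--cascade=orphan --ignore-not-found
+fi
+
+SEC_COUNT=$(oc get secret -l "${LABEL}=delete" -n "${NS}" --no-headers 2>/dev/null | wc -l)
+if [ "${SEC_COUNT}" -eq 0 ]; then
+echo "No ephemeral Secrets to clean up."
+else
+echo "Deleting ${SEC_COUNT} ephemeral Secret(s)..."
+oc delete secret -l "${LABEL}=delete" -n "${NS}" --ignore-not-found
+fi
+
+echo "Cleanup complete."
+{{- end }}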
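Review bot: On the `ES_COUNT=$(oc get externalsecret ... 2>/dev/null | wc -l)` line and the matching `SEC_COUNT` line, a failed `oc get` (RBAC denied, API unreachable, wrong namespace) is silently turned into a count of 0: stderr is discarded, the pipeline's exit status is `wc`'s, so `-e` never fires and the Job logs "Nothing to do" and exits 0 while the ephemeral Secrets it exists to remove stay in the namespace unnoticed. Add `set -o pipefail` as the first line of the script and drop the `2>/dev/null` on both `oc get` calls so a lookup failure fails the hook and surfaces in Argo CD rather than reading as success. Separately, the Role grants `delete` on every Secret in the namespace (RBAC cannot scope by label) and with `hook-delete-policy: BeforeHookCreation` the ServiceAccount, Role and RoleBinding persist until the next sync; if the broad verb is unavoidable, consider `HookSucceeded` on the three RBAC objects so the standing delete privilege disappears once the Job completes, and add a comment above the Role stating that the label-based scoping lives only in the script.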
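--- a/charts/rh-keycloak/values.yaml
+++ b/charts/rh-keycloak/values.yaml
@@ -0,0 +1,15 @@
+# PostSync cleanup for ephemeral Secrets.
+# When enabled, a PostSync Job deletes the keycloak-users ExternalSecret
+# with --cascade=orphan (so the Secret survives), then removes Secrets
+# labeled for deletion (keycloak-users).
+cleanup:
+enabled: true
+image: registry.redhat.io/openshift4/ose-cli-rhel9:latest
+label: "ztvp.io/cleanup"
+activeDeadlineSeconds: 120
+
+# Values passed through to the rhbk subchart.
+rhbk:
+externalSecrets:
+oneShot: true
+secretCleanupLabel: "ztvp.io/cleanup"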
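Review bot: `image: registry.redhat.io/openshift4/ose-cli-rhel9:latest` is a mutable tag, so the PostSync Job — which runs with delete rights on Secrets in the Keycloak namespace — executes whatever the registry serves under that tag at sync time, and two syncs of the same commit can run different binaries. Pin to a versioned tag or, better, a digest, e.g. `image: registry.redhat.io/openshift4/ose-cli-rhel9@sha256:<DIGEST-PLACEHOLDER>`, and quote the value in the template since it is substituted unquoted. The cleanup label is also declared twice (`cleanup.label` and `rhbk.externalSecrets.secretCleanupLabel`) and must stay identical or the Job finds nothing and reports success; a comment such as `# Must match rhbk.externalSecrets.secretCleanupLabel below.` on `label:` would prevent that silent no-op.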
10 changes: 5 additions & 5 deletions values-hub.yaml
Expand Up @@ -494,16 +494,16 @@ clusterGroup:
name: rh-keycloak
namespace: keycloak-system
project: hub
chart: rhbk
chartVersion: 0.0.*
path: charts/rh-keycloak
annotations:
argocd.argoproj.io/sync-wave: "35"
# SPIFFE Identity Provider is enabled by default in the chart.
# SPIFFE Identity Provider is enabled by default in the rhbk subchart.
# Override issuer/jwksUrl only if auto-generated values from cluster domain are not suitable.
# Note: overrides must use the rhbk. prefix to reach the subchart.
# overrides:
# - name: keycloak.spiffeIdentityProvider.config.config.issuer
# - name: rhbk.keycloak.spiffeIdentityProvider.config.config.issuer
# value: "spiffe://apps.example.com"
# - name: keycloak.spiffeIdentityProvider.config.config.jwksUrl
# - name: rhbk.keycloak.spiffeIdentityProvider.config.config.jwksUrl
# value: "https://spire-spiffe-oidc-discovery-provider.apps.example.com/keys"
rh-cert-manager:
name: rh-cert-manager