feat(charts): add chart for docker-jans-saml (#7361)

* chore(docker-jans-saml): add configurable backoff in configure_kc.py script Signed-off-by: iromli <isman.firmansyah@gmail.com> * feat(charts): add chart for docker-jans-saml Signed-off-by: iromli <isman.firmansyah@gmail.com> * chore(docker-jans-saml): use env vars to configure log level and proxy Signed-off-by: iromli <isman.firmansyah@gmail.com> * chore(docker-jans-all-in-one): add missing services Signed-off-by: iromli <isman.firmansyah@gmail.com> * chore(charts): add failureThreshold for jans-saml liveness and readiness probes Signed-off-by: iromli <isman.firmansyah@gmail.com> * chore(charts): add jans-saml support to janssen-all-in-one chart Signed-off-by: iromli <isman.firmansyah@gmail.com> * chore(docker-jans): add config for KC database Signed-off-by: iromli <isman.firmansyah@gmail.com> * chore(docker-jans): rename env for KC admin credentials file Signed-off-by: iromli <isman.firmansyah@gmail.com> * chore(charts): add database support for jans-saml deployment * chore(charts): jans-saml deployment for jans-all-in-one Signed-off-by: iromli <isman.firmansyah@gmail.com> * chore(charts): increase failureThreshold for jans-saml deployment Signed-off-by: iromli <isman.firmansyah@gmail.com> * chore(charts): increase failureThreshold for jans-saml sub chart Signed-off-by: iromli <isman.firmansyah@gmail.com> * chore(docker-jans): update OCI images related to SAML functional Signed-off-by: iromli <isman.firmansyah@gmail.com> * chore(charts): handle default value for transaction recovery Signed-off-by: iromli <isman.firmansyah@gmail.com> * chore(charts): set default transaction recovery Signed-off-by: iromli <isman.firmansyah@gmail.com> * docs: mention cm and secret names Signed-off-by: Amro Misbah <amromisba7@gmail.com> * chore(docker-jans-saml): build optimized KC before running the server Signed-off-by: iromli <isman.firmansyah@gmail.com> * chore(docker-jans): update JANS_SOURCE_VERSION Signed-off-by: iromli <isman.firmansyah@gmail.com> --------- Signed-off-by: iromli <isman.firmansyah@gmail.com> Signed-off-by: Amro Misbah <amromisba7@gmail.com> Signed-off-by: Mohammad Abudayyeh <47318409+moabu@users.noreply.github.com> Co-authored-by: Amro Misbah <amromisba7@gmail.com> Co-authored-by: Mohammad Abudayyeh <47318409+moabu@users.noreply.github.com>
JanssenProject · Jan 18, 2024 · 777412b · 777412b
1 parent 9058c2e
commit 777412b
Show file tree

Hide file tree

Showing 45 changed files with 1,568 additions and 44 deletions.
diff --git a/charts/janssen-all-in-one/README.md b/charts/janssen-all-in-one/README.md
@@ -169,7 +169,18 @@ Kubernetes: `>=v1.22.0-0`
 | configmap.cnSqlDbTimezone | string | `"UTC"` | SQL database timezone. |
 | configmap.cnSqlDbUser | string | `"jans"` | SQL database username. |
 | configmap.cnSqldbUserPassword | string | `"Test1234#"` | SQL password  injected the secrets . |
+| configmap.kcDbPassword | string | `"Test1234#"` | Password for Keycloak database access |
+| configmap.kcDbSchema | string | `"keycloak"` | Keycloak database schema name (note that PostgreSQL may using "public" schema). |
+| configmap.kcDbUrlDatabase | string | `"keycloak"` | Keycloak database name |
+| configmap.kcDbUrlHost | string | `"mysql.kc.svc.cluster.local"` | Keycloak database host |
+| configmap.kcDbUrlPort | int | `3306` | Keycloak database port (default to port 3306 for mysql). |
+| configmap.kcDbUrlProperties | string | `"?useUnicode=true&characterEncoding=UTF-8&character_set_server=utf8mb4"` | Keycloak database connection properties. If using postgresql, the value can be set to empty string. |
+| configmap.kcDbUsername | string | `"keycloak"` | Keycloak database username |
+| configmap.kcDbVendor | string | `"mysql"` | Keycloak database vendor name (default to MySQL server). To use PostgreSQL server, change the value to postgres. |
+| configmap.kcLogLevel | string | `"INFO"` | Keycloak logging level |
+| configmap.kcProxy | string | `"edge"` | Keycloak proxy mode (for most deployments, this doesn't need to be changed) |
 | configmap.lbAddr | string | `""` | Load balancer address for AWS if the FQDN is not registered. |
+| configmap.quarkusTransactionEnableRecovery | bool | `true` | Quarkus transaction recovery. When using MySQL, there could be issue regarding XA_RECOVER_ADMIN; refer to https://dev.mysql.com/doc/refman/8.0/en/privileges-provided.html#priv_xa-recover-admin for details. |
 | countryCode | string | `"US"` | Country code. Used for certificate creation. |
 | customScripts | list | `[]` | Add custom scripts that have been mounted to run before the entrypoint. - /tmp/custom.sh - /tmp/custom2.sh |
 | dnsConfig | object | `{}` | Add custom dns config |
@@ -206,6 +217,8 @@ Kubernetes: `>=v1.22.0-0`
 | istio.ingress | bool | `false` | Boolean flag that enables using istio gateway for Janssen. This assumes istio ingress is installed and hence the LB is available. |
 | istio.namespace | string | `"istio-system"` | The namespace istio is deployed in. The is normally istio-system. |
 | istio.tlsSecretName | string | `"istio-tls-certificate"` |  |
+| kcAdminCredentialsFile | string | `"/etc/jans/conf/kc_admin_creds"` | Path to file contains Keycloak admin credentials (username and password) |
+| kcDbPasswordFile | string | `"/etc/jans/conf/kc_db_password"` | Path to file contains password for database access |
 | lbIp | string | `"22.22.22.22"` | The Loadbalancer IP created by nginx or istio on clouds that provide static IPs. This is not needed if `fqdn` is globally resolvable. |
 | lifecycle | object | `{}` |  |
 | link.appLoggers | object | `{"enableStdoutLogPrefix":"true","ldapStatsLogLevel":"INFO","ldapStatsLogTarget":"FILE","linkLogLevel":"INFO","linkLogTarget":"STDOUT","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scriptLogLevel":"INFO","scriptLogTarget":"FILE"}` | App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. |
@@ -245,6 +258,8 @@ Kubernetes: `>=v1.22.0-0`
 | nginx-ingress.ingress.openidAdditionalAnnotations | object | `{}` | openid-configuration ingress resource additional annotations. |
 | nginx-ingress.ingress.openidConfigLabels | object | `{}` | openid-configuration ingress resource labels. key app is taken |
 | nginx-ingress.ingress.path | string | `"/"` |  |
+| nginx-ingress.ingress.samlAdditionalAnnotations | object | `{}` | SAML ingress resource additional annotations. |
+| nginx-ingress.ingress.samlLabels | object | `{}` | SAML config ingress resource labels. key app is taken |
 | nginx-ingress.ingress.scimAdditionalAnnotations | object | `{}` | SCIM ingress resource additional annotations. |
 | nginx-ingress.ingress.scimConfigAdditionalAnnotations | object | `{}` | SCIM config ingress resource additional annotations. |
 | nginx-ingress.ingress.scimConfigLabels | object | `{}` | SCIM config ingress resource labels. key app is taken |
@@ -270,6 +285,9 @@ Kubernetes: `>=v1.22.0-0`
 | resources.requests.cpu | string | `"2500m"` | CPU request. |
 | resources.requests.memory | string | `"2500Mi"` | Memory request. |
 | salt | string | `""` | Salt. Used for encoding/decoding sensitive data. If omitted or set to empty string, the value will be self-generated. Otherwise, a 24 alphanumeric characters are allowed as its value. |
+| saml.enabled | bool | `false` | Boolean flag to enable/disable the saml chart. |
+| saml.ingress | object | `{"samlEnabled":false}` | Enable endpoints in either istio or nginx ingress depending on users choice |
+| saml.samlServiceName | string | `"saml"` | Name of the saml service. Please keep it as default. |
 | scim.appLoggers | object | `{"enableStdoutLogPrefix":"true","ldapStatsLogLevel":"INFO","ldapStatsLogTarget":"FILE","persistenceDurationLogLevel":"INFO","persistenceDurationLogTarget":"FILE","persistenceLogLevel":"INFO","persistenceLogTarget":"FILE","scimLogLevel":"INFO","scimLogTarget":"STDOUT","scriptLogLevel":"INFO","scriptLogTarget":"FILE"}` | App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. |
 | scim.appLoggers.enableStdoutLogPrefix | string | `"true"` | Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e jans-scim ===> 2022-12-20 17:49:55,744 INFO |
 | scim.appLoggers.ldapStatsLogLevel | string | `"INFO"` | jans-scim_persistence_ldap_statistics.log level |

diff --git a/charts/janssen-all-in-one/templates/_helpers.tpl b/charts/janssen-all-in-one/templates/_helpers.tpl
@@ -152,5 +152,8 @@ Create aio enabled list
 {{- if .Values.scim.enabled}}
 {{ $newList = append $newList ("jans-scim") }}
 {{- end}}
+{{- if .Values.saml.enabled}}
+{{ $newList = append $newList ("jans-saml") }}
+{{- end}}
 {{ toJson $newList }}
-{{- end }}
+{{- end }}
diff --git a/charts/janssen-all-in-one/templates/configmap.yaml b/charts/janssen-all-in-one/templates/configmap.yaml
@@ -192,6 +192,21 @@ data:
   CN_LDAP_TRUSTSTORE_FILE: {{ .Values.cnLdapTruststoreFile }}
   CN_CONFIG_API_PLUGINS: "admin-ui,fido2,scim,user-mgt"
   CN_AIO_COMPONENTS: {{ include "janssen-all-in-one.aioComponents" . | fromJsonArray | join "," | quote}}
+  {{- if .Values.saml.enabled }}
+  QUARKUS_TRANSACTION_MANAGER_ENABLE_RECOVERY: {{ .Values.configmap.quarkusTransactionEnableRecovery | quote }}
+  KC_LOG_LEVEL: {{ .Values.configmap.kcLogLevel | quote }}
+  KC_PROXY: {{ .Values.configmap.kcProxy | quote }}
+  KC_DB: {{ .Values.configmap.kcDbVendor | quote }}
+  KC_DB_USERNAME: {{ .Values.configmap.kcDbUsername | quote }}
+  KC_DB_SCHEMA: {{ .Values.configmap.kcDbSchema | quote }}
+  KC_DB_URL_HOST: {{ .Values.configmap.kcDbUrlHost | quote }}
+  KC_DB_URL_PORT: {{ .Values.configmap.kcDbUrlPort | quote }}
+  KC_DB_URL_DATABASE: {{ .Values.configmap.kcDbUrlDatabase | quote }}
+  KC_DB_URL_PROPERTIES: {{ .Values.configmap.kcDbUrlProperties | quote }}
+  CN_SAML_KC_DB_PASSWORD_FILE: {{ .Values.kcDbPasswordFile | quote }}
+  CN_SAML_KC_ADMIN_CREDENTIALS_FILE: {{ .Values.kcAdminCredentialsFile | quote }}
+  {{- end }}
+
 ---
 
 apiVersion: v1

diff --git a/charts/janssen-all-in-one/templates/deployment.yml b/charts/janssen-all-in-one/templates/deployment.yml
@@ -129,6 +129,11 @@ spec:
             mountPath: {{ .Values.cnSqlPasswordFile }}
             subPath: sql_password
         {{- end }}
+        {{- if .Values.saml.enabled }}
+          - name: kc-db-pass
+            mountPath: {{ .Values.kcDbPasswordFile }}
+            subPath: kc_db_password
+        {{- end }}
         livenessProbe:
 {{- toYaml .Values.livenessProbe | nindent 10 }}
         readinessProbe:
@@ -206,3 +211,8 @@ spec:
             secretName: {{ .Release.Name }}-sql-pass
       {{- end }}
 
+      {{- if .Values.saml.enabled }}
+        - name: kc-db-pass
+          secret:
+            secretName: {{ .Release.Name }}-kc-db-pass
+      {{- end }}
diff --git a/charts/janssen-all-in-one/templates/nginx-ingress.yaml b/charts/janssen-all-in-one/templates/nginx-ingress.yaml
@@ -612,4 +612,54 @@ spec:
                 port:
                   number: 8080
 {{- end }}
-{{- end }}
+{{- end }}
+
+---
+
+{{ if .Values.saml.ingress.samlEnabled -}}
+{{ $fullName := include "janssen-all-in-one.fullname" . -}}
+{{- $ingressPath := index .Values "nginx-ingress" "ingress" "path" -}}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{ $fullName }}-saml
+  labels:
+    app: {{ $fullName }}-saml
+{{- if index .Values "nginx-ingress" "ingress" "additionalLabels" }}
+{{ toYaml index .Values "nginx-ingress" "ingress" "additionalLabels" | indent 4 }}
+{{- end }}
+{{- if index .Values "nginx-ingress" "ingress" "samlLabels" }}
+{{ toYaml index .Values "nginx-ingress" "ingress" "samlLabels" | indent 4 }}
+{{- end }}
+  annotations:
+    nginx.ingress.kubernetes.io/affinity: cookie
+    nginx.ingress.kubernetes.io/session-cookie-hash: sha1
+    nginx.ingress.kubernetes.io/session-cookie-name: "saml-route"
+    nginx.ingress.kubernetes.io/proxy-next-upstream: "error timeout invalid_header http_500 http_502 http_503 http_504"
+{{- if index .Values "nginx-ingress" "ingress" "samlAdditionalAnnotations" }}
+{{ toYaml index .Values "nginx-ingress" "ingress" "samlAdditionalAnnotations" | indent 4 }}
+{{- end }}
+{{- if index .Values "nginx-ingress" "ingress" "additionalAnnotations" }}
+{{ toYaml index .Values "nginx-ingress" "ingress" "additionalAnnotations" | indent 4 }}
+{{- end }}
+spec:
+  ingressClassName: {{ index .Values "nginx-ingress" "ingress" "ingressClassName" }}
+{{- if index .Values "nginx-ingress" "ingress" "tlsSecretName" }}
+  tls:
+    - hosts:
+        - {{ .Values.fqdn | quote }}
+      secretName: {{ index .Values "nginx-ingress" "ingress" "tlsSecretName" }}
+{{- end }}
+  rules:
+    - host: {{ .Values.fqdn | quote }}
+      http:
+        paths:
+          - path: /kc
+            pathType: Prefix
+            backend:
+              service:
+                name: {{ .Values.service.name }}
+                port:
+                  number: 8080
+{{- end }}
+{{- end }}
diff --git a/charts/janssen-all-in-one/templates/secret.yaml b/charts/janssen-all-in-one/templates/secret.yaml
@@ -147,3 +147,22 @@ data:
   couchbase_password: {{ .Values.configmap.cnCouchbasePassword | b64enc }}
   couchbase_superuser_password: {{ .Values.configmap.cnCouchbaseSuperUserPassword | b64enc }}
 {{- end}}
+
+{{- if .Values.saml.enabled }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ .Release.Name }}-kc-db-pass
+  labels:
+{{ include "config.labels" . | indent 4 }}
+{{- if .Values.additionalLabels }}
+{{ toYaml .Values.additionalLabels | indent 4 }}
+{{- end }}
+{{- if .Values.additionalAnnotations }}
+  annotations:
+{{ toYaml .Values.additionalAnnotations | indent 4 }}
+{{- end }}
+data:
+  kc_db_password: {{ .Values.configmap.kcDbPassword | b64enc }}
+{{- end}}
diff --git a/charts/janssen-all-in-one/values.yaml b/charts/janssen-all-in-one/values.yaml
@@ -115,6 +115,28 @@ configmap:
   cnLdapCrt: SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo=
   # -- OpenDJ key string. This must be encoded using base64.
   cnLdapKey: SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo=
+  # -- Quarkus transaction recovery. When using MySQL, there could be issue regarding XA_RECOVER_ADMIN; refer to https://dev.mysql.com/doc/refman/8.0/en/privileges-provided.html#priv_xa-recover-admin for details.
+  quarkusTransactionEnableRecovery: true
+  # -- Keycloak logging level
+  kcLogLevel: INFO
+  # -- Keycloak proxy mode (for most deployments, this doesn't need to be changed)
+  kcProxy: edge
+  # -- Keycloak database vendor name (default to MySQL server). To use PostgreSQL server, change the value to postgres.
+  kcDbVendor: mysql
+  # -- Keycloak database username
+  kcDbUsername: keycloak
+  # -- Password for Keycloak database access
+  kcDbPassword: Test1234#
+  # -- Keycloak database schema name (note that PostgreSQL may using "public" schema).
+  kcDbSchema: keycloak
+  # -- Keycloak database host
+  kcDbUrlHost: mysql.kc.svc.cluster.local
+  # -- Keycloak database port (default to port 3306 for mysql).
+  kcDbUrlPort: 3306
+  # -- Keycloak database name
+  kcDbUrlDatabase: keycloak
+  # -- Keycloak database connection properties. If using postgresql, the value can be set to empty string.
+  kcDbUrlProperties: "?useUnicode=true&characterEncoding=UTF-8&character_set_server=utf8mb4"
 nameOverride: ""
 fullNameOverride: ""
 # -- Redis admin password if `configmap.cnCacheType` is set to `REDIS`.
@@ -406,6 +428,15 @@ link:
   ingress:
     # Enable link endpoints /jans-link
     linkEnabled: true
+saml:
+  # -- Name of the saml service. Please keep it as default.
+  samlServiceName: saml
+  # -- Boolean flag to enable/disable the saml chart.
+  enabled: false
+  # -- Enable endpoints in either istio or nginx ingress depending on users choice
+  ingress:
+    # Enable saml endpoints /kc
+    samlEnabled: false
 
 
 # Global properties
@@ -437,6 +468,10 @@ cnSqlPasswordFile: /etc/jans/conf/sql_password
 cnCouchbasePasswordFile: /etc/jans/conf/couchbase_password
 # -- Path to Couchbase superuser password file
 cnCouchbaseSuperuserPasswordFile: /etc/jans/conf/couchbase_superuser_password
+# -- Path to file contains password for database access
+kcDbPasswordFile: /etc/jans/conf/kc_db_password
+# -- Path to file contains Keycloak admin credentials (username and password)
+kcAdminCredentialsFile: /etc/jans/conf/kc_admin_creds
 
 # ingress properties
 istio:
@@ -518,6 +553,10 @@ nginx-ingress:
     casaLabels: { }
     # -- Casa ingress resource additional annotations.
     casaAdditionalAnnotations: { }
+    # -- SAML config ingress resource labels. key app is taken
+    samlLabels: { }
+    # -- SAML ingress resource additional annotations.
+    samlAdditionalAnnotations: { }
     # -- Additional labels that will be added across all ingress definitions in the format of {mylabel: "myapp"}
     additionalLabels: { }
     # -- Additional annotations that will be added across all ingress definitions in the format of {cert-manager.io/issuer: "letsencrypt-prod"}
@@ -653,4 +692,4 @@ additionalAnnotations: { }
 # -- Add custom scripts that have been mounted to run before the entrypoint.
 # - /tmp/custom.sh
 # - /tmp/custom2.sh
-customScripts: [ ]
+customScripts: [ ]
diff --git a/charts/janssen/Chart.yaml b/charts/janssen/Chart.yaml
@@ -22,6 +22,10 @@ annotations:
       image: ghcr.io/janssenproject/jans/casa:1.0.22_dev
     - name: scim
       image: ghcr.io/janssenproject/jans/scim:1.0.22_dev
+    - name: link
+      image: ghcr.io/janssenproject/jans/link:1.0.22_dev
+    - name: saml
+      image: ghcr.io/janssenproject/jans/saml:1.0.22_dev
   artifacthub.io/license: Apache-2.0
   artifacthub.io/prerelease: 'true'
   catalog.cattle.io/certified: partner
@@ -85,3 +89,7 @@ dependencies:
     - name: link
       condition: global.link.enabled
       version: 1.0.22-dev
+
+    - name: saml
+      condition: global.saml.enabled
+      version: 1.0.22-dev