feat(cloud-native): add support for keycloak scheduler (#8423)
* feat(cloud-native): add support for keycloak scheduler

Signed-off-by: iromli <isman.firmansyah@gmail.com>

* feat(cloud-native): add configurable logging

Signed-off-by: iromli <isman.firmansyah@gmail.com>

* feat: add charts for kc-scheduler

Signed-off-by: iromli <isman.firmansyah@gmail.com>

* refactor(cloud-native): simplify logging configuration for job

Signed-off-by: iromli <isman.firmansyah@gmail.com>

* chore: add symlink to main entrypoint.sh

Signed-off-by: iromli <isman.firmansyah@gmail.com>

* ci: add docker-jans-kc-scheduler to workflow and dependabot list

Signed-off-by: iromli <isman.firmansyah@gmail.com>

* docs: add docker-jans-kc-scheduler docs

Signed-off-by: iromli <isman.firmansyah@gmail.com>

* fix: add missing HostAliases for Helm charts

Signed-off-by: iromli <isman.firmansyah@gmail.com>

* fix: add hostAliases only if FQDN not registered

Signed-off-by: iromli <isman.firmansyah@gmail.com>

* fix: enable FILE appender-ref to avoid logback status warning

Signed-off-by: iromli <isman.firmansyah@gmail.com>

* chore: update kc-jans-scheduler

Signed-off-by: iromli <isman.firmansyah@gmail.com>

* docs: update reference to docker-jans-kc-scheduler docs

Signed-off-by: iromli <isman.firmansyah@gmail.com>

* fix(charts): ensure kc-scheduler cronjob is enabled only when kc-scheduler and saml are enabled

Signed-off-by: iromli <isman.firmansyah@gmail.com>

---------

Signed-off-by: iromli <isman.firmansyah@gmail.com>
Co-authored-by: Mohammad Abudayyeh <47318409+moabu@users.noreply.github.com>
iromli and moabu committed May 13, 2024
1 parent 14823dd commit abff9b8
Showing 33 changed files with 1,775 additions and 7 deletions.
10 changes: 10 additions & 0 deletions .github/dependabot.yml
@@ -245,3 +245,13 @@ updates:
directory: /jans-linux-setup/jans_setup/templates/jans-keycloak-link/idp-broker-api
schedule:
interval: daily

- package-ecosystem: docker
directory: /docker-jans-kc-scheduler
schedule:
interval: daily

- package-ecosystem: pip
directory: /docker-jans-kc-scheduler
schedule:
interval: daily
10 changes: 5 additions & 5 deletions .github/workflows/docker_build_image.yml
@@ -26,9 +26,9 @@ on:
workflow_dispatch:
inputs:
services:
description: 'One or set of the docker images. Format as following: "docker-jans-auth-server docker-jans-certmanager docker-jans-config-api docker-jans-configurator docker-jans-fido2 docker-jans-persistence-loader docker-jans-scim docker-jans-monolith docker-jans-loadtesting-jmeter docker-jans-link docker-jans-casa docker-jans-all-in-one docker-jans-saml docker-jans-keycloak-link"'
description: 'One or set of the docker images. Format as following: "docker-jans-auth-server docker-jans-certmanager docker-jans-config-api docker-jans-configurator docker-jans-fido2 docker-jans-persistence-loader docker-jans-scim docker-jans-monolith docker-jans-loadtesting-jmeter docker-jans-link docker-jans-casa docker-jans-all-in-one docker-jans-saml docker-jans-keycloak-link docker-jans-kc-scheduler"'
required: true
default: 'docker-jans-auth-server docker-jans-certmanager docker-jans-config-api docker-jans-configurator docker-jans-fido2 docker-jans-persistence-loader docker-jans-scim docker-jans-monolith docker-jans-loadtesting-jmeter docker-jans-link docker-jans-casa docker-jans-all-in-one docker-jans-saml docker-jans-keycloak-link'
default: 'docker-jans-auth-server docker-jans-certmanager docker-jans-config-api docker-jans-configurator docker-jans-fido2 docker-jans-persistence-loader docker-jans-scim docker-jans-monolith docker-jans-loadtesting-jmeter docker-jans-link docker-jans-casa docker-jans-all-in-one docker-jans-saml docker-jans-keycloak-link docker-jans-kc-scheduler'
cn_version:
description: 'The war version to build the image off'
required: false
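Review bot: the image list is now maintained by hand in five places in this one workflow (the `description` and `default` of the `services` input here, plus the `matrix`, `DEFAULT_ALL` and `TEMP_IMG` lists further down), and this change had to touch every one of them. Consider deriving the other lists from a single definition so that a future image cannot be added to one list and missed in another.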
@@ -53,7 +53,7 @@ jobs:
strategy:
max-parallel: 8
matrix:
docker-images: ["auth-server", "certmanager", "config-api", "configurator", "fido2", "persistence-loader", "scim", "monolith", "loadtesting-jmeter", "link", "casa", "all-in-one", "saml", "keycloak-link"]
docker-images: ["auth-server", "certmanager", "config-api", "configurator", "fido2", "persistence-loader", "scim", "monolith", "loadtesting-jmeter", "link", "casa", "all-in-one", "saml", "keycloak-link", "kc-scheduler"]
steps:
- name: Harden Runner
uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
@@ -78,7 +78,7 @@ jobs:
DEFAULT_ALL=${{ github.event.inputs.services }}
if [ -z "$DEFAULT_ALL" ]
then
DEFAULT_ALL="docker-jans-auth-server docker-jans-certmanager docker-jans-config-api docker-jans-configurator docker-jans-fido2 docker-jans-persistence-loader docker-jans-scim docker-jans-monolith docker-jans-loadtesting-jmeter docker-jans-link docker-jans-casa docker-jans-all-in-one docker-jans-saml docker-jans-keycloak-link"
DEFAULT_ALL="docker-jans-auth-server docker-jans-certmanager docker-jans-config-api docker-jans-configurator docker-jans-fido2 docker-jans-persistence-loader docker-jans-scim docker-jans-monolith docker-jans-loadtesting-jmeter docker-jans-link docker-jans-casa docker-jans-all-in-one docker-jans-saml docker-jans-keycloak-link docker-jans-kc-scheduler"
else
echo "$DEFAULT_ALL"
fi
@@ -148,7 +148,7 @@ jobs:
# wait for all images in DEFAULT_ALL to be built before building the all-in-one image as it depends on all other images
if [[ "docker-jans-all-in-one" =~ "${{ matrix.docker-images }}" ]]; then
if [[ ${{ github.event_name != 'pull_request' }} ]]; then
TEMP_IMG="auth-server certmanager config-api configurator fido2 persistence-loader scim monolith loadtesting-jmeter link casa saml keycloak-link"
TEMP_IMG="auth-server certmanager config-api configurator fido2 persistence-loader scim monolith loadtesting-jmeter link casa saml keycloak-link kc-scheduler"
for i in $TEMP_IMG; do
echo "Waiting for $i to be built"
sleep 30
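Review bot: the guard `if [[ ${{ github.event_name != 'pull_request' }} ]]; then` in this hunk's context is always true: the expression renders to the literal word `true` or `false`, and `[[ false ]]` is a non-empty-string test that succeeds. If the intent is to skip the wait on pull requests, compare the event name explicitly, e.g. `if [[ "${{ github.event_name }}" != "pull_request" ]]; then`. Separately, appending `kc-scheduler` to `TEMP_IMG` makes the all-in-one build block until that image is built; keep it only if the all-in-one image actually bundles the scheduler.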
22 changes: 22 additions & 0 deletions charts/janssen-all-in-one/README.md
@@ -234,6 +234,28 @@ Kubernetes: `>=v1.22.0-0`
| istio.ingress | bool | `false` | Boolean flag that enables using istio gateway for Janssen. This assumes istio ingress is installed and hence the LB is available. |
| istio.namespace | string | `"istio-system"` | The namespace istio is deployed in. The is normally istio-system. |
| istio.tlsSecretName | string | `"istio-tls-certificate"` | |
| kc-scheduler | object | `{"additionalAnnotations":{},"additionalLabels":{},"customScripts":[],"dnsConfig":{},"dnsPolicy":"","enabled":false,"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/janssenproject/jans/kc-scheduler","tag":"1.1.2_dev"},"interval":10,"lifecycle":{},"resources":{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]}` | Responsible for synchronizing Keycloak SAML clients |
| kc-scheduler.additionalAnnotations | object | `{}` | Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"} |
| kc-scheduler.additionalLabels | object | `{}` | Additional labels that will be added across the gateway in the format of {mylabel: "myapp"} |
| kc-scheduler.customScripts | list | `[]` | Add custom scripts that have been mounted to run before the entrypoint. - /tmp/custom.sh - /tmp/custom2.sh |
| kc-scheduler.dnsConfig | object | `{}` | Add custom dns config |
| kc-scheduler.dnsPolicy | string | `""` | Add custom dns policy |
| kc-scheduler.enabled | bool | `false` | Boolean flag to enable/disable the kc-scheduler cronjob chart. |
| kc-scheduler.image.pullPolicy | string | `"IfNotPresent"` | Image pullPolicy to use for deploying. |
| kc-scheduler.image.pullSecrets | list | `[]` | Image Pull Secrets |
| kc-scheduler.image.repository | string | `"ghcr.io/janssenproject/jans/kc-scheduler"` | Image to use for deploying. |
| kc-scheduler.image.tag | string | `"1.1.2_dev"` | Image tag to use for deploying. |
| kc-scheduler.interval | int | `10` | Interval of running the scheduler (in minutes) |
| kc-scheduler.resources | object | `{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}}` | Resource specs. |
| kc-scheduler.resources.limits.cpu | string | `"300m"` | CPU limit. |
| kc-scheduler.resources.limits.memory | string | `"300Mi"` | Memory limit. |
| kc-scheduler.resources.requests.cpu | string | `"300m"` | CPU request. |
| kc-scheduler.resources.requests.memory | string | `"300Mi"` | Memory request. |
| kc-scheduler.usrEnvs | object | `{"normal":{},"secret":{}}` | Add custom normal and secret envs to the service |
| kc-scheduler.usrEnvs.normal | object | `{}` | Add custom normal envs to the service variable1: value1 |
| kc-scheduler.usrEnvs.secret | object | `{}` | Add custom secret envs to the service variable1: value1 |
| kc-scheduler.volumeMounts | list | `[]` | Configure any additional volumesMounts that need to be attached to the containers |
| kc-scheduler.volumes | list | `[]` | Configure any additional volumes that need to be attached to the pod |
| kcAdminCredentialsFile | string | `"/etc/jans/conf/kc_admin_creds"` | Path to file contains Keycloak admin credentials (username and password) |
| kcDbPasswordFile | string | `"/etc/jans/conf/kc_db_password"` | Path to file contains password for database access |
| lbIp | string | `"22.22.22.22"` | The Loadbalancer IP created by nginx or istio on clouds that provide static IPs. This is not needed if `fqdn` is globally resolvable. |
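Review bot: the descriptions for `kc-scheduler.additionalAnnotations` and `kc-scheduler.additionalLabels` say the values are "added across the gateway", wording carried over from the ingress section; for this chart they land on the CronJob metadata, so reword them (this table is generated from the `# --` comments in values.yaml, so the fix belongs there). The `kc-scheduler` summary row also shows a `lifecycle` key that has no `kc-scheduler.lifecycle` row of its own, because that key lacks a `# --` comment in values.yaml.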
174 changes: 174 additions & 0 deletions charts/janssen-all-in-one/templates/cronjobs.yaml
@@ -166,3 +166,177 @@ spec:
{{- end }}
restartPolicy: Never
{{- end }}

{{ if and (index .Values "kc-scheduler" "enabled") (.Values.saml.enabled) -}}
kind: CronJob
apiVersion: batch/v1
metadata:
name: {{ include "janssen-all-in-one.fullname" . }}-kc-scheduler
namespace: {{ .Release.Namespace }}
labels:
app: {{ .Release.Name }}-{{ include "janssen-all-in-one.name" . }}-kc-scheduler
{{ include "janssen-all-in-one.labels" . | indent 4 }}
{{- if (index .Values "kc-scheduler" "additionalLabels") }}
{{ toYaml (index .Values "kc-scheduler" "additionalLabels") | indent 4 }}
{{- end }}
{{- if (index .Values "kc-scheduler" "additionalAnnotations") }}
annotations:
{{ toYaml (index .Values "kc-scheduler" "additionalAnnotations") | indent 4 }}
{{- end }}
spec:
schedule: "@every {{ index .Values "kc-scheduler" "interval" }}m"
concurrencyPolicy: Forbid
jobTemplate:
spec:
template:
metadata:
annotations:
sidecar.istio.io/inject: "false"
spec:
{{- with (index .Values "kc-scheduler" "image" "pullSecrets") }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
dnsPolicy: {{ index .Values "kc-scheduler" "dnsPolicy" | quote }}
{{- with (index .Values "kc-scheduler" "dnsConfig") }}
dnsConfig:
{{ toYaml . | indent 12 }}
{{- end }}
containers:
- name: {{ include "janssen-all-in-one.name" . }}-kc-scheduler
{{- if (index .Values "kc-scheduler" "customScripts") }}
command:
- /bin/sh
- -c
- |
{{- with (index .Values "kc-scheduler" "customScripts") }}
{{- toYaml . | replace "- " "" | nindent 20}}
{{- end }}
/app/bin/entrypoint.sh
{{- end}}
image: "{{ index .Values "kc-scheduler" "image" "repository" }}:{{ index .Values "kc-scheduler" "image" "tag" }}"
env:
{{- include "janssen-all-in-one.usr-envs" . | indent 16 }}
{{- include "janssen-all-in-one.usr-secret-envs" . | indent 16 }}
imagePullPolicy: {{ index .Values "kc-scheduler" "image" "pullPolicy" }}
lifecycle:
{{- toYaml (index .Values "kc-scheduler" "lifecycle") | nindent 16 }}
volumeMounts:
{{ if or (eq .Values.configSecretAdapter "aws") (eq .Values.configAdapterName "aws") }}
- mountPath: {{ .Values.cnAwsSharedCredentialsFile }}
name: aws-shared-credential-file
subPath: aws_shared_credential_file
- mountPath: {{ .Values.cnAwsConfigFile }}
name: aws-config-file
subPath: aws_config_file
- mountPath: {{ .Values.cnAwsSecretsReplicaRegionsFile }}
name: aws-secrets-replica-regions
subPath: aws_secrets_replica_regions
{{- end }}
{{ if or (eq .Values.configSecretAdapter "google") (eq .Values.cnPersistenceType "spanner") }}
- mountPath: {{ .Values.cnGoogleApplicationCredentials }}
name: google-sa
subPath: google-credentials.json
{{- end }}
{{ if eq .Values.configSecretAdapter "vault" }}
- name: vault
mountPath: /etc/certs/vault_role_id
subPath: vault_role_id
- name: vault
mountPath: /etc/certs/vault_secret_id
subPath: vault_secret_id
{{- end }}
{{- with (index .Values "kc-scheduler" "volumeMounts") }}
{{- toYaml . | nindent 16 }}
{{- end }}
{{- if or (eq .Values.cnPersistenceType "couchbase") (eq .Values.cnPersistenceType "hybrid") }}
{{- if not .Values.istio.enabled }}
- name: cb-crt
mountPath: "/etc/certs/couchbase.crt"
subPath: couchbase.crt
{{- end }}
- name: cb-pass
mountPath: {{ .Values.cnCouchbasePasswordFile }}
subPath: couchbase_password
{{- end }}
{{- if or (eq .Values.cnPersistenceType "sql") (eq .Values.cnPersistenceType "hybrid") }}
- name: sql-pass
mountPath: {{ .Values.cnSqlPasswordFile }}
subPath: sql_password
{{- end }}
envFrom:
- configMapRef:
name: {{ .Release.Name }}-config-cm
{{ if .Values.usrEnvs.secret }}
- secretRef:
name: {{ .Release.Name }}-global-user-custom-envs
{{- end }}
{{ if .Values.usrEnvs.normal }}
- configMapRef:
name: {{ .Release.Name }}-global-user-custom-envs
{{- end }}
{{- if .Values.testEnviroment }}
resources: {}
{{- else }}
resources:
{{- toYaml (index .Values "kc-scheduler" "resources") | nindent 16 }}
{{- end }}
volumes:
{{- with (index .Values "kc-scheduler" "volumes") }}
{{- toYaml . | nindent 12 }}
{{- end }}
{{ if or (eq .Values.configSecretAdapter "aws") (eq .Values.configAdapterName "aws") }}
- name: aws-shared-credential-file
secret:
secretName: {{ .Release.Name }}-aws-config-creds
items:
- key: aws_shared_credential_file
path: aws_shared_credential_file
- name: aws-config-file
secret:
secretName: {{ .Release.Name }}-aws-config-creds
items:
- key: aws_config_file
path: aws_config_file
- name: aws-secrets-replica-regions
secret:
secretName: {{ .Release.Name }}-aws-config-creds
items:
- key: aws_secrets_replica_regions
path: aws_secrets_replica_regions
{{- end }}
{{ if or (eq .Values.configSecretAdapter "google") (eq .Values.cnPersistenceType "spanner") }}
- name: google-sa
secret:
secretName: {{ .Release.Name }}-google-sa
{{- end }}
{{ if eq .Values.configSecretAdapter "vault" }}
- name: vault
secret:
secretName: {{ .Release.Name }}-vault
items:
- key: vault_role_id
path: vault_role_id
- key: vault_secret_id
path: vault_secret_id
{{- end }}
{{- if or (eq .Values.cnPersistenceType "couchbase") (eq .Values.cnPersistenceType "hybrid") }}
{{- if not .Values.istio.enabled }}
- name: cb-crt
secret:
secretName: {{ .Release.Name }}-cb-crt
{{- end }}
{{- end }}
{{- if or (eq .Values.cnPersistenceType "sql") (eq .Values.cnPersistenceType "hybrid") }}
- name: sql-pass
secret:
secretName: {{ .Release.Name }}-sql-pass
{{- end }}
restartPolicy: Never
{{- if not .Values.isFqdnRegistered }}
hostAliases:
- ip: {{ .Values.lbIp }}
hostnames:
- {{ .Values.fqdn }}
{{- end }}
{{- end }}
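Review bot: the CronJob sets `concurrencyPolicy: Forbid`, which is right for a sync that must not overlap itself, but leaves `backoffLimit`, `activeDeadlineSeconds`, `startingDeadlineSeconds` and the job history limits at their defaults. With `restartPolicy: Never` the default `backoffLimit` of 6 means one failing run (Keycloak unreachable, for instance) creates up to seven pods before the job is marked failed, and finished jobs keep their pods until the default history limits (3 successful, 1 failed) prune them. Suggest adding `successfulJobsHistoryLimit` and `failedJobsHistoryLimit` next to `schedule`, and `backoffLimit` plus `activeDeadlineSeconds` under `jobTemplate.spec`, sized so a hung sync cannot outlive the next scheduled run. Since this container mounts the SQL/Couchbase passwords and the Vault role and secret ids, also consider a pod `securityContext` (`runAsNonRoot`, `readOnlyRootFilesystem`) if the other jobs in this file carry one.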
59 changes: 59 additions & 0 deletions charts/janssen-all-in-one/values.yaml
@@ -732,3 +732,62 @@ additionalAnnotations: { }
# - /tmp/custom.sh
# - /tmp/custom2.sh
customScripts: [ ]

# -- Responsible for synchronizing Keycloak SAML clients
kc-scheduler:
# -- Add custom normal and secret envs to the service
usrEnvs:
# -- Add custom normal envs to the service
# variable1: value1
normal: {}
# -- Add custom secret envs to the service
# variable1: value1
secret: {}
# -- Add custom dns policy
dnsPolicy: ""
# -- Add custom dns config
dnsConfig: {}
image:
# -- Image pullPolicy to use for deploying.
pullPolicy: IfNotPresent
# -- Image to use for deploying.
repository: ghcr.io/janssenproject/jans/kc-scheduler
# -- Image tag to use for deploying.
tag: 1.1.2_dev
# -- Image Pull Secrets
pullSecrets: [ ]
# -- Resource specs.
resources:
limits:
# -- CPU limit.
cpu: 300m
# -- Memory limit.
memory: 300Mi
requests:
# -- CPU request.
cpu: 300m
# -- Memory request.
memory: 300Mi
# -- Interval of running the scheduler (in minutes)
interval: 10
# -- Configure any additional volumes that need to be attached to the pod
volumes: []
# -- Configure any additional volumesMounts that need to be attached to the containers
volumeMounts: []
# Actions on lifecycle events such as postStart and preStop
# Example
# lifecycle:
# postStart:
# exec:
# command: ["sh", "-c", "mkdir /opt/jans/jetty/jans-auth/custom/static/stylesheet/"]
lifecycle: {}
# -- Additional labels that will be added across the gateway in the format of {mylabel: "myapp"}
additionalLabels: { }
# -- Additional annotations that will be added across the gateway in the format of {cert-manager.io/issuer: "letsencrypt-prod"}
additionalAnnotations: {}
# -- Add custom scripts that have been mounted to run before the entrypoint.
# - /tmp/custom.sh
# - /tmp/custom2.sh
customScripts: []
# -- Boolean flag to enable/disable the kc-scheduler cronjob chart.
enabled: false
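Review bot: `lifecycle` is the only key in this block whose comment does not start with `# --`, so helm-docs omits it from the README parameter table, and its example `command` creates `/opt/jans/jetty/jans-auth/custom/static/stylesheet/`, a jans-auth path copied from the auth-server section that has no meaning for the scheduler image. Suggest `# -- Actions on lifecycle events such as postStart and preStop` and either an example that applies to this image or no example at all. The `additionalLabels` and `additionalAnnotations` comments likewise still say "across the gateway" although they are applied to the CronJob.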
6 changes: 6 additions & 0 deletions charts/janssen/Chart.yaml
@@ -24,6 +24,8 @@ annotations:
image: ghcr.io/janssenproject/jans/link:1.1.2_dev
- name: saml
image: ghcr.io/janssenproject/jans/saml:1.1.2_dev
- name: kc-scheduler
image: ghcr.io/janssenproject/jans/kc-scheduler:1.1.2_dev
artifacthub.io/license: Apache-2.0
artifacthub.io/prerelease: 'true'
catalog.cattle.io/certified: partner
@@ -95,3 +97,7 @@ dependencies:
- name: cn-istio-ingress
condition: global.istio.ingress
version: 1.1.2-dev

- name: kc-scheduler
condition: global.kc-scheduler.enabled
version: 1.1.2-dev
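Review bot: the dependency `condition` here is `global.kc-scheduler.enabled` alone, whereas the all-in-one chart in this same commit renders the CronJob only when both `kc-scheduler.enabled` and `saml.enabled` are true. Confirm that the `kc-scheduler` subchart applies the same SAML gate in its own templates (they are not part of this view); otherwise enabling the scheduler without SAML installs a job with nothing to synchronize.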