-
Notifications
You must be signed in to change notification settings - Fork 126
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add identity and keycloak to charts #251
Conversation
Add values related to secrets and documentation
Make a basic copy from operate and adjust names and references. Delete configmap since it doesn't seem to be necessary.
based on given values (and default values) keycloak secret will be deployed
Copy most of the values from operate and adjust them
Introduce the identity as sub chart into ccsm-helm
Add env vars, need to be values later
commons bitnami subchart brings several helper functions/templates which are quite useful.
Adjust identity deployment to reuse keycloak secrets and resolve secret names and service names etc.
The default LoadBalancer is not support on all cloud providers, which causes to not schedule the service
keycloak trim there service name to 20 chars, since wildfly only allows 23 (lol).
Identity depends on keycloak, and keycloak takes a while to start.
Don't worry about the size 😅 mostly because of golden files and tests. The core part is ~300 lines. I kept the commits separated, to show my journey, but I can also rearrange and merge some together if this helps you on reviewing. Like merge CI and Test commits. Let me know if you need that :) |
Integration tests seem to take longer than 10 minutes and go has a default limit of 10 minutes. We increase it to 1 hour. https://terratest.gruntwork.io/docs/testing-best-practices/timeouts-and-logging/
identity has no official image tag yet, this causes integration tests to fail. In order to run the test we set the snapshot tag on identity in values file.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
👍
I may not be the right person to review this, to be honest. I tried it out, it works, but I can't really say much about the identity configuration itself 😄
- 🔧 The message I get when installing tells me I installed Tasklist, Operate, Zeebe, Elastic, but nothing about Identity and Keycloak or Postgres (even if it did install them). Would be nice to update the result message.
- ❓ When running, Operate and Tasklist kept crashing and restarting 🤷♂️ Not sure what to make of this. Identity works though 👍
- ❓ Why is keycloak a dependency of identity but not a dependency of the main chart (i.e.
ccsm-helm/Chart.yaml
)? What's the difference in putting it in one or the other? - 🤡 I would've liked to see instead that people bring their own Keycloak, since there's no "official" chart for it and we're now coupled to the bitnami one, but imo that's more of a product decision. Bitnami is probably reliable anyway.
- ❓ Can we get rid of these warnings? e.g.
Dependency zeebe did not declare a repository. Assuming it exists in the charts directory
. It's one for each chart.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good to me, just some missing replacements of operate
with identity
Thanks for your review @npepinpe Regarding your comments:
This makes sense, I missed that.
Hm never had this issue. For me identity crashloops, because of keycloaks unavailability.
I did this for a reason. First, Identity has the dependency to keycloak and not the others and secondly, otherwise the identity chart wouldn't have access to keycloak properties/values which makes the setup here much easier.
Sorry, I might missed to point this out in the slack channel, I will do that next week. I think, I discussed that with @menski and we wanted to keep this simple for now and the decision was made to not bring an own keycloak. This would also make the setup harder, meaning the default configuration for identity and this would contradict a bit in my opinion our expected use case that the user directly want to set up ccsm and use it in prod (without too much configuration). I think what we can do is to add a condition for keycloak, to be able to disable it. But I wouldn't do that per default. We decided for bitnami because we assume this to be stable / maintained enough.
Be aware that you see this only, because you directly installed the chart from the filesystem. This will not happen if the chart is packaged. |
Co-authored-by: Sebastian Menski <sebastian@menski.org>
fd362c5
to
b40befc
Compare
Hey @menski thanks for your review!
Yeah sorry, somehow missed that. I have applied your suggestions, are you willing to accept the PR ? :) |
I now added identity to the install (release) notes. Default enabled:
Identity disabled:
\cc @npepinpe |
Bitnami Common is part of keycloak, so it doesn't need to be imported directly. Remove condition, identity is anyway not part of the installation if disabled
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Some comments and questions from my side
dependencies: | ||
- name: keycloak | ||
repository: "https://charts.bitnami.com/bitnami" | ||
version: 7.1.6 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
version: 7.1.6 | |
version: 7.1.6 | |
name: {{ include "common.secrets.name" (dict "existingSecret" .Values.keycloak.auth.existingSecret "context" $) }} | ||
key: admin-password | ||
{{- else }} | ||
valueFrom: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is it correct that there are two valueFrom:
used here?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes this is depending on the .Values.keycloak.auth.existingSecret
only one branch is taken here :)
Co-authored-by: dlavrenuek <20122620+dlavrenuek@users.noreply.github.com>
Thanks to all reviewers 🙇 👍 |
Breakthrough:
Manually tested via:
helm repo add bitnami https://charts.bitnami.com/bitnami helm dependency update charts/ccsm-helm/charts/identity/ helm install zell-helm-test charts/ccsm-helm/ --set zeebe.enabled=false --set operate.enabled=false --set tasklist.enabled=false --set elasticsearch.enabled=false --set identity.image.tag=SNAPSHOT k port-forward svc/zell-helm-test-identity 8080:80 k port-forward svc/zell-helm-test-keycl 18080:80 # without that we were not able to see the identity login page?
Added multiple new template tests. Integration tests verifies that pods become ready at least, more to come.
related #127