[oidc] make keycloak deletable

Signed-off-by: kklinch0 <kklinch0@gmail.com>

packages/apps/tenant/Chart.yaml

@@ -4,4 +4,4 @@ description: Separated tenant namespace
 icon: /logos/tenant.svg
 
 type: application
-version: 1.11.0
+version: 1.11.1

packages/apps/tenant/templates/info.yaml

@@ -1,6 +1,6 @@
 {{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }}
 {{- $oidcEnabled := index $cozyConfig.data "oidc-enabled" }}
-{{- if $oidcEnabled }}
+{{- if eq $oidcEnabled "true" }}
 apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:

packages/apps/tenant/templates/keycloakgroups.yaml

@@ -1,6 +1,6 @@
 {{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }}
 {{- $oidcEnabled := index $cozyConfig.data "oidc-enabled" }}
-{{- if $oidcEnabled }}
+{{- if eq $oidcEnabled "true" }}
 apiVersion: v1.edp.epam.com/v1
 kind: KeycloakRealmGroup
 metadata:

packages/apps/versions_map

@@ -137,7 +137,8 @@ tcp-balancer 0.4.1 62cb694d
 tcp-balancer 0.4.2 4369b031
 tcp-balancer 0.5.0 HEAD
 tenant 1.10.0 4369b031
-tenant 1.11.0 HEAD
+tenant 1.11.0 70f82667
+tenant 1.11.1 HEAD
 virtual-machine 0.1.4 f2015d65
 virtual-machine 0.1.5 263e47be
 virtual-machine 0.2.0 c0685f43

packages/core/platform/templates/helmreleases.yaml

@@ -4,6 +4,7 @@
 {{- $dependencyNamespaces := dict }}
 {{- $disabledComponents := splitList "," ((index $cozyConfig.data "bundle-disable") | default "") }}
 {{- $enabledComponents := splitList "," ((index $cozyConfig.data "bundle-enable") | default "") }}
+{{- $oidcEnabled := (index (default dict $cozyConfig.data) "oidc-enabled") | default "false" | eq "true" }}
 
 {{/* collect dependency namespaces from releases */}}
 {{- range $x := $bundle.releases }}
@@ -14,7 +15,18 @@
 
 {{- $shouldInstall := true }}
 {{- $shouldDelete := false }}
-{{- if or (has $x.name $disabledComponents) (and ($x.optional) (not (has $x.name $enabledComponents))) }}
+{{- $notEnabledOptionalComponent := and ($x.optional) (not (has $x.name $enabledComponents)) }}
+{{- $disabledComponent := has $x.name $disabledComponents }}
+{{- $isKeycloakComponent := or (eq $x.name "keycloak") (eq $x.name "keycloak-operator") (eq $x.name "keycloak-configure") }}
+
+{{- if and $isKeycloakComponent (not $oidcEnabled) }}
+{{-   $shouldInstall = false }}
+{{-   if $.Capabilities.APIVersions.Has "helm.toolkit.fluxcd.io/v2" }}
+{{-     if lookup "helm.toolkit.fluxcd.io/v2" "HelmRelease" $x.namespace $x.name }}
+{{-       $shouldDelete = true }}
+{{-     end }}
+{{-   end }}
+{{- else if or $disabledComponent $notEnabledOptionalComponent }}
 {{-   $shouldInstall = false }}
 {{-   if $.Capabilities.APIVersions.Has "helm.toolkit.fluxcd.io/v2" }}
 {{-     if lookup "helm.toolkit.fluxcd.io/v2" "HelmRelease" $x.namespace $x.name }}

packages/system/keycloak-configure/templates/delete.yaml

@@ -0,0 +1,135 @@
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  annotations:
+    "helm.sh/hook": pre-delete
+    "helm.sh/hook-weight": "10"
+    "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation,hook-failed
+  name: {{ .Release.Name }}-flux-teardown
+spec:
+  template:
+    spec:
+      serviceAccountName: {{ .Release.Name }}-flux-teardown
+      restartPolicy: Never
+      tolerations:
+        - key: CriticalAddonsOnly
+          operator: Exists
+        - key: node-role.kubernetes.io/control-plane
+          operator: Exists
+          effect: "NoSchedule"
+      containers:
+        - name: kubectl
+          image: docker.io/clastix/kubectl:v1.32
+          command:
+            - /bin/sh
+            - -c
+            - |
+                for resource in KeycloakRealmGroup KeycloakClientScope KeycloakClient; do
+                  kubectl get "$resource" -A --no-headers -o custom-columns="NAMESPACE:.metadata.namespace,NAME:.metadata.name" | \
+                  while read -r namespace name; do
+                    kubectl patch "$resource" "$name" -n "$namespace" --type=merge -p '{"metadata":{"finalizers":[]}}'
+                  done
+                done
+
+                for resource in ClusterKeycloakRealm ClusterKeycloak; do
+                  kubectl get "$resource" --no-headers -o custom-columns="NAME:.metadata.name" | \
+                  while read -r name; do
+                    kubectl patch "$resource" "$name" --type=merge -p '{"metadata":{"finalizers":[]}}'
+                  done
+                done
+
+                kubectl patch hr keycloak-configure -n cozy-system --type=merge -p '{"metadata":{"finalizers":[]}}'
+
+
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ .Release.Name }}-flux-teardown
+  annotations:
+    helm.sh/hook: pre-delete
+    helm.sh/hook-delete-policy: before-hook-creation,hook-failed
+    helm.sh/hook-weight: "0"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  annotations:
+    "helm.sh/hook": pre-install,post-install,pre-delete
+    "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation,hook-failed
+    "helm.sh/hook-weight": "5"
+  name: {{ .Release.Name }}-flux-teardown
+rules:
+  - apiGroups:
+      - "v1.edp.epam.com"
+    resources:
+      - keycloakrealmgroups
+      - keycloakclientscopes
+      - keycloakclients
+      - clusterkeycloakrealms
+      - clusterkeycloaks
+      - keycloakrealms
+      - keycloakrealmusers
+      - keycloakrealmroles
+      - keycloakrealmidentityproviders
+      - keycloakrealmcomponents
+      - keycloakauthflows
+      - keycloaks
+    verbs:
+      - get
+      - list
+      - delete
+      - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ .Release.Name }}-flux-teardown
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ .Release.Name }}-flux-teardown
+subjects:
+  - kind: ServiceAccount
+    name: {{ .Release.Name }}-flux-teardown
+    namespace: {{ .Release.Namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  annotations:
+    "helm.sh/hook": pre-install,post-install,pre-delete
+    "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation,hook-failed
+    "helm.sh/hook-weight": "5"
+  name: {{ .Release.Name }}-flux-teardown
+rules:
+  - apiGroups:
+      - "helm.toolkit.fluxcd.io"
+    resources:
+      - helmreleases
+    verbs:
+      - get
+      - list
+      - delete
+      - watch
+      - patch
+    resourceNames:
+      - {{ .Release.Name }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  annotations:
+    helm.sh/hook: pre-delete
+    helm.sh/hook-delete-policy: hook-succeeded,before-hook-creation,hook-failed
+    helm.sh/hook-weight: "5"
+  name: {{ .Release.Name }}-flux-teardown
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ .Release.Name }}-flux-teardown
+subjects:
+  - kind: ServiceAccount
+    name: {{ .Release.Name }}-flux-teardown
+    namespace: {{ .Release.Namespace }}