From 1faf40cd81d87cf583f85fb9c01d0567a94aeb33 Mon Sep 17 00:00:00 2001
From: kklinch0
Date: Thu, 10 Jul 2025 20:10:51 +0300
Subject: [PATCH] [oidc] make keycloak deletable
Signed-off-by: kklinch0
---
 packages/apps/tenant/Chart.yaml | 2 +-
 packages/apps/tenant/templates/info.yaml | 2 +-
 .../apps/tenant/templates/keycloakgroups.yaml | 2 +-
 packages/apps/versions_map | 3 +-
 .../core/platform/templates/helmreleases.yaml | 14 +-
 .../keycloak-configure/templates/delete.yaml | 135 ++++++++++++++++++
 6 files changed, 153 insertions(+), 5 deletions(-)
 create mode 100644 packages/system/keycloak-configure/templates/delete.yaml
diff --git a/packages/apps/tenant/Chart.yaml b/packages/apps/tenant/Chart.yaml
index b11ee15c..0839086b 100644
--- a/packages/apps/tenant/Chart.yaml
+++ b/packages/apps/tenant/Chart.yaml
@@ -4,4 +4,4 @@ description: Separated tenant namespace
 icon: /logos/tenant.svg
 type: application
-version: 1.11.0
+version: 1.11.1
diff --git a/packages/apps/tenant/templates/info.yaml b/packages/apps/tenant/templates/info.yaml
index 08e32329..59aa920a 100644
--- a/packages/apps/tenant/templates/info.yaml
+++ b/packages/apps/tenant/templates/info.yaml
@@ -1,6 +1,6 @@
 {{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }}
 {{- $oidcEnabled := index $cozyConfig.data "oidc-enabled" }}
-{{- if $oidcEnabled }}
+{{- if eq $oidcEnabled "true" }}
 apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
diff --git a/packages/apps/tenant/templates/keycloakgroups.yaml b/packages/apps/tenant/templates/keycloakgroups.yaml
index cd759eab..1f4cc957 100644
--- a/packages/apps/tenant/templates/keycloakgroups.yaml
+++ b/packages/apps/tenant/templates/keycloakgroups.yaml
@@ -1,6 +1,6 @@
 {{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }}
 {{- $oidcEnabled := index $cozyConfig.data "oidc-enabled" }}
-{{- if $oidcEnabled }}
+{{- if eq $oidcEnabled "true" }}
 apiVersion: v1.edp.epam.com/v1
 kind: KeycloakRealmGroup
 metadata:
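Review bot: The `eq $oidcEnabled "true"` test added in info.yaml, and the identical one in keycloakgroups.yaml, still sit under an unguarded `index $cozyConfig.data "oidc-enabled"`, so when the `cozystack` ConfigMap is absent or has no `data` the `index` call (as far as I can tell) errors instead of the tenant rendering with OIDC off; the helmreleases.yaml hunk in this same commit guards the same lookup with `default dict`, and these two templates should follow it. Changing the second line of both files to `{{- $oidcEnabled := index (default dict $cozyConfig.data) "oidc-enabled" | default "false" }}` would make the comparison always see a string rather than relying on how the template engine treats `eq` between nil and a string. The resources gated by this condition continue outside the hunk.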
diff --git a/packages/apps/versions_map b/packages/apps/versions_map
index e8f31376..7e106dc6 100644
--- a/packages/apps/versions_map
+++ b/packages/apps/versions_map
@@ -137,7 +137,8 @@ tcp-balancer 0.4.1 62cb694d
 tcp-balancer 0.4.2 4369b031
 tcp-balancer 0.5.0 HEAD
 tenant 1.10.0 4369b031
-tenant 1.11.0 HEAD
+tenant 1.11.0 70f82667
+tenant 1.11.1 HEAD
 virtual-machine 0.1.4 f2015d65
 virtual-machine 0.1.5 263e47be
 virtual-machine 0.2.0 c0685f43
diff --git a/packages/core/platform/templates/helmreleases.yaml b/packages/core/platform/templates/helmreleases.yaml
index 17b373be..269f3750 100644
--- a/packages/core/platform/templates/helmreleases.yaml
+++ b/packages/core/platform/templates/helmreleases.yaml
@@ -4,6 +4,7 @@
 {{- $dependencyNamespaces := dict }}
 {{- $disabledComponents := splitList "," ((index $cozyConfig.data "bundle-disable") | default "") }}
 {{- $enabledComponents := splitList "," ((index $cozyConfig.data "bundle-enable") | default "") }}
+{{- $oidcEnabled := (index (default dict $cozyConfig.data) "oidc-enabled") | default "false" | eq "true" }}
 {{/* collect dependency namespaces from releases */}}
 {{- range $x := $bundle.releases }}
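Review bot: The new `$oidcEnabled` pipeline deserves a comment: read left to right it is not obvious that `| eq "true"` receives the looked-up value as the last argument of `eq`, nor why the check is a string comparison at all (ConfigMap `data` values are strings, so a bare truthiness test would also accept `"false"`). A line above it such as `{{/* ConfigMap data is string-typed; OIDC is on only when oidc-enabled is exactly "true" */}}` would capture that. It is also written differently from the `eq $oidcEnabled "true"` form used in the tenant templates of this commit; one idiom for both would make the gate easier to grep for.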
@@ -14,7 +15,18 @@
 {{- $shouldInstall := true }}
 {{- $shouldDelete := false }}
-{{- if or (has $x.name $disabledComponents) (and ($x.optional) (not (has $x.name $enabledComponents))) }}
+{{- $notEnabledOptionalComponent := and ($x.optional) (not (has $x.name $enabledComponents)) }}
+{{- $disabledComponent := has $x.name $disabledComponents }}
+{{- $isKeycloakComponent := or (eq $x.name "keycloak") (eq $x.name "keycloak-operator") (eq $x.name "keycloak-configure") }}
+
+{{- if and $isKeycloakComponent (not $oidcEnabled) }}
+{{- $shouldInstall = false }}
+{{- if $.Capabilities.APIVersions.Has "helm.toolkit.fluxcd.io/v2" }}
+{{- if lookup "helm.toolkit.fluxcd.io/v2" "HelmRelease" $x.namespace $x.name }}
+{{- $shouldDelete = true }}
+{{- end }}
+{{- end }}
+{{- else if or $disabledComponent $notEnabledOptionalComponent }}
 {{- $shouldInstall = false }}
 {{- if $.Capabilities.APIVersions.Has "helm.toolkit.fluxcd.io/v2" }}
 {{- if lookup "helm.toolkit.fluxcd.io/v2" "HelmRelease" $x.namespace $x.name }}
diff --git a/packages/system/keycloak-configure/templates/delete.yaml b/packages/system/keycloak-configure/templates/delete.yaml
new file mode 100644
index 00000000..99abd6e6
--- /dev/null
+++ b/packages/system/keycloak-configure/templates/delete.yaml
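Review bot: The `if and $isKeycloakComponent (not $oidcEnabled)` branch and the `else if` branch below it have byte-identical bodies (set `$shouldInstall` to false, then mark `$shouldDelete` when a HelmRelease already exists), so the keycloak case adds nothing except a second copy to keep in sync. A single condition, `{{- if or (and $isKeycloakComponent (not $oidcEnabled)) $disabledComponent $notEnabledOptionalComponent }}`, with the duplicate block removed, expresses the same gate. The three keycloak component names are also hard-coded here; if the bundle's release list is the source of truth for them, a comment naming where that list lives (or a per-release flag) would keep them from drifting. The enclosing `range` body and the remaining `end`s are outside the hunk.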
@@ -0,0 +1,135 @@
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ annotations:
+ "helm.sh/hook": pre-delete
+ "helm.sh/hook-weight": "10"
+ "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation,hook-failed
+ name: {{ .Release.Name }}-flux-teardown
+spec:
+ template:
+ spec:
+ serviceAccountName: {{ .Release.Name }}-flux-teardown
+ restartPolicy: Never
+ tolerations:
+ - key: CriticalAddonsOnly
+ operator: Exists
+ - key: node-role.kubernetes.io/control-plane
+ operator: Exists
+ effect: "NoSchedule"
+ containers:
+ - name: kubectl
+ image: docker.io/clastix/kubectl:v1.32
+ command:
+ - /bin/sh
+ - -c
+ - |
+ for resource in KeycloakRealmGroup KeycloakClientScope KeycloakClient; do
+ kubectl get "$resource" -A --no-headers -o custom-columns="NAMESPACE:.metadata.namespace,NAME:.metadata.name" | \
+ while read -r namespace name; do
+ kubectl patch "$resource" "$name" -n "$namespace" --type=merge -p '{"metadata":{"finalizers":[]}}'
+ done
+ done
+
+ for resource in ClusterKeycloakRealm ClusterKeycloak; do
+ kubectl get "$resource" --no-headers -o custom-columns="NAME:.metadata.name" | \
+ while read -r name; do
+ kubectl patch "$resource" "$name" --type=merge -p '{"metadata":{"finalizers":[]}}'
+ done
+ done
+
+ kubectl patch hr keycloak-configure -n cozy-system --type=merge -p '{"metadata":{"finalizers":[]}}'
+
+
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ .Release.Name }}-flux-teardown
+ annotations:
+ helm.sh/hook: pre-delete
+ helm.sh/hook-delete-policy: before-hook-creation,hook-failed
+ helm.sh/hook-weight: "0"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ annotations:
+ "helm.sh/hook": pre-install,post-install,pre-delete
+ "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation,hook-failed
+ "helm.sh/hook-weight": "5"
+ name: {{ .Release.Name }}-flux-teardown
+rules:
+ - apiGroups:
+ - "v1.edp.epam.com"
+ resources:
+ - keycloakrealmgroups
+ - keycloakclientscopes
+ - keycloakclients
+ - clusterkeycloakrealms
+ - clusterkeycloaks
+ - keycloakrealms
+ - keycloakrealmusers
+ - keycloakrealmroles
+ - keycloakrealmidentityproviders
+ - keycloakrealmcomponents
+ - keycloakauthflows
+ - keycloaks
+ verbs:
+ - get
+ - list
+ - delete
+ - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ .Release.Name }}-flux-teardown
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ .Release.Name }}-flux-teardown
+subjects:
+ - kind: ServiceAccount
+ name: {{ .Release.Name }}-flux-teardown
+ namespace: {{ .Release.Namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ annotations:
+ "helm.sh/hook": pre-install,post-install,pre-delete
+ "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation,hook-failed
+ "helm.sh/hook-weight": "5"
+ name: {{ .Release.Name }}-flux-teardown
+rules:
+ - apiGroups:
+ - "helm.toolkit.fluxcd.io"
+ resources:
+ - helmreleases
+ verbs:
+ - get
+ - list
+ - delete
+ - watch
+ - patch
+ resourceNames:
+ - {{ .Release.Name }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ annotations:
+ helm.sh/hook: pre-delete
+ helm.sh/hook-delete-policy: hook-succeeded,before-hook-creation,hook-failed
+ helm.sh/hook-weight: "5"
+ name: {{ .Release.Name }}-flux-teardown
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ .Release.Name }}-flux-teardown
+subjects:
+ - kind: ServiceAccount
+ name: {{ .Release.Name }}-flux-teardown
+ namespace: {{ .Release.Namespace }}
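Review bot: The final `kubectl patch hr keycloak-configure -n cozy-system` in the teardown Job hard-codes the release name and namespace, while the Role that authorises it is scoped to `resourceNames: [{{ .Release.Name }}]` inside `{{ .Release.Namespace }}`; any other release name or namespace would leave the HelmRelease finalizer in place with a permission error, so the command should be `kubectl patch hr {{ .Release.Name }} -n {{ .Release.Namespace }} --type=merge -p '{"metadata":{"finalizers":[]}}'`. The ClusterRole also grants `delete` on twelve Keycloak kinds cluster-wide and the Role grants `delete`/`watch`, although the script only ever issues `get`, `list` and `patch` against five kinds and one HelmRelease; trimming the verbs to what the script uses keeps a service account that can strip finalizers anywhere in the cluster as narrow as possible (the extra kinds may be intended for future cleanup, in which case a comment should say so). The ClusterRoleBinding is the only object here without `helm.sh/hook` annotations, so it is installed as a regular release resource and lingers between hooks pointing at a ServiceAccount and ClusterRole that only exist during `pre-delete`; giving it the same annotations as the RoleBinding would keep the lifecycle consistent. Stripping finalizers also bypasses the operator's own cleanup of realm and client state inside Keycloak, which is presumably acceptable because Keycloak itself is being removed, but a comment at the top of the script should state that intent.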