Merged
@@ -8,6 +8,11 @@ metadata:
"apiVersion": "operator.ibm.com/v3",
"kind": "CommonService",
"metadata": {
"labels": {
"app.kubernetes.io/instance": "ibm-common-service-operator",
"app.kubernetes.io/managed-by": "ibm-common-service-operator",
"app.kubernetes.io/name": "ibm-common-service-operator"
},
"name": "example-commonservice"
},
"spec": {
@@ -17,7 +22,7 @@ metadata:
]
capabilities: Seamless Upgrades
containerImage: icr.io/cpopen/common-service-operator:latest
createdAt: "2024-01-04T22:59:50Z"
createdAt: "2024-01-10T21:50:05Z"
description: The IBM Cloud Pak foundational services operator is used to deploy IBM foundational services.
nss.operator.ibm.com/managed-operators: ibm-common-service-operator
nss.operator.ibm.com/managed-webhooks: ""
@@ -45,9 +50,9 @@ spec:
kind: CommonService
name: commonservices.operator.ibm.com
specDescriptors:
- displayName: License
- description: License information for this instance. You must accept the license.
displayName: License
path: license
description: License information for this instance. You must accept the license.
- description: Read and accept the license that is applicable to your installation. For more information, see https://ibm.biz/icpfs39license
displayName: Accept
path: license.accept
@@ -71,78 +76,76 @@ spec:
displayName: Size
path: size
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:select:starterset
- urn:alm:descriptor:com.tectonic.ui:select:starter
- urn:alm:descriptor:com.tectonic.ui:select:small
- urn:alm:descriptor:com.tectonic.ui:select:medium
- urn:alm:descriptor:com.tectonic.ui:select:large
- urn:alm:descriptor:com.tectonic.ui:select:production
- urn:alm:descriptor:com.tectonic.ui:select:starterset
- urn:alm:descriptor:com.tectonic.ui:select:starter
- urn:alm:descriptor:com.tectonic.ui:select:small
- urn:alm:descriptor:com.tectonic.ui:select:medium
- urn:alm:descriptor:com.tectonic.ui:select:large
- urn:alm:descriptor:com.tectonic.ui:select:production
- displayName: Operator namespace
path: operatorNamespace
x-descriptors:
- urn:alm:descriptor:io.kubernetes:Namespace
- urn:alm:descriptor:io.kubernetes:Namespace
- displayName: Services namespace
path: servicesNamespace
x-descriptors:
- urn:alm:descriptor:io.kubernetes:Namespace
# ----------- Advanced Section -----------
- urn:alm:descriptor:io.kubernetes:Namespace
- displayName: Storage class
path: storageClass
x-descriptors:
- urn:alm:descriptor:io.kubernetes:StorageClass
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:io.kubernetes:StorageClass
- urn:alm:descriptor:com.tectonic.ui:advanced
- displayName: FIPS mode
path: fipsEnabled
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:booleanSwitch
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:booleanSwitch
- urn:alm:descriptor:com.tectonic.ui:advanced
- description: The profile controller for IBM Cloud Pak foundational services
displayName: ProfileController
path: profileController
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:select:default
- urn:alm:descriptor:com.tectonic.ui:select:commonservice
- urn:alm:descriptor:com.tectonic.ui:select:turbonomic
- urn:alm:descriptor:com.tectonic.ui:select:vpa
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:select:default
- urn:alm:descriptor:com.tectonic.ui:select:commonservice
- urn:alm:descriptor:com.tectonic.ui:select:turbonomic
- urn:alm:descriptor:com.tectonic.ui:select:vpa
- urn:alm:descriptor:com.tectonic.ui:advanced
- displayName: Identity management custom hostname
path: routeHost
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:advanced
- displayName: Identity management custom certificates
path: BYOCACertificate
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:booleanSwitch
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:booleanSwitch
- urn:alm:descriptor:com.tectonic.ui:advanced
- displayName: Identity management default admin username
path: defaultAdminUser
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:advanced
- displayName: Custom OLM catalog name
path: catalogName
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:com.tectonic.ui:advanced
- displayName: Custom OLM catalog namespace
path: catalogNamespace
x-descriptors:
- urn:alm:descriptor:io.kubernetes:Namespace
- urn:alm:descriptor:com.tectonic.ui:advanced
- urn:alm:descriptor:io.kubernetes:Namespace
- urn:alm:descriptor:com.tectonic.ui:advanced
- displayName: OLM Install Plan approval mode
path: installPlanApproval
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:select:Automatic
- urn:alm:descriptor:com.tectonic.ui:select:Manual
- urn:alm:descriptor:com.tectonic.ui:advanced
# ----------- Hidden Section -----------
- urn:alm:descriptor:com.tectonic.ui:select:Automatic
- urn:alm:descriptor:com.tectonic.ui:select:Manual
- urn:alm:descriptor:com.tectonic.ui:advanced
- path: manualManagement
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:hidden
- urn:alm:descriptor:com.tectonic.ui:hidden
- path: features
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:hidden
- urn:alm:descriptor:com.tectonic.ui:hidden
- path: services
x-descriptors:
- urn:alm:descriptor:com.tectonic.ui:hidden
- urn:alm:descriptor:com.tectonic.ui:hidden
statusDescriptors:
- description: Installed Bedrock Operator Name
displayName: Name
9 changes: 9 additions & 0 deletions config/rbac/role.yaml
@@ -13,11 +13,20 @@ rules:
- configmaps
resourceNames:
- common-service-maps
- verbs:
- delete
apiGroups:
- ""
resources:
- configmaps
resourceNames:
- cloud-native-postgresql-image-list
- verbs:
- create
- get
- list
- watch
- update
apiGroups:
- ''
resources:
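Review bot: The new `delete` rule for `cloud-native-postgresql-image-list` carries no comment saying why the operator needs to remove that ConfigMap, which makes the grant hard to judge in a later RBAC audit. A line above the rule such as `# operator deletes the cloud-native-postgresql-image-list ConfigMap (reason: <why it is removed>)` would record the intent. The grant itself is limited by `resourceNames` to that single object, which keeps it narrow. As a style point, the added rule writes the core API group as `""` while the rule directly below it uses `''`; one form should be used throughout the file. The rules list starts and ends outside the visible lines, so it cannot be confirmed from here whether this is a Role or a ClusterRole.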
74 changes: 57 additions & 17 deletions controllers/constant/odlm.go
@@ -459,22 +459,6 @@ spec:
force: true
kind: OperandBindInfo
name: keycloak-bindinfo
- apiVersion: cert-manager.io/v1
kind: Certificate
force: true
name: cs-keycloak-tls-cert
data:
spec:
commonName: cs-keycloak-service
dnsNames:
- cs-keycloak-service
- cs-keycloak-service.{{ .ServicesNs }}
- cs-keycloak-service.{{ .ServicesNs }}.svc
- cs-keycloak-service.{{ .ServicesNs }}.svc.cluster.local
issuerRef:
kind: Issuer
name: cs-ca-issuer
secretName: cs-keycloak-tls-secret
- apiVersion: v1
kind: ConfigMap
name: cs-keycloak-entrypoint
@@ -508,6 +492,62 @@ spec:
done
echo "Truststore file built, starting Keycloak ..."
"/opt/keycloak/bin/kc.sh" "$@" --spi-truststore-file-file=${TRUSTSTORE_DIR}/keycloak-truststore.jks --spi-truststore-file-password=changeit --spi-truststore-file-hostname-verification-policy=WILDCARD
- apiVersion: v1
data:
metadata:
annotations:
service.beta.openshift.io/serving-cert-secret-name: cpfs-opcon-cs-keycloak-tls-secret
labels:
app: keycloak
app.kubernetes.io/instance: cs-keycloak
app.kubernetes.io/managed-by: keycloak-operator
operator.ibm.com/opreq-control: 'true'
name: cpfs-opcon-cs-keycloak-service
namespace: {{ .ServicesNs }}
spec:
internalTrafficPolicy: Cluster
ipFamilies:
- IPv4
ipFamilyPolicy: SingleStack
ports:
- name: https
port: 8443
protocol: TCP
targetPort: 8443
selector:
app: keycloak
app.kubernetes.io/instance: cs-keycloak
app.kubernetes.io/managed-by: keycloak-operator
sessionAffinity: None
type: ClusterIP
force: true
kind: Service
name: cpfs-opcon-cs-keycloak-service
- apiVersion: v1
data:
stringData:
ca.crt:
templatingValueFrom:
configMapKeyRef:
key: service-ca.crt
name: openshift-service-ca.crt
required: true
tls.crt:
templatingValueFrom:
required: true
secretKeyRef:
key: tls.crt
name: cpfs-opcon-cs-keycloak-tls-secret
tls.key:
templatingValueFrom:
required: true
secretKeyRef:
key: tls.key
name: cpfs-opcon-cs-keycloak-tls-secret
type: kubernetes.io/tls
force: true
kind: Secret
name: cs-keycloak-tls-secret
- apiVersion: route.openshift.io/v1
data:
spec:
@@ -543,7 +583,7 @@ spec:
termination: reencrypt
to:
kind: Service
name: cs-keycloak-service
name: cpfs-opcon-cs-keycloak-service
wildcardPolicy: None
force: true
kind: Route
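Review bot: The rebuilt `cs-keycloak-tls-secret` now copies an OpenShift service-serving certificate, which is issued only for `cpfs-opcon-cs-keycloak-service.<namespace>.svc` and `.svc.cluster.local`, while the removed Certificate listed the four `cs-keycloak-service` names. Any client that still connects through `cs-keycloak-service` and verifies the hostname would presumably be rejected, so confirm that every caller moved to the new Service the way the Route's `to.name` did. The Secret also places a second copy of `tls.key` in the namespace; a comment on it such as `# mirrors cpfs-opcon-cs-keycloak-tls-secret; must be re-rendered when service-ca rotates the serving cert` would record that dependency. In the new Service, `ipFamilies: [IPv4]` with `ipFamilyPolicy: SingleStack` look like defaulted fields copied from a live object and may be better omitted so the cluster default applies. The enclosing template starts and ends outside the visible hunks.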