feat: add rh-keycloak wrapper chart with short-lived ExternalSecret lifecycle #137
minmzzhang wants to merge 1 commit into
Conversation
mlorenzofr
left a comment
We need to rebase after merge #135
- Add `extraValueFiles...` to `values-hub.yaml`
- Add `rhbk:` to the beginning of `overrides/values-keycloak-network-policy.yaml` and fix the indentation
Apart from that, everything else has worked correctly
64360bb to 2d728b4
rebased the latest main and force pushed.

Depends on validatedpatterns/rhbk-chart#15
mlorenzofr
left a comment
Tested and everything is fine
Once we have the merged validatedpatterns/rhbk-chart#15, we could also merge this PR
LGTM
@minmzzhang I have a feeling that this update will break applied Keycloak network policies: #135

Never mind, I see that you covered already compatibility. Great job!
p-rog
left a comment
LGTM, only address the merge conflicts.
00553bc to 163be93
a72a14d to a01c90c
…ifecycle

Add a wrapper chart (charts/rh-keycloak) that consumes the rhbk chart as a dependency and configures keycloakUsers ExternalSecret with a short-lived ArgoCD hook lifecycle:
- ExternalSecret annotated as a Sync hook, deleted by HookSucceeded
- creationPolicy: Orphan + deletionPolicy: Retain ensures the Secret survives ExternalSecret deletion
- A simplified PostSync Job deletes the keycloak-users Secret by name after Keycloak realm import consumes it (security hygiene)
- Conditional NetworkPolicy for the cleanup Job when default-deny is enabled

Switch values-hub.yaml from the remote rhbk chart to the local rh-keycloak wrapper chart path.

Requires rhbk-chart >= 0.0.12 (lifecycle management for ExternalSecrets).

Signed-off-by: Min Zhang <minzhang@redhat.com>
a01c90c to af62d3e
sabre1041
left a comment
LGTM. Works like a charm!
Summary
- Add a wrapper chart (`charts/rh-keycloak`) that consumes the `rhbk` chart as a dependency and configures the `keycloakUsers` ExternalSecret with a short-lived ArgoCD hook lifecycle
- Switch `values-hub.yaml` from the remote `rhbk` chart to the local `rh-keycloak` wrapper chart path
- Delete the `keycloak-users` Secret after realm import for security hygiene

How it works
The `keycloakUsers` ExternalSecret is annotated as an ArgoCD Sync hook with `HookSucceeded` delete policy and ESO resource policies:
1. ESO creates the `keycloak-users` Secret (`creationPolicy: Orphan`)
2. ArgoCD deletes the ExternalSecret once the hook succeeds (`HookSucceeded` + `PrunePropagationPolicy=orphan`)
3. The Secret is retained (`deletionPolicy: Retain`) — ESO can no longer overwrite it
4. A PostSync Job deletes the `keycloak-users` Secret (no longer needed, contains initial passwords)

A conditional NetworkPolicy for the cleanup Job is included for environments with default-deny policies.

Dependencies
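The lifecycle described in "How it works", written out as plain manifests. This is an added illustration, not the templates from the rh-keycloak or rhbk charts: the namespace, the ClusterSecretStore name, the remote key path, the container image and the RBAC objects are assumptions, while the ArgoCD hook annotations and the ESO `creationPolicy`/`deletionPolicy` fields are the real ones. The RBAC is scoped with `resourceNames` so the cleanup Job can only read and delete the one Secret it is meant to remove.

```yaml
# Added example, not the PR's own chart templates.
# Step 1-3: ExternalSecret runs as a Sync hook; ESO creates the Secret
# without an owner reference (Orphan) and leaves it in place when the
# ExternalSecret is deleted (Retain), so ArgoCD can prune the hook safely.
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: keycloak-users
  namespace: keycloak                      # assumed namespace
  annotations:
    argocd.argoproj.io/hook: Sync
    argocd.argoproj.io/hook-delete-policy: HookSucceeded
    argocd.argoproj.io/sync-options: PrunePropagationPolicy=orphan
spec:
  secretStoreRef:
    name: vault-backend                    # assumed ClusterSecretStore name
    kind: ClusterSecretStore
  target:
    name: keycloak-users
    creationPolicy: Orphan                 # Secret is not owned by the ExternalSecret
    deletionPolicy: Retain                 # Secret survives ExternalSecret deletion
  data:
    - secretKey: admin-password
      remoteRef:
        key: secret/data/keycloak/users    # assumed path in the backing store
        property: admin-password
---
# Step 4: least-privilege identity for the cleanup Job. "get" is needed
# because kubectl resolves the object before issuing the DELETE.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: keycloak-users-cleanup
  namespace: keycloak
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: keycloak-users-cleanup
  namespace: keycloak
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["keycloak-users"]      # only this Secret, not all Secrets
    verbs: ["get", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: keycloak-users-cleanup
  namespace: keycloak
subjects:
  - kind: ServiceAccount
    name: keycloak-users-cleanup
    namespace: keycloak
roleRef:
  kind: Role
  name: keycloak-users-cleanup
  apiGroup: rbac.authorization.k8s.io
---
# Step 4: PostSync Job removes the Secret once the realm import has consumed it.
apiVersion: batch/v1
kind: Job
metadata:
  name: keycloak-users-cleanup
  namespace: keycloak
  annotations:
    argocd.argoproj.io/hook: PostSync
    argocd.argoproj.io/hook-delete-policy: HookSucceeded
spec:
  backoffLimit: 3
  template:
    spec:
      serviceAccountName: keycloak-users-cleanup
      restartPolicy: Never
      containers:
        - name: cleanup
          image: registry.redhat.io/openshift4/ose-cli:latest   # assumed image
          command:
            - /bin/sh
            - -c
            - kubectl delete secret keycloak-users -n keycloak --ignore-not-found
```

Because both hooks carry `hook-delete-policy: HookSucceeded`, ArgoCD recreates the ExternalSecret (and so the Secret) on every sync and the Job removes it again afterwards; the realm import therefore has to tolerate being re-run with freshly fetched credentials, and the window in which the initial passwords exist in the cluster is bounded by the Sync-to-PostSync gap. In a default-deny namespace the Job also needs egress to the API server, which is what the conditional NetworkPolicy in the PR provides.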