Added trusted bundles management

api/v1alpha1/keycloak_types.go

@@ -40,8 +40,8 @@ type KeycloakSpec struct {
 	Instances *int32 `json:"instances"`
 
 	// +optional
-	// Truststore configurations
-	Truststore []Truststore `json:"truststore,omitempty"`
+	// Trusted CA bundle from configmap
+	TrustedCABundles *v1.LocalObjectReference `json:"trustedCABundles,omitempty"`
 
 	// +optional
 	// Admin credentials
@@ -62,11 +62,6 @@ type AdminUser struct {
 	Password SecretOption `json:"password,omitempty"`
 }
 
-type Truststore struct {
-	File     SecretOption          `json:"file,omitempty"`
-	Password *v1.SecretKeySelector `json:"password,omitempty"`
-}
-
 type Features struct {
 	Enabled  []string `json:"enabled,omitempty"`
 	Disabled []string `json:"disabled,omitempty"`

catalog/channels.yaml

@@ -2,6 +2,8 @@ schema: olm.channel
 package: rhbk-operator
 name: preview
 entries:
+  - name: rhbk-operator.v0.0.4
+    replaces: rhbk-operator.v0.0.3
   - name: rhbk-operator.v0.0.3
     replaces: rhbk-operator.v0.0.2
   - name: rhbk-operator.v0.0.2

config/crd/bases/sso.stakater.com_keycloaks.yaml

@@ -334,69 +334,22 @@ spec:
                   - url
                   type: object
                 type: array
-              truststore:
-                description: Truststore configurations
-                items:
-                  properties:
-                    file:
-                      properties:
-                        secret:
-                          description: SecretKeySelector selects a key of a Secret.
-                          properties:
-                            key:
-                              description: The key of the secret to select from.  Must
-                                be a valid secret key.
-                              type: string
-                            name:
-                              default: ""
-                              description: |-
-                                Name of the referent.
-                                This field is effectively required, but due to backwards compatibility is
-                                allowed to be empty. Instances of this type with an empty value here are
-                                almost certainly wrong.
-                                TODO: Add other useful fields. apiVersion, kind, uid?
-                                More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                                TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896.
-                              type: string
-                            optional:
-                              description: Specify whether the Secret or its key must
-                                be defined
-                              type: boolean
-                          required:
-                          - key
-                          type: object
-                          x-kubernetes-map-type: atomic
-                        value:
-                          type: string
-                      type: object
-                    password:
-                      description: SecretKeySelector selects a key of a Secret.
-                      properties:
-                        key:
-                          description: The key of the secret to select from.  Must
-                            be a valid secret key.
-                          type: string
-                        name:
-                          default: ""
-                          description: |-
-                            Name of the referent.
-                            This field is effectively required, but due to backwards compatibility is
-                            allowed to be empty. Instances of this type with an empty value here are
-                            almost certainly wrong.
-                            TODO: Add other useful fields. apiVersion, kind, uid?
-                            More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                            TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896.
-                          type: string
-                        optional:
-                          description: Specify whether the Secret or its key must
-                            be defined
-                          type: boolean
-                      required:
-                      - key
-                      type: object
-                      x-kubernetes-map-type: atomic
-                  type: object
-                type: array
+              trustedCABundles:
+                description: Trusted CA bundle from configmap
+                properties:
+                  name:
+                    default: ""
+                    description: |-
+                      Name of the referent.
+                      This field is effectively required, but due to backwards compatibility is
+                      allowed to be empty. Instances of this type with an empty value here are
+                      almost certainly wrong.
+                      TODO: Add other useful fields. apiVersion, kind, uid?
+                      More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                      TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896.
+                    type: string
+                type: object
+                x-kubernetes-map-type: atomic
             required:
             - database
             - instances

config/samples/sso_v1alpha1_keycloak.yaml

@@ -34,9 +34,9 @@ spec:
       secret:
         name: rhbk-pguser-rhbk
         key: password
-#  providers:
-#    - name: keycloak-metrics-spi-6.0.0.jar
-#      url:
-#        secret:
-#          name: custom-spi
-#          key: metrics-spi
+  trustedCABundles:
+    name: openshift-service-ca.crt
+  providers:
+    - name: spi-keycloak-emailnotification-1.0.1.jar
+      url:
+        value: "https://github.com/zene22/keycloak-spi-example/releases/download/V1.0.1/spi-keycloak-emailnotification-1.0.1.jar"

internal/constants/common.go

@@ -0,0 +1,7 @@
+package constants
+
+const (
+	RHBKContainerName        = "rhbk"
+	TrustedCaVolume          = "trusted-ca"
+	TrustedCaVolumeMountPath = "conf/truststores"
+)

internal/controller/keycloak_controller_test.go

@@ -91,7 +91,7 @@ var _ = Describe("Keycloak Controller", func() {
 			Expect(statefulSet.Spec.Template.Spec.InitContainers).To(HaveLen(1))
 			Expect(statefulSet.Spec.Template.Spec.InitContainers[0].Args).To(Equal([]string{
 				"-c",
-				"mkdir -p /opt/keycloak/providers; curl -LJ --show-error --capath /var/run/secrets/kubernetes.io -o /opt/keycloak/providers/keycloak-metrics-spi-6.0.0.jar $(KEYCLOAK_METRICS_SPI_6_0_0_JAR)",
+				"mkdir -p /opt/keycloak/providers; curl -LJ --show-error --capath conf/truststores -o /opt/keycloak/providers/keycloak-metrics-spi-6.0.0.jar $(KEYCLOAK_METRICS_SPI_6_0_0_JAR)",
 			}))
 		})
 

internal/resources/providers_import_init_container.go

@@ -2,6 +2,7 @@ package resources
 
 import (
 	"fmt"
+	"github.com/stakater/rhbk-operator/internal/constants"
 	"regexp"
 	"strings"
 	"unicode"
@@ -18,7 +19,7 @@ func GetInitContainer(cr *v1alpha1.Keycloak) []v1.Container {
 		return nil
 	}
 
-	runArg := fmt.Sprintf("mkdir -p %s; curl -LJ --show-error --capath /var/run/secrets/kubernetes.io", ProvidersPATH)
+	runArg := fmt.Sprintf("mkdir -p %s; curl -LJ --show-error --capath %s", ProvidersPATH, constants.TrustedCaVolumeMountPath)
 	downloadContainer := v1.Container{
 		Name:  "fetch",
 		Image: BusyboxImage,
@@ -34,6 +35,10 @@ func GetInitContainer(cr *v1alpha1.Keycloak) []v1.Container {
 				Name:      "providers",
 				MountPath: ProvidersPATH,
 			},
+			{
+				Name:      constants.TrustedCaVolume,
+				MountPath: constants.TrustedCaVolumeMountPath,
+			},
 		},
 	}