Horreum realm import for keycloak and improved app init script #21
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Can you squash these commits ? |
barreiro
reviewed
Sep 6, 2023
dustinblack
force-pushed
the
keycloak-init-test
branch
from
1caa8ed
to
d915dc0
Compare
|
I use |
I still have some work to do, and then I will clean things up before opening this PR. |
dustinblack
force-pushed
the
keycloak-init-test
branch
4 times, most recently
from
2a0cb00
to
c2a8bbf
Compare
barreiro
reviewed
Sep 6, 2023
controllers/keycloak.go
Outdated
|
|
||
| return &corev1.ConfigMap{ | ||
| ObjectMeta: metav1.ObjectMeta{ | ||
| Name: cr.Name + "-keycloak-horreum", |
There was a problem hiding this comment.
I find this name non-descriptive / confusing. I suggest cr.Name + "-keycloak-horreum-realm"
dustinblack
force-pushed
the
keycloak-init-test
branch
from
c2a8bbf
to
63d886a
Compare
|
Remember to squash |
dustinblack
force-pushed
the
keycloak-init-test
branch
from
864cdc8
to
1b24657
Compare
remove unnecessary env keycloak init and realm import app init container into a loop import realm file from url rename configmaps and volumes for horreum realms for better clarity add sa, cr, and crb to app spec tweaking and testing rbac
dustinblack
force-pushed
the
keycloak-init-test
branch
from
df6557e
to
b8e5fef
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Changes included
Fixes still needed
To finalize these changes, we still need to correct a problem related to CA certificates with the app. PR #17 from @barreiro includes the basic changes, which are reported to work correctly with vanilla k8s. However, with OpenShift, the
keytoolcommand run in the app startup to add the CA cert fails because there is no write access to the root filesystem.Correcting this involves running the pod, or at least the init container, with a ServiceAccount that has been granted the
anyuidprivileges in its ClusterRole. Since the ClusterRole and the ClusterRole binding are cluster-level resources, they cannot be created by the operator itself, so these need to be included when deploying the operator in order to make the privilege available to the ServiceAccount that can then be assigned to the container.