17 changes: 17 additions & 0 deletions charts/rh-keycloak/Chart.yaml
@@ -0,0 +1,17 @@
apiVersion: v2
name: rh-keycloak
description: ZTVP Keycloak deployment — wraps the rhbk chart and adds PostSync cleanup for one-shot ExternalSecrets
type: application
version: 0.1.0
dependencies:
- name: rhbk
version: ">=0.0.10"
repository: "oci://quay.io/validatedpatterns"
maintainers:
- name: Zero Trust Validated Patterns Team
email: ztvp-arch-group@redhat.com
keywords:
- keycloak
- rhbk
- zero-trust
- pattern
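Review bot: The rhbk dependency constraint `version: ">=0.0.10"` has no upper bound, so every `helm dependency update` resolves to whatever the newest chart in the OCI repository is at that moment unless a Chart.lock is committed next to this file. For a chart that stands up the identity provider, a reproducible pin is preferable: tighten the range (a tilde range such as `version: "~0.0.10"`, or an exact version) or commit the generated Chart.lock and note in a comment that the lock is the pin. I can't see from this page whether a Chart.lock is part of the change.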
79 changes: 79 additions & 0 deletions charts/rh-keycloak/templates/cleanup-externalsecrets.yaml
@@ -0,0 +1,79 @@
{{- if .Values.cleanup.enabled }}
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: cleanup-ephemeral-secrets
namespace: {{ .Release.Namespace }}
annotations:
argocd.argoproj.io/hook: PostSync
argocd.argoproj.io/hook-delete-policy: BeforeHookCreation
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: cleanup-ephemeral-secrets
namespace: {{ .Release.Namespace }}
annotations:
argocd.argoproj.io/hook: PostSync
argocd.argoproj.io/hook-delete-policy: BeforeHookCreation
rules:
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "list", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: cleanup-ephemeral-secrets
namespace: {{ .Release.Namespace }}
annotations:
argocd.argoproj.io/hook: PostSync
argocd.argoproj.io/hook-delete-policy: BeforeHookCreation
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: cleanup-ephemeral-secrets
subjects:
- kind: ServiceAccount
name: cleanup-ephemeral-secrets
namespace: {{ .Release.Namespace }}
---
apiVersion: batch/v1
kind: Job
metadata:
name: cleanup-ephemeral-secrets
namespace: {{ .Release.Namespace }}
annotations:
argocd.argoproj.io/hook: PostSync
argocd.argoproj.io/hook-delete-policy: BeforeHookCreation
spec:
backoffLimit: 2
activeDeadlineSeconds: {{ .Values.cleanup.activeDeadlineSeconds }}
template:
metadata:
labels:
app: cleanup-ephemeral-secrets
spec:
serviceAccountName: cleanup-ephemeral-secrets
restartPolicy: Never
containers:
- name: cleanup
image: {{ .Values.cleanup.image }}
command:
- /bin/bash
- -ce
- |
LABEL="{{ .Values.cleanup.label }}"
NS="{{ .Release.Namespace }}"

SEC_COUNT=$(oc get secret -l "${LABEL}=delete" -n "${NS}" --no-headers 2>/dev/null | wc -l)
if [ "${SEC_COUNT}" -eq 0 ]; then
echo "No ephemeral Secrets to clean up."
else
echo "Deleting ${SEC_COUNT} ephemeral Secret(s)..."
oc delete secret -l "${LABEL}=delete" -n "${NS}" --ignore-not-found
fi

echo "Cleanup complete."
{{- end }}
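Review bot: The count on `SEC_COUNT=$(oc get secret ... 2>/dev/null | wc -l)` hides failures: bash runs with `-e` but not `pipefail`, so a failed `oc get` (RBAC denial, API unreachable, egress blocked) still exits 0 through `wc`, its stderr is discarded, the count is 0, and the Job prints "No ephemeral Secrets to clean up." and succeeds while the Secrets it was meant to remove stay in the namespace. Adding `set -o pipefail` as the first line of the script and dropping the `2>/dev/null` turns that into a Job failure that backoffLimit retries and ArgoCD surfaces. On the Role, `verbs: ["get", "list", "delete"]` is broader than the script uses — both selector forms go through list rather than get as far as I know, so `get` looks droppable (verify against the client before removing it), and since `list` on secrets returns their contents this ServiceAccount can read every Secret in the namespace regardless of label, which is worth a comment on the Role since RBAC cannot scope by label. `LABEL="{{ .Values.cleanup.label }}"` splices a chart value into shell source; `LABEL={{ .Values.cleanup.label | squote }}` keeps a value containing `"` or `$(` from being interpreted by bash.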
31 changes: 31 additions & 0 deletions charts/rh-keycloak/templates/cleanup-network-policy.yaml
@@ -0,0 +1,31 @@
{{- if and .Values.cleanup.enabled (eq (.Values.rhbk.defaultDenyNetworkPolicy.enabled | toString) "true") }}
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: cleanup-ephemeral-secrets-network-policy
namespace: {{ .Release.Namespace }}
annotations:
argocd.argoproj.io/hook: PostSync
argocd.argoproj.io/hook-delete-policy: BeforeHookCreation
spec:
podSelector:
matchLabels:
app: cleanup-ephemeral-secrets
policyTypes:
- Egress
egress:
# DNS resolution via CoreDNS
- ports:
- protocol: UDP
port: 5353
- protocol: TCP
port: 5353
to:
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: openshift-dns
# Kubernetes API server — oc get/delete secret
- ports:
- protocol: TCP
port: 6443
{{- end }}
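Review bot: The guard `eq (.Values.rhbk.defaultDenyNetworkPolicy.enabled | toString) "true"` reads a key that this chart's values.yaml does not declare, so whether the allow policy renders depends entirely on a value supplied elsewhere; if it resolves to nil the policy is silently skipped while the cleanup Job still runs, and if a default-deny policy is in force the Job's egress to DNS and the API is blocked until activeDeadlineSeconds kills it. Whether the subchart's own default for that key is visible under `.Values.rhbk` here depends on how Helm coalesces dependency values — worth confirming with `helm template` rather than assuming. Declaring `rhbk.defaultDenyNetworkPolicy.enabled` explicitly in values.yaml, or rendering this policy whenever `cleanup.enabled` is true (an allow rule is inert without a deny), removes the ambiguity. The API rule `- ports: - protocol: TCP port: 6443` has no `to` selector, so it permits TCP/6443 to any destination; that is a common pattern for the API server, but the comment above it should say the omission is deliberate.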
15 changes: 15 additions & 0 deletions charts/rh-keycloak/values.yaml
@@ -0,0 +1,15 @@
# PostSync cleanup for ephemeral Secrets.
# When enabled, a PostSync Job deletes Secrets labeled for cleanup
# (e.g. keycloak-users) after the realm import completes.
# The ExternalSecret itself is removed by ArgoCD's HookSucceeded policy.
cleanup:
enabled: true
image: registry.redhat.io/openshift4/ose-cli-rhel9:latest
label: "validatedpatterns.io/cleanup"
activeDeadlineSeconds: 120

# Values passed through to the rhbk subchart.
rhbk:
externalSecrets:
oneShot: true
secretCleanupLabel: "validatedpatterns.io/cleanup"
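Review bot: `image: registry.redhat.io/openshift4/ose-cli-rhel9:latest` is a mutable tag for a Job whose ServiceAccount may list and delete Secrets; pinning to a digest (`image: registry.redhat.io/openshift4/ose-cli-rhel9@sha256:<digest>`) or at least a specific version tag keeps the cleanup image from changing underneath the chart between syncs. The same label string appears twice, as `cleanup.label` and `rhbk.externalSecrets.secretCleanupLabel`, and the Job only finds what the subchart labels if they match, so a comment stating that coupling — or deriving one from the other in the template — would prevent drift. `rhbk.defaultDenyNetworkPolicy.enabled`, which cleanup-network-policy.yaml reads, is not declared here and probably should be, with a comment on what it gates.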