feat: Externalize ZTVP charts: rhbk

Signed-off-by: Min Zhang <minzhang@redhat.com>

Author: minmzzhang

.github/linters/.checkov.yaml

@@ -5,8 +5,15 @@ directory:
 skip-path:
   - tests
 skip-check:
-  - CKV_K8S_49 # Minimize wildcard use in Roles and ClusterRoles
-  - CKV_K8S_155 # Minimize ClusterRoles that grant control over validating or mutating admission webhook configurations
-  - CKV_K8S_156 # Minimize ClusterRoles that grant permissions to approve CertificateSigningRequests
-  - CKV_K8S_157 # Minimize Roles and ClusterRoles that grant permissions to bind RoleBindings or ClusterRoleBindings
-  - CKV_K8S_158 # Minimize Roles and ClusterRoles that grant permissions to escalate Roles or ClusterRoles
+  # CKV_K8S_49: Minimize wildcard use in Roles and ClusterRoles
+  - CKV_K8S_49
+  # CKV_K8S_155: ClusterRoles for admission webhook configurations
+  - CKV_K8S_155
+  # CKV_K8S_156: ClusterRoles to approve CertificateSigningRequests
+  - CKV_K8S_156
+  # CKV_K8S_157: Roles/ClusterRoles to bind RoleBindings or ClusterRoleBindings
+  - CKV_K8S_157
+  # CKV_K8S_158: Roles/ClusterRoles to escalate Roles or ClusterRoles
+  - CKV_K8S_158
+  # CKV_SECRET_6: Placeholders and External Secrets refs only; no real base64 secrets in repo
+  - CKV_SECRET_6

.github/workflows/superlinter.yml

@@ -14,3 +14,6 @@ jobs:
     with:
       sl_env: |
         VALIDATE_BIOME_FORMAT=false
+        # Exclude Helm templates ({{ }} not valid YAML for yamllint/kubeconform)
+        FILTER_REGEX_EXCLUDE=.*/templates/.*
+        VALIDATE_GITHUB_ACTIONS_ZIZMOR=false

.trivyignore

@@ -0,0 +1,16 @@
+# AVD-KSV-0011: PostgreSQL StatefulSet; resources.limits.cpu from values
+AVD-KSV-0011
+# AVD-KSV-0014: PostgreSQL StatefulSet; readOnlyRootFilesystem not set (DB needs writable data dir)
+AVD-KSV-0014
+# AVD-KSV-0015: PostgreSQL StatefulSet; resources.requests.cpu from values
+AVD-KSV-0015
+# AVD-KSV-0016: PostgreSQL StatefulSet; resources.requests.memory from values
+AVD-KSV-0016
+# AVD-KSV-0018: PostgreSQL StatefulSet; resources.limits.memory from values
+AVD-KSV-0018
+# AVD-KSV-0020: PostgreSQL StatefulSet; runAsUser from values or OpenShift namespace default
+AVD-KSV-0020
+# AVD-KSV-0021: PostgreSQL StatefulSet; runAsGroup from values or OpenShift namespace default
+AVD-KSV-0021
+# AVD-KSV-0125: PostgreSQL image from chart/default registry; trusted in deployment
+AVD-KSV-0125

.yamllint

@@ -0,0 +1,11 @@
+extends: default
+ignore:
+  - templates/
+  - "**/templates/**"
+rules:
+  document-start: disable
+  line-length:
+    max: 120
+  brackets:
+    min-spaces-inside: 0
+    max-spaces-inside: 1

Chart.yaml

@@ -1,6 +1,11 @@
 apiVersion: v2
-description: A Helm chart to serve as the Validated Patterns Template
+description: Deploys RHBK
 keywords:
   - pattern
-name: vp-template
-version: 0.0.1
+name: rh-keycloak
+type: application
+version: 0.0.2
+home: https://github.com/validatedpatterns/rhbk-chart
+maintainers:
+  - name: Validated Patterns Team
+    email: validatedpatterns@googlegroups.com

Makefile

@@ -36,8 +36,10 @@ test: helm-lint helm-unittest ## Runs helm lint and unit tests
 .PHONY: super-linter
 super-linter: ## Runs super linter locally
 	rm -rf .mypy_cache
-	podman run -e RUN_LOCAL=true -e USE_FIND_ALGORITHM=true	\
-					-e VALIDATE_BIOME_FORMAT=false \
-					-v $(PWD):/tmp/lint:rw,z \
-					-w /tmp/lint \
-					ghcr.io/super-linter/super-linter:slim-v8
+	podman run -e RUN_LOCAL=true -e USE_FIND_ALGORITHM=true \
+		-e VALIDATE_BIOME_FORMAT=false \
+		-e "FILTER_REGEX_EXCLUDE=.*/templates/.*" \
+		-e VALIDATE_GITHUB_ACTIONS_ZIZMOR=false \
+		-v $(PWD):/tmp/lint:rw,z \
+		-w /tmp/lint \
+		ghcr.io/super-linter/super-linter:slim-v8

templates/.keep

@@ -0,0 +1,22 @@
+{{/*
+Generate the name of the Service.
+*/}}
+{{- define "keycloak.service.name" -}}
+{{- if eq .Values.keycloak.tls.serviceServing true }}
+{{- printf "%s-service-serving" .Values.keycloak.name }}
+{{- else }}
+{{- printf "%s-service" .Values.keycloak.name }}
+{{- end }}
+{{- end }}
+
+{{/*
+Generate the hostname for the Ingress.
+*/}}
+
+{{- define "keycloak.ingress.hostname" -}}
+{{- if or (not .Values.keycloak.ingress.hostname) (eq .Values.keycloak.ingress.hostname "") }}
+{{- printf "%s.%s" .Values.keycloak.name .Values.global.localClusterDomain }}
+{{- else }}
+{{- print .Values.keycloak.ingress.hostname }}
+{{- end }}
+{{- end }}

templates/_helpers.tpl

@@ -0,0 +1,24 @@
+{{- if eq .Values.keycloak.adminUser.enabled true }}
+apiVersion: "external-secrets.io/v1beta1"
+kind: ExternalSecret
+metadata:
+  name: keycloak-admin-user
+  namespace: {{ .Release.Namespace }}
+spec:
+  refreshInterval: 15s
+  secretStoreRef:
+    name: {{ .Values.global.secretStore.name }}
+    kind: {{ .Values.global.secretStore.kind }}
+  target:
+    name: {{ .Values.keycloak.adminUser.secretName }}
+    template:
+      type: Opaque
+      data:
+        username: "{{ .Values.keycloak.adminUser.username }}"
+        password: "{{ `{{ .admin_password }}` }}"
+  data:
+  - secretKey: admin_password
+    remoteRef:
+      key: {{ .Values.keycloak.adminUser.passwordVaultKey }}
+      property: admin-password
+{{- end }}

templates/keycloak-admin-user-external-secret.yaml

@@ -0,0 +1,29 @@
+{{- if eq .Values.keycloak.ingress.enabled true }}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  annotations:
+    route.openshift.io/termination: {{ .Values.keycloak.ingress.termination }}
+    route.openshift.io/destination-ca-certificate-secret: {{ .Values.keycloak.tls.secret | quote }}
+  labels:
+    app: {{ .Values.keycloak.name }}
+    app.kubernetes.io/instance: {{ .Values.keycloak.name }}
+  name: {{ .Values.keycloak.name }}-ingress
+  namespace: {{ .Release.Namespace }}
+spec:
+  defaultBackend:
+    service:
+      name: {{ include "keycloak.service.name" . }}
+      port:
+        number: 8443
+  rules:
+  - host: {{ include "keycloak.ingress.hostname" . }}
+    http:
+      paths:
+      - backend:
+          service:
+            name: {{ include "keycloak.service.name" . }}
+            port:
+              number: 8443
+        pathType: ImplementationSpecific
+{{- end }}