feat: Externalize ZTVP charts: rhbk

Signed-off-by: Min Zhang <minzhang@redhat.com>

Author: minmzzhang

.github/linters/.checkov.yaml

@@ -5,8 +5,35 @@ directory:
 skip-path:
   - tests
 skip-check:
-  - CKV_K8S_49 # Minimize wildcard use in Roles and ClusterRoles
-  - CKV_K8S_155 # Minimize ClusterRoles that grant control over validating or mutating admission webhook configurations
-  - CKV_K8S_156 # Minimize ClusterRoles that grant permissions to approve CertificateSigningRequests
-  - CKV_K8S_157 # Minimize Roles and ClusterRoles that grant permissions to bind RoleBindings or ClusterRoleBindings
-  - CKV_K8S_158 # Minimize Roles and ClusterRoles that grant permissions to escalate Roles or ClusterRoles
+  # CKV_K8S_49: Minimize wildcard use in Roles and ClusterRoles
+  - CKV_K8S_49
+  # CKV_K8S_155: ClusterRoles for admission webhook configurations
+  - CKV_K8S_155
+  # CKV_K8S_156: ClusterRoles to approve CertificateSigningRequests
+  - CKV_K8S_156
+  # CKV_K8S_157: Roles/ClusterRoles to bind RoleBindings or ClusterRoleBindings
+  - CKV_K8S_157
+  # CKV_K8S_158: Roles/ClusterRoles to escalate Roles or ClusterRoles
+  - CKV_K8S_158
+  # CKV_SECRET_6: Placeholders and External Secrets refs only; no real base64 secrets in repo
+  - CKV_SECRET_6
+  # CKV_K8S_21: Chart uses .Release.Namespace / values; not deployed to default in practice
+  - CKV_K8S_21
+  # CKV_K8S_10: PostgreSQL StatefulSet; CPU requests from values
+  - CKV_K8S_10
+  # CKV_K8S_11: PostgreSQL StatefulSet; CPU limits from values
+  - CKV_K8S_11
+  # CKV_K8S_12: PostgreSQL StatefulSet; memory requests from values
+  - CKV_K8S_12
+  # CKV_K8S_13: PostgreSQL StatefulSet; memory limits from values
+  - CKV_K8S_13
+  # CKV_K8S_35: PostgreSQL uses secretKeyRef for DB credentials; env vars required for this workload
+  - CKV_K8S_35
+  # CKV_K8S_22: PostgreSQL needs writable data dir; readOnlyRootFilesystem not applicable
+  - CKV_K8S_22
+  # CKV_K8S_38: StatefulSet may need SA token for workload
+  - CKV_K8S_38
+  # CKV_K8S_40: PostgreSQL runs as high UID from values or OpenShift namespace default
+  - CKV_K8S_40
+  # CKV2_K8S_6: NetworkPolicy can be applied at deployment; chart does not define one
+  - CKV2_K8S_6

.github/workflows/superlinter.yml

@@ -14,3 +14,6 @@ jobs:
     with:
       sl_env: |
         VALIDATE_BIOME_FORMAT=false
+        # Exclude Helm templates ({{ }} not valid YAML for yamllint/kubeconform)
+        FILTER_REGEX_EXCLUDE=.*/templates/.*
+        VALIDATE_GITHUB_ACTIONS_ZIZMOR=false

.trivyignore

@@ -0,0 +1,16 @@
+# AVD-KSV-0011: PostgreSQL StatefulSet; resources.limits.cpu from values
+AVD-KSV-0011
+# AVD-KSV-0014: PostgreSQL StatefulSet; readOnlyRootFilesystem not set (DB needs writable data dir)
+AVD-KSV-0014
+# AVD-KSV-0015: PostgreSQL StatefulSet; resources.requests.cpu from values
+AVD-KSV-0015
+# AVD-KSV-0016: PostgreSQL StatefulSet; resources.requests.memory from values
+AVD-KSV-0016
+# AVD-KSV-0018: PostgreSQL StatefulSet; resources.limits.memory from values
+AVD-KSV-0018
+# AVD-KSV-0020: PostgreSQL StatefulSet; runAsUser from values or OpenShift namespace default
+AVD-KSV-0020
+# AVD-KSV-0021: PostgreSQL StatefulSet; runAsGroup from values or OpenShift namespace default
+AVD-KSV-0021
+# AVD-KSV-0125: PostgreSQL image from chart/default registry; trusted in deployment
+AVD-KSV-0125

.yamllint

@@ -0,0 +1,11 @@
+extends: default
+ignore:
+  - templates/
+  - "**/templates/**"
+rules:
+  document-start: disable
+  line-length:
+    max: 120
+  brackets:
+    min-spaces-inside: 0
+    max-spaces-inside: 1

Chart.yaml

@@ -1,6 +1,11 @@
 apiVersion: v2
-description: A Helm chart to serve as the Validated Patterns Template
+description: Deploys RHBK
 keywords:
   - pattern
-name: vp-template
-version: 0.0.1
+name: rh-keycloak
+type: application
+version: 0.0.2
+home: https://github.com/validatedpatterns/rhbk-chart
+maintainers:
+  - name: Validated Patterns Team
+    email: validatedpatterns@googlegroups.com

Makefile

@@ -36,8 +36,10 @@ test: helm-lint helm-unittest ## Runs helm lint and unit tests
 .PHONY: super-linter
 super-linter: ## Runs super linter locally
 	rm -rf .mypy_cache
-	podman run -e RUN_LOCAL=true -e USE_FIND_ALGORITHM=true	\
-					-e VALIDATE_BIOME_FORMAT=false \
-					-v $(PWD):/tmp/lint:rw,z \
-					-w /tmp/lint \
-					ghcr.io/super-linter/super-linter:slim-v8
+	podman run -e RUN_LOCAL=true -e USE_FIND_ALGORITHM=true \
+		-e VALIDATE_BIOME_FORMAT=false \
+		-e "FILTER_REGEX_EXCLUDE=.*/templates/.*" \
+		-e VALIDATE_GITHUB_ACTIONS_ZIZMOR=false \
+		-v $(PWD):/tmp/lint:rw,z \
+		-w /tmp/lint \
+		ghcr.io/super-linter/super-linter:slim-v8

README.md

@@ -1,9 +1,13 @@
 {{ template "chart.header" . }}
 {{ template "chart.deprecationWarning" . }}
 
+<!-- markdownlint-disable MD013 -->
 {{ template "chart.badgesSection" . }}
+<!-- markdownlint-enable MD013 -->
 
+<!-- markdownlint-disable MD013 -->
 {{ template "chart.description" . }}
+<!-- markdownlint-enable MD013 -->
 
 This chart is used to serve as the template for Validated Patterns Charts
 
@@ -17,6 +21,8 @@ This chart is used to serve as the template for Validated Patterns Charts
 
 {{ template "chart.requirementsSection" . }}
 
+<!-- markdownlint-disable MD013 MD034 MD060 -->
 {{ template "chart.valuesSection" . }}
+<!-- markdownlint-enable MD013 MD034 MD060 -->
 
 {{ template "helm-docs.versionFooter" . }}

README.md.gotmpl

@@ -0,0 +1,22 @@
+{{/*
+Generate the name of the Service.
+*/}}
+{{- define "keycloak.service.name" -}}
+{{- if eq .Values.keycloak.tls.serviceServing true }}
+{{- printf "%s-service-serving" .Values.keycloak.name }}
+{{- else }}
+{{- printf "%s-service" .Values.keycloak.name }}
+{{- end }}
+{{- end }}
+
+{{/*
+Generate the hostname for the Ingress.
+*/}}
+
+{{- define "keycloak.ingress.hostname" -}}
+{{- if or (not .Values.keycloak.ingress.hostname) (eq .Values.keycloak.ingress.hostname "") }}
+{{- printf "%s.%s" .Values.keycloak.name .Values.global.localClusterDomain }}
+{{- else }}
+{{- print .Values.keycloak.ingress.hostname }}
+{{- end }}
+{{- end }}