[stable/keycloak] Update to 4.5.0.Final (helm#8192)

* The Docker image has added support for DNS_PING which is now used
  instead of JDBC_PING
* The StatefulSet is updated to `apps/v1`

Signed-off-by: Reinhard Nägele <unguiculus@gmail.com>

stable/keycloak/Chart.yaml

@@ -1,6 +1,6 @@
 name: keycloak
-version: 3.4.2
-appVersion: 4.2.1.Final
+version: 4.0.0
+appVersion: 4.5.0.Final
 description: Open Source Identity and Access Management For Modern Applications and Services
 keywords:
   - sso

stable/keycloak/README.md

@@ -41,11 +41,12 @@ The following table lists the configurable parameters of the Keycloak chart and
 Parameter | Description | Default
 --- | --- | ---
 `init.image.repository` | Init image repository | `alpine`
-`init.image.tag` | Init image tag | `3.7`
+`init.image.tag` | Init image tag | `3.8`
 `init.image.pullPolicy` | Init image pull policy | `IfNotPresent`
+`clusterDomain` | The internal Kubernetes cluster domain | `cluster.local`
 `keycloak.replicas` | The number of Keycloak replicas | `1`
 `keycloak.image.repository` | The Keycloak image repository | `jboss/keycloak`
-`keycloak.image.tag` | The Keycloak image tag | `4.2.1.Final`
+`keycloak.image.tag` | The Keycloak image tag | `4.5.0.Final`
 `keycloak.image.pullPolicy` | The Keycloak image pull policy | `IfNotPresent`
 `keycloak.image.pullSecrets` | Image pull secrets | `[]`
 `keycloak.basepath` | Path keycloak is hosted at | `auth`
@@ -72,7 +73,7 @@ Parameter | Description | Default
 `keycloak.cli.nodeIdentifier` | WildFly CLI script for setting the node identifier | See `values.yaml`
 `keycloak.cli.logging` | WildFly CLI script for logging configuration | See `values.yaml`
 `keycloak.cli.reverseProxy` | WildFly CLI script for reverse proxy configuration | See `values.yaml`
-`keycloak.cli.discovery` | WildFly CLI script for cluster discovery | See `values.yaml`
+`keycloak.cli.ha` | Settings for HA setups | See `values.yaml`
 `keycloak.cli.custom` | Additional custom WildFly CLI script | `""`
 `keycloak.service.annotations` | Annotations for the Keycloak service | `{}`
 `keycloak.service.labels` | Additional labels for the Keycloak service | `{}`
@@ -166,7 +167,7 @@ See also:
 
 ```yaml
 keycloak:
-  extraEnv:
+  extraEnv: |
     - name: KEYCLOAK_LOGLEVEL
       value: DEBUG
     - name: WILDFLY_LOGLEVEL
@@ -294,7 +295,7 @@ Everything is in `values.yaml` and can be overridden. Additional CLI commands ma
 
 For high availability, Keycloak should be run with multiple replicas (`keycloak.replicas > 1`).
 WildFly uses Infinispan for caching. These caches can be replicated across all instances forming a cluster.
-If `keycloak.replicas > 1`, the WildFly CLI script `keycloak.cli.discovery` adds JGroups' [JDBC_PING](http://www.jgroups.org/javadoc/org/jgroups/protocols/JDBC_PING.html) for cluster discovery and Keycloak is started with `--server-config standalone-ha.xml`.
+If `keycloak.replicas > 1`, JGroups' DNS_PING is configured for cluster discovery and Keycloak is started with `--server-config standalone-ha.xml`.
 
 ## Why StatefulSet?
 
@@ -304,3 +305,4 @@ This can be problematic because pod names are quite long.
 We would have to truncate the chart's fullname to six characters because pods get a 17-character suffix (e. g. `-697f8b7655-mf5ht`).
 Using a StatefulSet allows us to truncate to 20 characters leaving room for up to 99 replicas, which is much better.
 Additionally, we get stable values for `jboss.node.name` which can be advantageous for cluster discovery.
+The headless service that governs the StatefulSet is used for DNS discovery.

stable/keycloak/templates/configmap.yaml

@@ -21,11 +21,12 @@ data:
 {{ . | indent 4 }}
   {{- end }}
 
-    exec /opt/jboss/docker-entrypoint.sh -b 0.0.0.0 {{ .Values.keycloak.extraArgs }}{{- if $highAvailability }} --server-config standalone-ha.xml{{ end }}
+    exec /opt/jboss/tools/docker-entrypoint.sh -b 0.0.0.0 {{ .Values.keycloak.extraArgs }}{{- if $highAvailability }} -c standalone-ha.xml{{ end }}
     exit "$?"
 
   keycloak.cli: |
     embed-server {{- if $highAvailability }} --server-config=standalone-ha.xml{{ end }} --std-out=echo
+    batch
 
 {{- if ne .Values.keycloak.basepath "auth" }}
     # Changes the base path to be /keycloak.basepath instead of /auth
@@ -44,11 +45,7 @@ data:
 {{ .reverseProxy | indent 4 }}
 
 {{- if $highAvailability }}
-{{ .discovery | indent 4 }}
-{{- end }}
-
-{{- if and $highAvailability (eq $.Values.keycloak.persistence.dbVendor "postgres") }}
-{{ .postgresql | indent 4 }}
+{{ .ha | indent 4 }}
 {{- end }}
 
 {{- with .custom }}
@@ -57,4 +54,5 @@ data:
 
 {{- end }}
 
+    run-batch
     stop-embedded-server

stable/keycloak/templates/statefulset.yaml

@@ -1,15 +1,20 @@
-apiVersion: apps/v1beta1
+{{- $highAvailability := gt (int .Values.keycloak.replicas) 1 -}}
+apiVersion: apps/v1
 kind: StatefulSet
 metadata:
   name: {{ template "keycloak.fullname" . }}
   annotations:
-    checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
+    checksum/config: {{ include (print .Template.BasePath "/configmap.yaml") . | sha256sum }}
   labels:
     app: {{ template "keycloak.name" . }}
     chart: {{ template "keycloak.chart" . }}
     release: "{{ .Release.Name }}"
     heritage: "{{ .Release.Service }}"
 spec:
+  selector:
+    matchLabels:
+      app: {{ template "keycloak.name" . }}
+      release: "{{ .Release.Name }}"
   replicas: {{ .Values.keycloak.replicas }}
   serviceName: {{ template "keycloak.fullname" . }}-headless
   podManagementPolicy: Parallel
@@ -67,6 +72,12 @@ spec:
                   name: {{ template "keycloak.fullname" . }}-http
                   key: password
           {{- end }}
+          {{- if $highAvailability }}
+            - name: JGROUPS_DISCOVERY_PROTOCOL
+              value: "dns.DNS_PING"
+            - name: JGROUPS_DISCOVERY_PROPERTIES
+              value: "dns_query={{ template "keycloak.fullname" . }}-headless.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}"
+          {{- end }}
 {{ include "keycloak.dbEnvVars" . | indent 12 }}
 {{- with .Values.keycloak.extraEnv }}
 {{ tpl . $ | indent 12 }}

stable/keycloak/templates/test/test-pod.yaml

@@ -1,7 +1,7 @@
 apiVersion: v1
 kind: Pod
 metadata:
-  name: {{ template "keycloak.fullname" . }}-test
+  name: "{{ template "keycloak.fullname" . }}-test-{{ randAlphaNum 5 | lower }}"
   labels:
     app: {{ template "keycloak.name" . }}
     chart: {{ template "keycloak.chart" . }}

stable/keycloak/values.yaml

@@ -1,15 +1,17 @@
 init:
   image:
     repository: alpine
-    tag: 3.7
+    tag: 3.8
     pullPolicy: IfNotPresent
 
+clusterDomain: cluster.local
+
 keycloak:
   replicas: 1
 
   image:
     repository: jboss/keycloak
-    tag: 4.2.1.Final
+    tag: 4.5.0.Final
     pullPolicy: IfNotPresent
 
     ## Optionally specify an array of imagePullSecrets.
@@ -125,43 +127,12 @@ keycloak:
       /subsystem=undertow/server=default-server/http-listener=default:write-attribute(name=redirect-socket, value=proxy-https)
       /subsystem=undertow/server=default-server/http-listener=default:write-attribute(name=proxy-address-forwarding, value=true)
 
-    discovery: |
+    ha: |
       /subsystem=infinispan/cache-container=keycloak/distributed-cache=sessions:write-attribute(name=owners, value=${env.CACHE_OWNERS:2})
       /subsystem=infinispan/cache-container=keycloak/distributed-cache=authenticationSessions:write-attribute(name=owners, value=${env.CACHE_OWNERS:2})
       /subsystem=infinispan/cache-container=keycloak/distributed-cache=offlineSessions:write-attribute(name=owners, value=${env.CACHE_OWNERS:2})
       /subsystem=infinispan/cache-container=keycloak/distributed-cache=loginFailures:write-attribute(name=owners, value=${env.CACHE_OWNERS:2})
 
-      /subsystem=jgroups/stack=tcp:remove()
-      /subsystem=jgroups/stack=tcp:add()
-      /subsystem=jgroups/stack=tcp/transport=TCP:add(socket-binding="jgroups-tcp")
-      /subsystem=jgroups/stack=tcp/protocol=JDBC_PING:add()
-      /subsystem=jgroups/stack=tcp/protocol=JDBC_PING/property=datasource_jndi_name:add(value=java:jboss/datasources/KeycloakDS)
-      /subsystem=jgroups/stack=tcp/protocol=JDBC_PING/property=clear_table_on_view_change:add(value=true)
-      /subsystem=jgroups/stack=tcp/protocol=JDBC_PING/property=break_on_coord_rsp:add(value=true)
-
-      /subsystem=jgroups/stack=tcp/protocol=MERGE3:add()
-      /subsystem=jgroups/stack=tcp/protocol=FD_SOCK:add(socket-binding="jgroups-tcp-fd")
-      /subsystem=jgroups/stack=tcp/protocol=FD:add()
-      /subsystem=jgroups/stack=tcp/protocol=VERIFY_SUSPECT:add()
-      /subsystem=jgroups/stack=tcp/protocol=pbcast.NAKACK2:add()
-      /subsystem=jgroups/stack=tcp/protocol=UNICAST3:add()
-      /subsystem=jgroups/stack=tcp/protocol=pbcast.STABLE:add()
-      /subsystem=jgroups/stack=tcp/protocol=pbcast.GMS:add()
-      /subsystem=jgroups/stack=tcp/protocol=pbcast.GMS/property=max_join_attempts:add(value=5)
-      /subsystem=jgroups/stack=tcp/protocol=MFC:add()
-      /subsystem=jgroups/stack=tcp/protocol=FRAG2:add()
-
-      /subsystem=jgroups/channel=ee:write-attribute(name=stack, value=tcp)
-      /subsystem=jgroups/stack=udp:remove()
-      /socket-binding-group=standard-sockets/socket-binding=jgroups-mping:remove()
-      /interface=private:write-attribute(name=nic, value=eth0)
-      /interface=private:undefine-attribute(name=inet-address)
-
-    postgresql: |
-      # Statements must be adapted for PostgreSQL. Additionally, we add a 'creation_timestamp' column.
-      /subsystem=jgroups/stack=tcp/protocol=JDBC_PING/property=initialize_sql:add(value="CREATE TABLE IF NOT EXISTS JGROUPSPING (own_addr varchar(200) NOT NULL, creation_timestamp timestamp NOT NULL, cluster_name varchar(200) NOT NULL, ping_data bytea, constraint PK_JGROUPSPING PRIMARY KEY (own_addr, cluster_name))")
-      /subsystem=jgroups/stack=tcp/protocol=JDBC_PING/property=insert_single_sql:add(value="INSERT INTO JGROUPSPING (own_addr, creation_timestamp, cluster_name, ping_data) values (?, NOW(), ?, ?)")
-
     # Custom CLI script
     custom: ""