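--- a/Chart.yaml
+++ b/Chart.yaml
@@ -4,7 +4,7 @@ keywords:
 - pattern
 name: rhbk
 type: application
-version: 0.0.10
+version: 0.0.11
 home: https://github.com/validatedpatterns/rhbk-chart
 maintainers:
 - name: Validated Patterns Team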
787 changes: 394 additions & 393 deletions README.md


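--- a/templates/_helpers.tpl
+++ b/templates/_helpers.tpl
@@ -19,4 +19,20 @@ Generate the hostname for the Ingress.
 {{- else }}
 {{- print .Values.keycloak.ingress.hostname }}
 {{- end }}
 {{- end }}
+
+{{/*
+Generate the lifecycle for the ExternalSecrets resource.
+*/}}
+{{- define "keycloak.externalSecrets.lifecycle" -}}
+creationPolicy: {{ .creationPolicy }}
+deletionPolicy: {{ .deletionPolicy }}
+{{/* refreshPolicy: {{ .refreshPolicy }} */}}
+{{- end }}
+
+{{/*
+Generate the refresh interval for the ExternalSecrets resource.
+*/}}
+{{- define "keycloak.externalSecrets.refreshInterval" -}}
+{{ printf "%s" (.refreshInterval | default .globalRefreshInterval) }}
+{{- end }}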
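Review bot: `keycloak.externalSecrets.lifecycle` emits `.creationPolicy` and `.deletionPolicy` verbatim, so a values override that drops either key renders an empty `creationPolicy:` / `deletionPolicy:` and hands the Secret's lifecycle to whatever the External Secrets Operator defaults to, rather than the `Owner` / `Retain` the chart's values.yaml suggests. Prefer failing the render over silently degrading: `creationPolicy: {{ required "externalSecrets.<name>.creationPolicy must be set" .creationPolicy }}` and the same for `deletionPolicy`. The `{{/* refreshPolicy: ... */}}` line is a template comment, so the `#refreshPolicy: Periodic` hints in values.yaml have no effect today; either wire it up or drop the hint so operators do not assume it is honoured. `keycloak.externalSecrets.refreshInterval` has the same soft failure: when both the per-secret value and `global.refreshInterval` are empty it renders an empty `refreshInterval:` instead of erroring.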
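--- a/templates/acs-oidc-client-secret-external-secret.yaml
+++ b/templates/acs-oidc-client-secret-external-secret.yaml
@@ -5,14 +5,22 @@ kind: ExternalSecret
 metadata:
 name: acs-oidc-client-secret
 namespace: {{ .Release.Namespace }}
+{{- if .Values.externalSecrets.acs.metadata }}
+{{- toYaml .Values.externalSecrets.acs.metadata | nindent 2 }}
+{{- end }}
 spec:
-refreshInterval: 15s
+refreshInterval: {{ template "keycloak.externalSecrets.refreshInterval" (dict "refreshInterval" .Values.externalSecrets.acs.refreshInterval "globalRefreshInterval" .Values.global.refreshInterval) }}
 secretStoreRef:
 name: {{ .Values.global.secretStore.name }}
 kind: {{ .Values.global.secretStore.kind }}
 target:
 name: acs-oidc-client-secret
+{{- include "keycloak.externalSecrets.lifecycle" .Values.externalSecrets.acs | nindent 4 }}
 template:
+{{- if .Values.externalSecrets.acs.targetMetadata }}
+metadata:
+{{- toYaml .Values.externalSecrets.acs.targetMetadata | nindent 8 }}
+{{- end }}
 type: Opaque
 data:
 client-secret: "{{ `{{ .client_secret }}` }}"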
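Review bot: The new blocks read `.Values.externalSecrets.acs.metadata` and `.Values.externalSecrets.acs.targetMetadata`, but the values.yaml in this PR ships `annotations: {}` and `labels: {}` under `acs` and never defines those two keys, so the documented knobs are ignored and the keys the template honours are undocumented. Pick one shape; if the values.yaml one is intended, render `annotations:` and `labels:` explicitly instead of splicing a free-form map with `toYaml`, which would also let an override inject arbitrary `metadata` fields (a second `name:` or `namespace:` key, for instance) into both the ExternalSecret and its target Secret. The same pattern is repeated in the other ExternalSecret templates in this change, so whichever fix is chosen should be applied to all of them.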
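--- a/templates/keycloak-admin-user-external-secret.yaml
+++ b/templates/keycloak-admin-user-external-secret.yaml
@@ -4,14 +4,22 @@ kind: ExternalSecret
 metadata:
 name: keycloak-admin-user
 namespace: {{ .Release.Namespace }}
+{{- if .Values.externalSecrets.adminUser.metadata }}
+{{- toYaml .Values.externalSecrets.adminUser.metadata | nindent 2 }}
+{{- end }}
 spec:
-refreshInterval: 15s
+refreshInterval: {{ template "keycloak.externalSecrets.refreshInterval" (dict "refreshInterval" .Values.externalSecrets.adminUser.refreshInterval "globalRefreshInterval" .Values.global.refreshInterval) }}
 secretStoreRef:
 name: {{ .Values.global.secretStore.name }}
 kind: {{ .Values.global.secretStore.kind }}
 target:
 name: {{ .Values.keycloak.adminUser.secretName }}
+{{- include "keycloak.externalSecrets.lifecycle" .Values.externalSecrets.adminUser | nindent 4 }}
 template:
+{{- if .Values.externalSecrets.adminUser.targetMetadata }}
+metadata:
+{{- toYaml .Values.externalSecrets.adminUser.targetMetadata | nindent 8 }}
+{{- end }}
 type: Opaque
 data:
 username: "{{ .Values.keycloak.adminUser.username }}"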
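Review bot: Replacing the hard-coded `refreshInterval: 15s` with the helper, together with the shipped `global.refreshInterval: 1h`, means a rotated admin password in the secret store now takes up to an hour to reach `{{ .Values.keycloak.adminUser.secretName }}` instead of about 15 seconds. That may be an intentional trade-off against provider load, but nothing visible in this change says so, and the per-secret override in values.yaml is shipped commented out (`#refreshInterval: 1h`). Add a note where the default is defined, e.g. `# 1h widens the window between rotating a credential upstream and it landing in-cluster; lower per-secret for the admin password if it is rotated often`, so operators of this identity-critical secret make the choice consciously.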
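--- a/templates/keycloak-users-external-secret.yaml
+++ b/templates/keycloak-users-external-secret.yaml
@@ -4,29 +4,21 @@ kind: ExternalSecret
 metadata:
 name: keycloak-users
 namespace: {{ .Release.Namespace }}
-{{- if .Values.externalSecrets.oneShot }}
-annotations:
-argocd.argoproj.io/hook: Sync
-argocd.argoproj.io/hook-delete-policy: HookSucceeded
-argocd.argoproj.io/sync-options: PrunePropagationPolicy=orphan
+{{- if .Values.externalSecrets.keycloakUsers.metadata }}
+{{- toYaml .Values.externalSecrets.keycloakUsers.metadata | nindent 2 }}
 {{- end }}
 spec:
-refreshInterval: 15s
+refreshInterval: {{ template "keycloak.externalSecrets.refreshInterval" (dict "refreshInterval" .Values.externalSecrets.keycloakUsers.refreshInterval "globalRefreshInterval" .Values.global.refreshInterval) }}
 secretStoreRef:
 name: {{ .Values.global.secretStore.name }}
 kind: {{ .Values.global.secretStore.kind }}
 target:
 name: keycloak-users
-{{- if .Values.externalSecrets.oneShot }}
-creationPolicy: Orphan
-{{- else }}
-creationPolicy: {{ .Values.externalSecrets.creationPolicy }}
-{{- end }}
+{{- include "keycloak.externalSecrets.lifecycle" .Values.externalSecrets.keycloakUsers | nindent 4 }}
 template:
-{{- if .Values.externalSecrets.oneShot }}
+{{- if .Values.externalSecrets.keycloakUsers.targetMetadata }}
 metadata:
-labels:
-{{ .Values.externalSecrets.secretCleanupLabel }}: delete
+{{- toYaml .Values.externalSecrets.keycloakUsers.targetMetadata | nindent 8 }}
 {{- end }}
 type: Opaque
 data: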
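Review bot: The `oneShot` branch (ArgoCD Sync-hook annotations, `creationPolicy: Orphan`, the `secretCleanupLabel` on the target Secret) is removed with no compatibility path, so a consumer that still sets `externalSecrets.oneShot: true` or `externalSecrets.creationPolicy` now gets a persistent ExternalSecret governed by `keycloakUsers.creationPolicy`, with no error. Because this changes how long the `keycloak-users` Secret lives in the cluster, fail loudly rather than degrade: `{{- if hasKey .Values.externalSecrets "oneShot" }}{{ fail "externalSecrets.oneShot was removed; set externalSecrets.keycloakUsers.metadata/targetMetadata and creationPolicy instead" }}{{- end }}` at the top of the template, and flag the change as breaking in the chart version and README. The wrapper chart's PostSync cleanup Job mentioned in the deleted values comment presumably still keys off the old label; confirm it is updated in lockstep.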
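--- a/templates/oidc-client-secret-external-secret.yaml
+++ b/templates/oidc-client-secret-external-secret.yaml
@@ -4,14 +4,22 @@ kind: ExternalSecret
 metadata:
 name: oidc-client-secret
 namespace: {{ .Release.Namespace }}
+{{- if .Values.externalSecrets.oidcClientSecret.metadata }}
+{{- toYaml .Values.externalSecrets.oidcClientSecret.metadata | nindent 2 }}
+{{- end }}
 spec:
-refreshInterval: 15s
+refreshInterval: {{ template "keycloak.externalSecrets.refreshInterval" (dict "refreshInterval" .Values.externalSecrets.oidcClientSecret.refreshInterval "globalRefreshInterval" .Values.global.refreshInterval) }}
 secretStoreRef:
 name: {{ .Values.global.secretStore.name }}
 kind: {{ .Values.global.secretStore.kind }}
 target:
 name: oidc-client-secret
+{{- include "keycloak.externalSecrets.lifecycle" .Values.externalSecrets.oidcClientSecret | nindent 4 }}
 template:
+{{- if .Values.externalSecrets.oidcClientSecret.targetMetadata }}
+metadata:
+{{- toYaml .Values.externalSecrets.oidcClientSecret.targetMetadata | nindent 8 }}
+{{- end }}
 type: Opaque
 data:
 client-secret: "{{ `{{ .client_secret }}` }}"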
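--- a/templates/postgresql-db-external-secret.yaml
+++ b/templates/postgresql-db-external-secret.yaml
@@ -3,14 +3,22 @@ kind: ExternalSecret
 metadata:
 name: postgresql-db
 namespace: {{ .Release.Namespace }}
+{{- if .Values.externalSecrets.postgresqlDb.metadata }}
+{{- toYaml .Values.externalSecrets.postgresqlDb.metadata | nindent 2 }}
+{{- end }}
 spec:
-refreshInterval: 15s
+refreshInterval: {{ template "keycloak.externalSecrets.refreshInterval" (dict "refreshInterval" .Values.externalSecrets.postgresqlDb.refreshInterval "globalRefreshInterval" .Values.global.refreshInterval) }}
 secretStoreRef:
 name: {{ .Values.global.secretStore.name }}
 kind: {{ .Values.global.secretStore.kind }}
 target:
 name: {{ .Values.keycloak.postgresqlDb.secretName }}
+{{- include "keycloak.externalSecrets.lifecycle" .Values.externalSecrets.postgresqlDb | nindent 4 }}
 template:
+{{- if .Values.externalSecrets.postgresqlDb.targetMetadata }}
+metadata:
+{{- toYaml .Values.externalSecrets.postgresqlDb.targetMetadata | nindent 8 }}
+{{- end }}
 type: Opaque
 data:
 username: {{ .Values.keycloak.postgresqlDb.username }}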
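--- a/templates/rhtpa-oidc-cli-secret-external-secret.yaml
+++ b/templates/rhtpa-oidc-cli-secret-external-secret.yaml
@@ -5,14 +5,22 @@ kind: ExternalSecret
 metadata:
 name: rhtpa-oidc-cli-secret
 namespace: {{ .Release.Namespace }}
+{{- if .Values.externalSecrets.rhtpa.metadata }}
+{{- toYaml .Values.externalSecrets.rhtpa.metadata | nindent 2 }}
+{{- end }}
 spec:
-refreshInterval: 15s
+refreshInterval: {{ template "keycloak.externalSecrets.refreshInterval" (dict "refreshInterval" .Values.externalSecrets.rhtpa.refreshInterval "globalRefreshInterval" .Values.global.refreshInterval) }}
 secretStoreRef:
 name: {{ .Values.global.secretStore.name }}
 kind: {{ .Values.global.secretStore.kind }}
 target:
 name: rhtpa-oidc-cli-secret
+{{- include "keycloak.externalSecrets.lifecycle" .Values.externalSecrets.rhtpa | nindent 4 }}
 template:
+{{- if .Values.externalSecrets.rhtpa.targetMetadata }}
+metadata:
+{{- toYaml .Values.externalSecrets.rhtpa.targetMetadata | nindent 8 }}
+{{- end }}
 type: Opaque
 data:
 client-secret: "{{ `{{ .client_secret | trim }}` }}"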
60 changes: 44 additions & 16 deletions values.yaml
@@ -1,26 +1,54 @@
global:
localClusterDomain: apps.example.com
refreshInterval: 1h
secretStore:
kind: ClusterSecretStore
name: vault-backend

# -- One-shot ExternalSecret provisioning for keycloak-users.
# When oneShot is true, the keycloak-users ExternalSecret becomes an
# ArgoCD Sync hook with HookSucceeded and creationPolicy: Orphan.
# Orphan prevents ESO from setting an ownerReference on the Secret,
# so k8s GC will not cascade-delete the Secret when ArgoCD removes
# the ExternalSecret hook after sync.
# A PostSync Job in the wrapper chart (e.g. rh-keycloak in
# layered-zero-trust) then cleans up Secrets labeled
# secretCleanupLabel=delete.
# When oneShot is false (default), keycloak-users is a regular
# ExternalSecret with no hook annotations — the Secret and
# ExternalSecret persist.
# @default -- disabled (regular ExternalSecret, no hooks)
# -- Properties associated with ExternalSecret resources.
externalSecrets:
oneShot: false
creationPolicy: Owner
secretCleanupLabel: "validatedpatterns.io/cleanup"
acs:
creationPolicy: Owner
deletionPolicy: Retain
#refreshPolicy: Periodic
#refreshInterval: 1h
annotations: {}
labels: {}
adminUser:
Is this the Keycloak admin user? Could we add comments here that reference the template each entry belongs to?

creationPolicy: Owner
deletionPolicy: Retain
#refreshPolicy: Periodic
#refreshInterval: 1h
annotations: {}
labels: {}
keycloakUsers:
creationPolicy: Owner
deletionPolicy: Retain
#refreshPolicy: Periodic
#refreshInterval: 1h
annotations: {}
labels: {}
oidcClientSecret:
creationPolicy: Owner
deletionPolicy: Retain
#refreshPolicy: Periodic
#refreshInterval: 1h
annotations: {}
labels: {}
postgresqlDb:
creationPolicy: Owner
deletionPolicy: Retain
#refreshPolicy: Periodic
#refreshInterval: 1h
annotations: {}
labels: {}
rhtpa:
creationPolicy: Owner
deletionPolicy: Retain
#refreshPolicy: Periodic
#refreshInterval: 1h
annotations: {}
labels: {}

# -- Default-deny NetworkPolicy for the keycloak namespace.
# When enabled, deploys a namespace-wide NetworkPolicy that blocks all ingress and egress
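Review bot: Every ExternalSecret now defaults to `deletionPolicy: Retain`, which keeps the Kubernetes Secret (admin password, DB credentials, OIDC client secrets) in the cluster after the backing entry is removed from the secret store; for credentials that are deleted upstream precisely to revoke them, that is a revocation gap that `Delete` would close. If Retain is the intended default (for instance to ride out a transient store outage), say so above the block: `# Retain keeps the k8s Secret if the provider entry disappears; use Delete to propagate upstream revocation`. Separately, the `annotations: {}` / `labels: {}` keys under each entry are not read by the templates in this PR, which consume `metadata` and `targetMetadata`, and `#refreshPolicy` is inert while the lifecycle helper keeps that line commented out, so these defaults currently document knobs that do nothing.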