feat: add rh-keycloak wrapper chart with PostSync cleanup for one-shot ExternalSecrets #137
Open
minmzzhang wants to merge 1 commit into
Add a wrapper chart (charts/rh-keycloak) that consumes the rhbk chart as a dependency and adds a PostSync cleanup job for one-shot ExternalSecret provisioning.

The PostSync job:
1. Waits for labeled ExternalSecrets to sync
2. Deletes them with --cascade=orphan (Secrets survive)
3. Cleans up ephemeral Secrets labeled for deletion (keycloak-users)

Switch values-hub.yaml from the remote rhbk chart to the local rh-keycloak wrapper chart path.

Requires rhbk-chart >= 0.0.9 with externalSecrets.oneShot support. Commented-out overrides updated with rhbk. prefix to match the wrapper chart structure.

Signed-off-by: Min Zhang <minzhang@redhat.com>
Summary
- Add a wrapper chart (charts/rh-keycloak) that consumes the rhbk chart as a dependency and adds a PostSync cleanup job for one-shot ExternalSecret provisioning
- Switch values-hub.yaml from the remote rhbk chart to the local rh-keycloak wrapper chart path
- Commented-out overrides updated with rhbk. prefix to match the wrapper chart structure

How it works

When externalSecrets.oneShot is enabled (set by the wrapper chart), the keycloak-users ExternalSecret uses BeforeHookCreation and sets deletionPolicy: Retain. The PostSync job then:

1. Waits for labeled ExternalSecrets to sync
2. Deletes them with --cascade=orphan (Secrets survive because Kubernetes GC is told to orphan dependents)
3. Cleans up ephemeral Secrets labeled ztvp.io/cleanup=delete (the keycloak-users Secret)

This prevents ESO from continuously overwriting the keycloak-users Secret after Keycloak has consumed it during realm import.

Dependencies

rhbk >= 0.0.9 with externalSecrets.oneShot support. That PR must be merged and published before this one can be deployed.
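
The three PostSync steps described above, written out as an added example; this is not the job script shipped in the chart. The namespace and the ExternalSecret label selector are placeholders because the page does not give them, and `ztvp.io/cleanup=delete` is the Secret label named in the description.

```shell
#!/bin/sh
# Added example, not the chart's actual job script.
# NAMESPACE and ES_SELECTOR are placeholders: the page does not name the
# namespace or the label carried by the one-shot ExternalSecrets.
# ztvp.io/cleanup=delete is the Secret label given in the PR description.
set -u
NAMESPACE="${NAMESPACE:-keycloak-namespace-placeholder}"
ES_SELECTOR="${ES_SELECTOR:-example.invalid/one-shot=true}"
SECRET_SELECTOR="ztvp.io/cleanup=delete"
ES_KIND="externalsecrets.external-secrets.io"
TIMEOUT="${TIMEOUT:-120s}"

cleanup_one_shot() {
  # A re-run after a successful cleanup finds no ExternalSecrets. Check
  # first, because `kubectl wait` fails when the selector matches nothing.
  found=$(kubectl -n "$NAMESPACE" get "$ES_KIND" -l "$ES_SELECTOR" -o name) || return 1
  if [ -n "$found" ]; then
    # 1. Nothing is deleted until every labeled ExternalSecret is Ready,
    #    i.e. its target Secret has been written at least once.
    if ! kubectl -n "$NAMESPACE" wait "$ES_KIND" -l "$ES_SELECTOR" \
         --for=condition=Ready --timeout="$TIMEOUT"; then
      echo "ExternalSecrets not Ready within $TIMEOUT; nothing deleted" >&2
      return 2
    fi
    # 2. Orphan the dependents so the synced Secrets are not garbage
    #    collected together with their owning ExternalSecret.
    kubectl -n "$NAMESPACE" delete "$ES_KIND" -l "$ES_SELECTOR" \
      --cascade=orphan --wait=true || return 3
  fi
  # 3. Remove only the Secrets explicitly labeled as ephemeral.
  kubectl -n "$NAMESPACE" delete secret -l "$SECRET_SELECTOR" \
    --ignore-not-found || return 4
}

# Run the cleanup only when called as: sh cleanup.sh run
if [ "${1:-}" = "run" ]; then
  cleanup_one_shot
fi
```

The job's ServiceAccount needs get, list, watch and delete on ExternalSecrets and delete on Secrets in that one namespace only.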