Add Keycloak SLI Prober

component/class/defaults.yml

@@ -45,7 +45,7 @@ parameters:
       appcat:
         registry: ghcr.io
         repository: vshn/appcat
-        tag: v4.62.1
+        tag: fix/netpol
       apiserver:
         registry: ghcr.io
         repository: vshn/appcat-apiserver

component/component/appcat_sli_exporter.jsonnet

@@ -38,6 +38,10 @@ local deployment_patch = kube._Object('apps/v1', 'Deployment', 'controller-manag
                 name: 'APPCAT_SLI_VSHNMINIO',
                 value: std.manifestJson(params.services.vshn.enabled && params.services.vshn.minio.enabled),
               },
+              {
+                name: 'APPCAT_SLI_VSHNKEYCLOAK',
+                value: std.manifestJson(params.services.vshn.enabled && params.services.vshn.keycloak.enabled),
+              },
             ],
           },
         ],

component/component/vshn_appcat_services.jsonnet

@@ -46,7 +46,7 @@ local vshn_appcat_service(name, serviceParams) =
 
   local restoreClusterRoleBinding = kube.ClusterRoleBinding('appcat:job:' + name + ':restorejob') + {
     roleRef_: restoreRole,
-    subjects_: [ restoreServiceAccount ],
+    subjects_: [restoreServiceAccount],
   };
 
   local xrd = xrds.XRDFromCRD(
@@ -91,6 +91,7 @@ local vshn_appcat_service(name, serviceParams) =
                         restoreSA: serviceParams.restoreSA,
                         quotasEnabled: std.toString(params.services.vshn.quotasEnabled),
                         isOpenshift: std.toString(isOpenshift),
+                        sliNamespace: params.slos.namespace,
                       }
                       + std.get(serviceParams, 'additionalInputs', default={}, inc_hidden=true)
                       + if serviceParams.proxyFunction then {
@@ -163,7 +164,7 @@ local vshn_appcat_service(name, serviceParams) =
     ['20_xrd_vshn_%s' % name]: xrd,
     ['20_rbac_vshn_%s' % name]: xrds.CompositeClusterRoles(xrd),
     ['21_composition_vshn_%s' % name]: composition,
-    ['20_role_vshn_%s_restore' % name]: [ restoreRole, restoreServiceAccount, restoreClusterRoleBinding ],
+    ['20_role_vshn_%s_restore' % name]: [restoreRole, restoreServiceAccount, restoreClusterRoleBinding],
     ['20_plans_vshn_%s' % name]: plansCM,
     ['22_prom_rule_sla_%s' % name]: promRuleSLA,
     [if isOpenshift then '21_openshift_template_%s_vshn' % name]: osTemplate,

component/tests/golden/vshn/appcat/appcat/10_function_appcat.yaml

@@ -3,6 +3,6 @@ kind: Function
 metadata:
   name: function-appcat
 spec:
-  package: ghcr.io/vshn/appcat:v4.62.1-func
+  package: ghcr.io/vshn/appcat:fix_netpol-func
   runtimeConfigRef:
     name: function-appcat

component/tests/golden/vshn/appcat/appcat/20_xrd_vshn_keycloak.yaml

@@ -66,6 +66,14 @@ spec:
                             (\*|([1-9]|1[0-2])|\*\/([1-9]|1[0-2])) (\*|([0-6])|\*\/([0-6]))$
                           type: string
                       type: object
+                    instances:
+                      default: 1
+                      description: |-
+                        Instances configures the number of Keycloak instances for the cluster.
+                        Each instance contains one Keycloak server.
+                      maximum: 3
+                      minimum: 1
+                      type: integer
                     maintenance:
                       description: Maintenance contains settings to control the maintenance
                         of an instance.

component/tests/golden/vshn/appcat/appcat/21_composition_vshn_keycloak.yaml

@@ -31,7 +31,7 @@ spec:
           chartRepository: https://codecentric.github.io/helm-charts
           chartVersion: 2.3.0
           controlNamespace: syn-appcat-control
-          imageTag: v4.62.1
+          imageTag: fix_netpol
           ingress_annotations: |
             nginx.ingress.kubernetes.io/backend-protocol: HTTPS
             cert-manager.io/cluster-issuer: letsencrypt-staging
@@ -46,6 +46,7 @@ spec:
           registry_username: ''
           restoreSA: mariadbrestoreserviceaccount
           serviceName: keycloak
+          sliNamespace: appcat-slos
         kind: ConfigMap
         metadata:
           labels:

component/tests/golden/vshn/appcat/appcat/21_composition_vshn_mariadb.yaml

@@ -31,7 +31,7 @@ spec:
           chartRepository: https://charts.bitnami.com/bitnami
           chartVersion: 11.6.2
           controlNamespace: syn-appcat-control
-          imageTag: v4.62.1
+          imageTag: fix_netpol
           isOpenshift: 'false'
           maintenanceSA: helm-based-service-maintenance
           plans: '{"standard-1": {"size": {"cpu": "250m", "disk": "16Gi", "enabled":
@@ -44,6 +44,7 @@ spec:
           quotasEnabled: 'false'
           restoreSA: mariadbrestoreserviceaccount
           serviceName: mariadb
+          sliNamespace: appcat-slos
         kind: ConfigMap
         metadata:
           labels:

component/tests/golden/vshn/appcat/appcat/21_composition_vshn_postgres.yaml

@@ -708,7 +708,7 @@ spec:
           emailAlertingSmtpHost: smtp.eu.mailgun.org:465
           emailAlertingSmtpUsername: [email protected]
           externalDatabaseConnectionsEnabled: 'true'
-          imageTag: v4.62.1
+          imageTag: fix_netpol
           quotasEnabled: 'false'
           serviceName: postgresql
           sgNamespace: stackgres

component/tests/golden/vshn/appcat/appcat/21_composition_vshn_postgresrestore.yaml

@@ -810,7 +810,7 @@ spec:
           emailAlertingSmtpHost: smtp.eu.mailgun.org:465
           emailAlertingSmtpUsername: [email protected]
           externalDatabaseConnectionsEnabled: 'true'
-          imageTag: v4.62.1
+          imageTag: fix_netpol
           quotasEnabled: 'false'
           serviceName: postgresql
           sgNamespace: stackgres

component/tests/golden/vshn/appcat/appcat/21_composition_vshn_redis.yaml

@@ -608,7 +608,7 @@ spec:
           emailAlertingSmtpFromAddress: [email protected]
           emailAlertingSmtpHost: smtp.eu.mailgun.org:465
           emailAlertingSmtpUsername: [email protected]
-          imageTag: v4.62.1
+          imageTag: fix_netpol
           maintenanceSA: helm-based-service-maintenance
           quotasEnabled: 'false'
           restoreSA: redisrestoreserviceaccount

component/tests/golden/vshn/appcat/appcat/controllers/appcat/30_deployment.yaml

@@ -23,7 +23,7 @@ spec:
           env:
             - name: PLANS_NAMESPACE
               value: syn-appcat
-          image: ghcr.io/vshn/appcat:v4.62.1
+          image: ghcr.io/vshn/appcat:fix_netpol
           livenessProbe:
             httpGet:
               path: /healthz

component/tests/golden/vshn/appcat/appcat/sla_reporter/01_cronjob.yaml

@@ -30,7 +30,7 @@ spec:
               envFrom:
                 - secretRef:
                     name: appcat-sla-reports-creds
-              image: ghcr.io/vshn/appcat:v4.62.1
+              image: ghcr.io/vshn/appcat:fix_netpol
               name: sla-reporter
               resources:
                 limits:

component/tests/golden/vshn/appcat/appcat/sli_exporter/apps_v1_deployment_appcat-sliexporter-controller-manager.yaml

@@ -32,7 +32,9 @@ spec:
           value: "false"
         - name: APPCAT_SLI_VSHNMINIO
           value: "false"
-        image: ghcr.io/vshn/appcat:v4.62.1
+        - name: APPCAT_SLI_VSHNKEYCLOAK
+          value: "true"
+        image: ghcr.io/vshn/appcat:fix_netpol
         livenessProbe:
           httpGet:
             path: /healthz

component/tests/golden/vshn/appcat/appcat/sli_exporter/rbac.authorization.k8s.io_v1_clusterrole_appcat-sliexporter-appcat-sli-exporter.yaml

@@ -111,3 +111,17 @@ rules:
   - xvshnredis/status
   verbs:
   - get
+- apiGroups:
+  - vshn.appcat.vshn.io
+  resources:
+  - xvsnkeycloaks
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - vshn.appcat.vshn.io
+  resources:
+  - xvsnkeycloaks/status
+  verbs:
+  - get

package/main.yaml

@@ -7,7 +7,7 @@ parameters:
     image:
       registry: ghcr.io
       repository: vshn/appcat
-      tag: v4.62.1
+      tag: fix/netpol
   components:
     appcat:
       url: https://github.com/vshn/component-appcat.git