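---
# This policy stands up an instance of Keycloak on the hub cluster and
# sets up the Keycloak realm used by OCM managed clusters.
# It depends on the "install-rhsso-operator" policy (which installs the RHSSO operator)
# and is only applied once "install-rhsso-operator" is Compliant.
# Resources are created in the same namespace as the RHSSO operator (i.e. rhsso).
apiVersion: policy.open-cluster-management.io/v1
kind: Policy
metadata:
  annotations:
    policy.open-cluster-management.io/categories: CM Configuration Management
    policy.open-cluster-management.io/controls: CM-2 Baseline Configuration
    policy.open-cluster-management.io/standards: NIST SP 800-53
  labels:
    app: sso
  name: setup-rhsso-for-acm
  namespace: rhsso-policies
spec:
  # Ordering gate: the templates below are only applied once the operator
  # policy reports Compliant.
  dependencies:
    - apiVersion: policy.open-cluster-management.io/v1
      kind: Policy
      name: install-rhsso-operator
      namespace: rhsso-policies
      compliance: Compliant
  disabled: false
  policy-templates:
    - objectDefinition:
        apiVersion: policy.open-cluster-management.io/v1
        kind: ConfigurationPolicy
        metadata:
          name: setup-rhsso-for-acm
        spec:
          object-templates:
            # Keycloak server instance (single replica, no HA).
            - complianceType: musthave
              objectDefinition:
                apiVersion: keycloak.org/v1alpha1
                kind: Keycloak
                metadata:
                  labels:
                    app: sso
                  name: rhsso
                  namespace: rhsso
                spec:
                  # Exposes Keycloak outside the cluster; the operator creates the
                  # external endpoint (presumably an OpenShift Route — confirm).
                  externalAccess:
                    enabled: true
                  instances: 1
                  keycloakDeploymentSpec:
                    experimental:
                      env:
                        # Opts the JVM out of Red Hat OpenJDK FIPS mode; drop this entry
                        # on hubs that must stay FIPS-enforcing (see the CM-2 control above).
                        # Quoted so the leading '-' is never read as a YAML indicator.
                        - name: JAVA_TOOL_OPTIONS
                          value: '-Dcom.redhat.fips=false'
                    # NOTE(review): placement reconstructed from a flattened listing;
                    # in the v1alpha1 CRD imagePullPolicy sits beside experimental — confirm.
                    imagePullPolicy: Always
            # Realm the managed clusters authenticate against; bound to the
            # Keycloak instance above via the app=sso label.
            - complianceType: musthave
              objectDefinition:
                apiVersion: keycloak.org/v1alpha1
                kind: KeycloakRealm
                metadata:
                  labels:
                    app: sso
                  name: acm
                  namespace: rhsso
                spec:
                  instanceSelector:
                    matchLabels:
                      app: sso
                  realm:
                    displayName: ACM Clusters
                    enabled: true
                    id: acm
                    realm: acm
          # ConfigurationPolicy-level action: create/repair the objects, not just report.
          remediationAction: enforce
          severity: medium
  # Policy-level action; overrides the template setting when they differ.
  remediationAction: enforce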