add keycloak

k8s/keycloak/database.yaml

@@ -0,0 +1,22 @@
+apiVersion: "acid.zalan.do/v1"
+kind: postgresql
+metadata:
+  name: keycloak-database
+spec:
+  teamId: keycloak
+  volume:
+    size: 1Gi
+  numberOfInstances: 2
+  users:
+    superuser:
+    - superuser
+    - createdb
+    keycloak: []
+  databases:
+    keycloak: keycloak
+  preparedDatabases:
+    keycloak: {}
+  postgresql:
+    version: "16"
+  tls:
+    secretName: database-certificate

k8s/keycloak/deployment.yaml

@@ -0,0 +1,85 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: keycloak
+  labels:
+    app: keycloak
+spec:
+  replicas: 2
+  selector:
+    matchLabels:
+      app: keycloak
+  template:
+    metadata:
+      labels:
+        app: keycloak
+    spec:
+      containers:
+        - name: keycloak
+          image: git.janky.solutions/jankysolutions/infra/keycloak:25.0
+          imagePullPolicy: Always
+          resources: {}
+          volumeMounts:
+          - name: certs
+            mountPath: /etc/certs
+            readOnly: true
+          - name: postgres-ca
+            mountPath: /opt/keycloak/.postgresql/root.crt
+            subPath: ca.crt
+            readOnly: true
+          env:
+            - name: KEYCLOAK_ADMIN
+              value: "admin"
+            - name: KEYCLOAK_ADMIN_PASSWORD
+              value: "admin"
+            - name: KC_HTTPS_CERTIFICATE_FILE
+              value: "/etc/certs/tls.crt"
+            - name: KC_HTTPS_CERTIFICATE_KEY_FILE
+              value: "/etc/certs/tls.key"
+            - name: KC_HEALTH_ENABLED
+              value: "true"
+            - name: KC_METRICS_ENABLED
+              value: "true"
+            - name: KC_HOSTNAME
+              value: https://auth-next.janky.solutions
+            - name: KC_PROXY
+              value: reencrypt
+            - name: KC_PROXY_HEADERS
+              value: xforwarded
+            - name: KC_DB
+              value: postgres
+            - name: KC_DB_URL
+              value: "jdbc:postgresql://keycloak-database.keycloak.svc.cluster.local/keycloak?ssl=true"
+            - name: KC_DB_USERNAME
+              valueFrom:
+                secretKeyRef:
+                  name: keycloak.keycloak-database.credentials.postgresql.acid.zalan.do
+                  key: username
+            - name: KC_DB_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: keycloak.keycloak-database.credentials.postgresql.acid.zalan.do
+                  key: password
+            - name: jgroups.dns.query
+              value: keycloak
+          ports:
+            - name: jgroups
+              containerPort: 7600
+            - name: web
+              containerPort: 8443
+            - name: management
+              containerPort: 9000
+          readinessProbe:
+            httpGet:
+              scheme: HTTPS
+              path: /health/ready
+              port: 9000
+            initialDelaySeconds: 60
+            periodSeconds: 1
+      volumes:
+      - name: certs
+        secret:
+          secretName: keycloak-frontend
+      - name: postgres-ca
+        secret:
+          secretName: database-certificate

k8s/keycloak/ingress.yaml

@@ -0,0 +1,44 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: ServersTransport
+metadata:
+  name: keycloak-frontend
+spec:
+  serverName: keycloak.keycloak.svc.cluster.local
+  rootCAsSecrets:
+    - keycloak-frontend
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: keycloak
+spec:
+  rules:
+    - host: auth-next.janky.solutions
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name:  keycloak
+                port:
+                  name: web
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: keycloak
+  labels:
+    app: keycloak # so prometheus can find this service
+  annotations:
+    traefik.ingress.kubernetes.io/service.serverstransport: keycloak-keycloak-frontend@kubernetescrd
+    traefik.ingress.kubernetes.io/service.serversscheme: https
+spec:
+  ports:
+  - name: web
+    port: 8443
+  - name: management
+    port: 9000
+  clusterIP: None
+  selector:
+    app: keycloak

k8s/keycloak/kustomization.yaml

@@ -0,0 +1,16 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: keycloak
+resources:
+  - namespace.yaml
+  - ingress.yaml
+  - database.yaml
+  - deployment.yaml
+  - pki.yaml
+  - servicemonitor.yaml
+configMapGenerator:
+  - name: keycloak
+    literals:
+      - KC_HOSTNAME=auth-next.janky.solutions
+      - KC_METRICS_ENABLED="true"
+      - KC_HEALTH_ENABLED="true"

k8s/keycloak/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: keycloak

k8s/keycloak/pki.yaml

@@ -0,0 +1,45 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: ca
+spec:
+  isCA: true
+  commonName: keycloak-pki-ca
+  secretName: ca
+  privateKey:
+    algorithm: ECDSA
+    size: 256
+  issuerRef:
+    name: selfsigned
+    kind: ClusterIssuer
+    group: cert-manager.io
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: keycloak
+spec:
+  ca:
+    secretName: ca
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: keycloak-frontend
+spec:
+  issuerRef:
+    name: keycloak
+  secretName: keycloak-frontend
+  dnsNames:
+  - keycloak.keycloak.svc.cluster.local
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: database
+spec:
+  issuerRef:
+    name: keycloak
+  secretName: database-certificate
+  dnsNames:
+  - keycloak-database.keycloak.svc.cluster.local

k8s/keycloak/servicemonitor.yaml

@@ -0,0 +1,17 @@
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: keycloak
+spec:
+  endpoints:
+  - port: management
+    scheme: https
+    tlsConfig:
+      ca:
+        secret:
+          name: keycloak-frontend
+          key: ca.crt
+      serverName: keycloak.keycloak.svc.cluster.local
+  selector:
+    matchLabels:
+      app: keycloak

k8s/kustomization.yaml

@@ -11,3 +11,4 @@ resources:
   - s3staticsites
   - shlink
   - system-upgrade
+  - keycloak