From ce672388b2864c0a35e18773b3591229569c034a Mon Sep 17 00:00:00 2001
From: Finn
Date: Wed, 10 Jul 2024 20:24:06 -0700
Subject: [PATCH] add keycloak
---
 k8s/keycloak/database.yaml | 22 +++++++++
 k8s/keycloak/deployment.yaml | 85 ++++++++++++++++++++++++++++++++
 k8s/keycloak/ingress.yaml | 44 +++++++++++++++++
 k8s/keycloak/kustomization.yaml | 16 ++++++
 k8s/keycloak/namespace.yaml | 4 ++
 k8s/keycloak/pki.yaml | 45 +++++++++++++++++
 k8s/keycloak/servicemonitor.yaml | 17 +++++++
 k8s/kustomization.yaml | 1 +
 8 files changed, 234 insertions(+)
 create mode 100644 k8s/keycloak/database.yaml
 create mode 100644 k8s/keycloak/deployment.yaml
 create mode 100644 k8s/keycloak/ingress.yaml
 create mode 100644 k8s/keycloak/kustomization.yaml
 create mode 100644 k8s/keycloak/namespace.yaml
 create mode 100644 k8s/keycloak/pki.yaml
 create mode 100644 k8s/keycloak/servicemonitor.yaml
diff --git a/k8s/keycloak/database.yaml b/k8s/keycloak/database.yaml
new file mode 100644
index 0000000..8b51691
--- /dev/null
+++ b/k8s/keycloak/database.yaml
@@ -0,0 +1,22 @@
+apiVersion: "acid.zalan.do/v1"
+kind: postgresql
+metadata:
+ name: keycloak-database
+spec:
+ teamId: keycloak
+ volume:
+ size: 1Gi
+ numberOfInstances: 2
+ users:
+ superuser:
+ - superuser
+ - createdb
+ keycloak: []
+ databases:
+ keycloak: keycloak
+ preparedDatabases:
+ keycloak: {}
+ postgresql:
+ version: "16"
+ tls:
+ secretName: database-certificate
diff --git a/k8s/keycloak/deployment.yaml b/k8s/keycloak/deployment.yaml
new file mode 100644
index 0000000..35775c3
--- /dev/null
+++ b/k8s/keycloak/deployment.yaml
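Review bot: The `users` block creates a login role literally named `superuser` carrying the SUPERUSER and CREATEDB flags, and nothing else in this change uses it — the deployment only reads the `keycloak` user's generated credentials secret (`keycloak.keycloak-database.credentials.postgresql.acid.zalan.do`). Unless that role is needed for out-of-band administration, dropping it (or giving it no flags) keeps the cluster to the single least-privileged role Keycloak needs, and avoids a second superuser credential sitting in the namespace. `databases: keycloak: keycloak` and `preparedDatabases: keycloak: {}` both declare a database called `keycloak` with different ownership models; I would expect only one of the two to be intended, worth confirming against the operator's documentation. A short comment such as `# keycloak role: no flags on purpose; Keycloak only needs ownership of its own database` would record the intent.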
@@ -0,0 +1,85 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: keycloak
+ labels:
+ app: keycloak
+spec:
+ replicas: 2
+ selector:
+ matchLabels:
+ app: keycloak
+ template:
+ metadata:
+ labels:
+ app: keycloak
+ spec:
+ containers:
+ - name: keycloak
+ image: git.janky.solutions/jankysolutions/infra/keycloak:25.0
+ imagePullPolicy: Always
+ resources: {}
+ volumeMounts:
+ - name: certs
+ mountPath: /etc/certs
+ readOnly: true
+ - name: postgres-ca
+ mountPath: /opt/keycloak/.postgresql/root.crt
+ subPath: ca.crt
+ readOnly: true
+ env:
+ - name: KEYCLOAK_ADMIN
+ value: "admin"
+ - name: KEYCLOAK_ADMIN_PASSWORD
+ value: "admin"
+ - name: KC_HTTPS_CERTIFICATE_FILE
+ value: "/etc/certs/tls.crt"
+ - name: KC_HTTPS_CERTIFICATE_KEY_FILE
+ value: "/etc/certs/tls.key"
+ - name: KC_HEALTH_ENABLED
+ value: "true"
+ - name: KC_METRICS_ENABLED
+ value: "true"
+ - name: KC_HOSTNAME
+ value: https://auth-next.janky.solutions
+ - name: KC_PROXY
+ value: reencrypt
+ - name: KC_PROXY_HEADERS
+ value: xforwarded
+ - name: KC_DB
+ value: postgres
+ - name: KC_DB_URL
+ value: "jdbc:postgresql://keycloak-database.keycloak.svc.cluster.local/keycloak?ssl=true"
+ - name: KC_DB_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: keycloak.keycloak-database.credentials.postgresql.acid.zalan.do
+ key: username
+ - name: KC_DB_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: keycloak.keycloak-database.credentials.postgresql.acid.zalan.do
+ key: password
+ - name: jgroups.dns.query
+ value: keycloak
+ ports:
+ - name: jgroups
+ containerPort: 7600
+ - name: web
+ containerPort: 8443
+ - name: management
+ containerPort: 9000
+ readinessProbe:
+ httpGet:
+ scheme: HTTPS
+ path: /health/ready
+ port: 9000
+ initialDelaySeconds: 60
+ periodSeconds: 1
+ volumes:
+ - name: certs
+ secret:
+ secretName: keycloak-frontend
+ - name: postgres-ca
+ secret:
+ secretName: database-certificate
diff --git a/k8s/keycloak/ingress.yaml b/k8s/keycloak/ingress.yaml
new file mode 100644
index 0000000..1c68393
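Review bot: The bootstrap admin credentials are committed in clear text as `KEYCLOAK_ADMIN=admin` / `KEYCLOAK_ADMIN_PASSWORD=admin` (the first two `env` entries); Keycloak only consumes them on first start, but this manifest lives in git and in every `kubectl get deploy -o yaml`, and a guessable initial admin behind a public hostname is exactly what gets tried first. Move both into a Secret and reference them with `secretKeyRef`, the way `KC_DB_USERNAME`/`KC_DB_PASSWORD` already do a few lines further down. Two smaller points: `KC_DB_URL` sets `ssl=true` without an explicit `sslmode`, so verification against the mounted `root.crt` rests on the pgjdbc default (I believe `verify-full` once `ssl=true` is given, but appending `&sslmode=verify-full` makes the intent explicit and survives driver upgrades), and the container has no `livenessProbe` while the readiness probe polls every second, which is unusually aggressive for a JVM. `resources: {}` also leaves the JVM unbounded; at least a memory request/limit is worth setting so a misbehaving node does not take the identity provider with it.

```yaml
          env:
            - name: KEYCLOAK_ADMIN
              valueFrom:
                secretKeyRef:
                  name: keycloak-admin-bootstrap  # placeholder name: Secret is created outside this kustomization
                  key: username
            - name: KEYCLOAK_ADMIN_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: keycloak-admin-bootstrap  # placeholder name, see above
                  key: password
            # … unchanged: KC_HTTPS_CERTIFICATE_FILE and the remaining env entries …
```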
--- /dev/null
+++ b/k8s/keycloak/ingress.yaml
@@ -0,0 +1,44 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: ServersTransport
+metadata:
+ name: keycloak-frontend
+spec:
+ serverName: keycloak.keycloak.svc.cluster.local
+ rootCAsSecrets:
+ - keycloak-frontend
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: keycloak
+spec:
+ rules:
+ - host: auth-next.janky.solutions
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: keycloak
+ port:
+ name: web
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: keycloak
+ labels:
+ app: keycloak # so prometheus can find this service
+ annotations:
+ traefik.ingress.kubernetes.io/service.serverstransport: keycloak-keycloak-frontend@kubernetescrd
+ traefik.ingress.kubernetes.io/service.serversscheme: https
+spec:
+ ports:
+ - name: web
+ port: 8443
+ - name: management
+ port: 9000
+ clusterIP: None
+ selector:
+ app: keycloak
diff --git a/k8s/keycloak/kustomization.yaml b/k8s/keycloak/kustomization.yaml
new file mode 100644
index 0000000..74b86fe
--- /dev/null
+++ b/k8s/keycloak/kustomization.yaml
@@ -0,0 +1,16 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: keycloak
+resources:
+ - namespace.yaml
+ - ingress.yaml
+ - database.yaml
+ - deployment.yaml
+ - pki.yaml
+ - servicemonitor.yaml
+configMapGenerator:
+ - name: keycloak
+ literals:
+ - KC_HOSTNAME=auth-next.janky.solutions
+ - KC_METRICS_ENABLED="true"
+ - KC_HEALTH_ENABLED="true"
diff --git a/k8s/keycloak/namespace.yaml b/k8s/keycloak/namespace.yaml
new file mode 100644
index 0000000..80e7888
--- /dev/null
+++ b/k8s/keycloak/namespace.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: keycloak
diff --git a/k8s/keycloak/pki.yaml b/k8s/keycloak/pki.yaml
new file mode 100644
index 0000000..7d1ebe6
--- /dev/null
+++ b/k8s/keycloak/pki.yaml
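Review bot: The `Ingress` has no `spec.tls` section, so whether `auth-next.janky.solutions` is actually served over HTTPS at the edge depends entirely on Traefik entrypoint configuration that is not part of this change; since `KC_HOSTNAME` is `https://…` and `KC_PROXY_HEADERS=xforwarded` makes Keycloak trust the proxy's forwarded scheme, a plain-HTTP entrypoint would let session cookies and tokens travel in clear while Keycloak believes the connection is TLS. Either add a `tls:` block naming the public certificate's secret, or document in this file that Traefik redirects and terminates TLS globally. The `ServersTransport` uses `traefik.containo.us/v1alpha1`; that API group was deprecated in favour of `traefik.io/v1alpha1` and, as far as I know, is no longer served by Traefik v3, so it is worth checking against the cluster's Traefik version. The Service label comment could say what it must agree with: `# must match the selector in servicemonitor.yaml`.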
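Review bot: The `configMapGenerator` entry `keycloak` is not consumed anywhere in this change — `deployment.yaml` sets `KC_HOSTNAME`, `KC_METRICS_ENABLED` and `KC_HEALTH_ENABLED` inline under `env:` and has no `envFrom`/`configMapRef` — and its `KC_HOSTNAME` value (`auth-next.janky.solutions`) already differs from the deployment's `https://auth-next.janky.solutions`, so there are two diverging sources of truth for the public hostname. Either wire the ConfigMap in (`envFrom: [{configMapRef: {name: keycloak}}]`) and drop the duplicated inline entries, or remove the generator. The quoted literals `KC_METRICS_ENABLED="true"` are also ambiguous: whether kustomize strips the quotes or the rendered value becomes `"true"` including the quote characters is worth checking in `kustomize build` output before relying on them.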
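Review bot: The Namespace carries no Pod Security Admission labels, so the Keycloak and Postgres pods run under whatever the cluster-wide default is (presumably `privileged`) in the namespace that holds the identity provider, its CA key and its database credentials. Adding `pod-security.kubernetes.io/enforce: baseline` under `metadata.labels` (with `warn: restricted` to see what would break) limits what a compromised pod can do; whether the Zalando operator's sidecars tolerate `restricted` is something to confirm rather than assume.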
@@ -0,0 +1,45 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: ca
+spec:
+ isCA: true
+ commonName: keycloak-pki-ca
+ secretName: ca
+ privateKey:
+ algorithm: ECDSA
+ size: 256
+ issuerRef:
+ name: selfsigned
+ kind: ClusterIssuer
+ group: cert-manager.io
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ name: keycloak
+spec:
+ ca:
+ secretName: ca
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: keycloak-frontend
+spec:
+ issuerRef:
+ name: keycloak
+ secretName: keycloak-frontend
+ dnsNames:
+ - keycloak.keycloak.svc.cluster.local
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: database
+spec:
+ issuerRef:
+ name: keycloak
+ secretName: database-certificate
+ dnsNames:
+ - keycloak-database.keycloak.svc.cluster.local
diff --git a/k8s/keycloak/servicemonitor.yaml b/k8s/keycloak/servicemonitor.yaml
new file mode 100644
index 0000000..1125234
--- /dev/null
+++ b/k8s/keycloak/servicemonitor.yaml
@@ -0,0 +1,17 @@
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+ name: keycloak
+spec:
+ endpoints:
+ - port: management
+ scheme: https
+ tlsConfig:
+ ca:
+ secret:
+ name: keycloak-frontend
+ key: ca.crt
+ serverName: keycloak.keycloak.svc.cluster.local
+ selector:
+ matchLabels:
+ app: keycloak
diff --git a/k8s/kustomization.yaml b/k8s/kustomization.yaml
index a5fa499..8fed4a4 100644
--- a/k8s/kustomization.yaml
+++ b/k8s/kustomization.yaml
@@ -11,3 +11,4 @@ resources:
 - s3staticsites
 - shlink
 - system-upgrade
+ - keycloak
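Review bot: The two leaf `Certificate`s (`keycloak-frontend` and `database`) set no `privateKey`, so their key type falls back to cert-manager's default (RSA 2048, as far as I recall) while the CA pins ECDSA P-256; adding `privateKey: {algorithm: ECDSA, size: 256}` to both keeps the chain consistent and the in-cluster handshakes cheaper. None of the three certificates sets `duration`/`renewBefore`, which is fine on cert-manager's defaults only if the consumers pick up a renewed secret — Keycloak re-reads `KC_HTTPS_CERTIFICATE_FILE` periodically as far as I know, but whether the operator-managed Postgres re-reads `database-certificate` without a restart is worth confirming before the first rotation silently breaks `ssl=true` connections. The CA private key lives in secret `ca` in the application namespace; anything with secret read there can mint certificates that Traefik's `ServersTransport` and the Prometheus scrape will trust, so RBAC on that namespace should stay tight and a one-line comment on the `ca` Certificate (`# private CA for in-cluster TLS only; key material stays in this namespace`) would make that dependency visible.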