feat: add keycloak in argocd

.github/renovate.json5

@@ -90,7 +90,7 @@
       depNameTemplate: 'ansible-core',
       datasourceTemplate: 'pypi',
     },
-    // match program version in defaults 
+    // match program version in ansible defaults 
     {
       fileMatch: [
         '(^|/)roles\\S+defaults/\\S+\\.ya?ml',
@@ -99,6 +99,16 @@
         'datasource=(?<datasource>\\S*)[\\s]+depName=(?<depName>\\S*)([\\s]+registryUrl=(?<registryUrl>\\S*))?\r?\n[\\S]+\\s"(?<currentValue>\\S+)"',
       ],
     },
+    // match github yaml in kustomization file
+    {
+      "fileMatch": [
+        "(^|/)kustomization.ya?ml$"
+      ],
+      "matchStrings": [
+        "https:\/\/raw\\.githubusercontent\\.com\/(?<depName>[^\/]*\/[^\/]*)\/(?<currentValue>.*?)\/"
+      ],
+      "datasourceTemplate": "github-tags",
+    },
   ],
   packageRules: [
     // group ansible version in one PR

argocd/applicationset.yaml

@@ -8,9 +8,18 @@ spec:
       elements:
       - appName: stakater
         namespace: stakater
+        syncWave: "-1"
+      - appName: keycloak
+        namespace: keycloak
+        syncWave: "-1"
+      - appName: keycloak-operator
+        namespace: keycloak-operator
+        syncWave: "0"
   template:
     metadata:
       name: '{{appName}}'
+      annotations:
+        argocd.argoproj.io/sync-wave: '{{syncWave}}'
     spec:
       project: default
       source:

argocd/keycloak-operator/kustomization.yaml

@@ -0,0 +1,8 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: keycloak
+
+resources:
+  - https://raw.githubusercontent.com/keycloak/keycloak-k8s-resources/22.0.5/kubernetes/keycloaks.k8s.keycloak.org-v1.yml
+  - https://raw.githubusercontent.com/keycloak/keycloak-k8s-resources/22.0.5/kubernetes/keycloakrealmimports.k8s.keycloak.org-v1.yml
+  - https://raw.githubusercontent.com/keycloak/keycloak-k8s-resources/22.0.5/kubernetes/kubernetes.yml

argocd/keycloak/kustomization.yaml

@@ -0,0 +1,10 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: keycloak
+
+resources:
+  - manifests/01_namespace.yaml
+  - manifests/02_service_account.yaml
+  - manifests/03_postgres.yaml
+  - manifests/04_keycloak.yaml
+  - manifests/05_ingress.yaml

argocd/keycloak/manifests/01_namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: keycloak

argocd/keycloak/manifests/02_service_account.yaml

@@ -0,0 +1,6 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: keycloak
+  namespace: keycloak

argocd/keycloak/manifests/03_secret_store.yaml

@@ -0,0 +1,23 @@
+---
+apiVersion: external-secrets.io/v1beta1
+kind: SecretStore
+metadata:
+  name: vault
+  namespace: keycloak
+spec:
+  provider:
+    vault:
+      server: "https://vault.vault.svc:8200"
+      path: "secret"
+      version: "v2"
+      auth:
+        kubernetes:
+          mountPath: "kubernetes"
+          role: "keycloak"
+          serviceAccountRef:
+            name: "keycloak"
+      caProvider:
+        type: "ConfigMap"
+        namespace: "keycloak"
+        name: "homelab-ca"
+        key: "ca.crt"

argocd/keycloak/manifests/04_external_secret_postgres.yaml

@@ -0,0 +1,23 @@
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: vault-postgres
+  namespace: keycloak
+spec:
+  refreshInterval: "1m"
+  target:
+    creationPolicy: "Merge"
+    deletionPolicy: "Retain"
+  secretStoreRef:
+    kind: SecretStore
+    name: vault
+  data:
+    - secretKey: POSTGRES_USER
+      remoteRef:
+        key: secret/data/homelab/prod/keycloak
+        property: POSTGRES_USER
+    - secretKey: POSTGRES_PASSWORD
+      remoteRef:
+        key: secret/data/homelab/prod/keycloak
+        property: POSTGRES_PASSWORD

argocd/keycloak/manifests/04_external_secret_postgres_keycloak.yaml

@@ -0,0 +1,31 @@
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: vault-keycloak
+  namespace: keycloak
+spec:
+  refreshInterval: "1m"
+  target:
+    creationPolicy: "Merge"
+    deletionPolicy: "Retain"
+  secretStoreRef:
+    kind: SecretStore
+    name: vault
+  data:
+    - secretKey: KC_DB_USERNAME
+      remoteRef:
+        key: secret/data/homelab/prod/keycloak
+        property: KC_DB_USERNAME
+    - secretKey: KC_DB_PASSWORD
+      remoteRef:
+        key: secret/data/homelab/prod/keycloak
+        property: KC_DB_PASSWORD
+    - secretKey: KEYCLOAK_ADMIN
+      remoteRef:
+        key: secret/data/homelab/prod/keycloak
+        property: KEYCLOAK_ADMIN
+    - secretKey: KEYCLOAK_ADMIN_PASSWORD
+      remoteRef:
+        key: secret/data/homelab/prod/keycloak
+        property: KEYCLOAK_ADMIN_PASSWORD

argocd/keycloak/manifests/05_postgres.yaml

@@ -0,0 +1,66 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: postgres
+  namespace: keycloak
+spec:
+  ports:
+  - port: 5432
+    name: postgres
+  selector:
+    app.kubernetes.io/name: keycloak-postgres
+    app.kubernetes.io/instance: keycloak-postgres
+  type: ClusterIP
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: postgres
+  namespace: keycloak
+spec:
+  serviceName: postgres
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: keycloak-postgres
+      app.kubernetes.io/instance: keycloak-postgres
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: keycloak-postgres
+        app.kubernetes.io/instance: keycloak-postgres
+    spec:
+      serviceAccountName: keycloak
+      containers:
+        - name: postgres
+          image: postgres:16.0
+          command:
+            - /bin/bash
+            - -c
+          args:
+            - source /vault/secrets/config && docker-entrypoint.sh postgres
+          env:
+            - name: PGDATA
+              value: /var/lib/postgresql/data/pgdata
+          envFrom:
+            - secretRef:
+                name: vault
+          ports:
+            - name: postgres
+              containerPort: 5432
+          volumeMounts:
+            - name: postgres-pv-claim
+              mountPath: /var/lib/postgresql/data
+      volumes:
+        - name: vault
+          secret:
+            secretName: vault-postgres
+  volumeClaimTemplates:
+    - metadata:
+        name: postgres-pv-claim
+      spec:
+        accessModes:
+          - ReadWriteOnce
+        resources:
+          requests:
+            storage: 10Gi

argocd/keycloak/manifests/06_keycloak.yaml

@@ -0,0 +1,96 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: keycloak
+  namespace: keycloak
+  labels:
+    app.kubernetes.io/name: keycloak
+    app.kubernetes.io/instance: keycloak
+spec:
+  ports:
+  - name: http
+    port: 80
+    targetPort: 8080
+  selector:
+    app.kubernetes.io/name: keycloak
+    app.kubernetes.io/instance: keycloak
+  ipFamilyPolicy: PreferDualStack
+  type: ClusterIP
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: keycloak
+  namespace: keycloak
+  labels:
+    app.kubernetes.io/name: keycloak
+    app.kubernetes.io/instance: keycloak
+  annotations:
+    reloader.stakater.com/auto: "true"
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: keycloak
+      app.kubernetes.io/instance: keycloak
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: keycloak
+        app.kubernetes.io/instance: keycloak
+    spec:
+      serviceAccountName: keycloak
+      containers:
+        - name: keycloak
+          image: quay.io/keycloak/keycloak:22.0.5
+          command:
+            - /bin/bash
+            - -c
+          args:
+            - source /vault/secrets/config && /opt/keycloak/bin/kc.sh start
+          env:
+            - name: KC_PROXY
+              value: "edge"
+            - name: KC_HEALTH_ENABLED
+              value: "true"
+            - name: KC_METRICS_ENABLED
+              value: "true"
+            - name: KC_HOSTNAME_STRICT_HTTPS
+              value: "false"
+            - name: KC_LOG_LEVEL
+              value: INFO
+            - name: KC_DB
+              value: postgres
+            - name: KC_HOSTNAME
+              value: sso.unicornafk.fr
+            - name: KC_DB_URL
+              value: jdbc:postgresql://postgres/keycloak
+          envFrom:
+            - secretRef:
+                name: vault
+          ports:
+            - name: http
+              containerPort: 8080
+          readinessProbe:
+            httpGet:
+              path: /health/ready
+              port: 8080
+            initialDelaySeconds: 250
+            periodSeconds: 10
+          livenessProbe:
+            httpGet:
+              path: /health/live
+              port: 8080
+            initialDelaySeconds: 500
+            periodSeconds: 30
+          resources:
+              limits:
+                memory: 2Gi
+                cpu: "1"
+              requests:
+                memory: 256Mi
+                cpu: "0.2"
+      volumes:
+        - name: vault
+          secret:
+            secretName: vault-keycloak

argocd/keycloak/manifests/07_ingress.yaml

@@ -0,0 +1,25 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: keycloak-external
+  namespace: keycloak
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt
+spec:
+  rules:
+    - host: sso.adminafk.fr
+      http:
+        paths:
+          - path: /
+            pathType: ImplementationSpecific
+            backend:
+              service:
+                name: keycloak
+                port:
+                  name: http
+  tls:
+    - hosts:
+        - sso.adminafk.fr
+      secretName: sso.adminafk.fr-tls
+  ingressClassName: ingress-external