From 4febc5876cb02ee87a5156345a5e117f34816b15 Mon Sep 17 00:00:00 2001 From: Ludovic Ortega Date: Fri, 3 Nov 2023 14:06:46 +0100 Subject: [PATCH] feat: add keycloak in argocd --- .github/renovate.json5 | 12 ++- argocd/applicationset.yaml | 9 ++ argocd/keycloak-operator/kustomization.yaml | 8 ++ argocd/keycloak/kustomization.yaml | 10 ++ argocd/keycloak/manifests/01_namespace.yaml | 4 + .../manifests/02_service_account.yaml | 6 ++ .../keycloak/manifests/03_secret_store.yaml | 23 +++++ .../04_external_secret_postgres.yaml | 23 +++++ .../04_external_secret_postgres_keycloak.yaml | 31 ++++++ argocd/keycloak/manifests/05_postgres.yaml | 66 +++++++++++++ argocd/keycloak/manifests/06_keycloak.yaml | 96 +++++++++++++++++++ argocd/keycloak/manifests/07_ingress.yaml | 25 +++++ 12 files changed, 312 insertions(+), 1 deletion(-) create mode 100644 argocd/keycloak-operator/kustomization.yaml create mode 100644 argocd/keycloak/kustomization.yaml create mode 100644 argocd/keycloak/manifests/01_namespace.yaml create mode 100644 argocd/keycloak/manifests/02_service_account.yaml create mode 100644 argocd/keycloak/manifests/03_secret_store.yaml create mode 100644 argocd/keycloak/manifests/04_external_secret_postgres.yaml create mode 100644 argocd/keycloak/manifests/04_external_secret_postgres_keycloak.yaml create mode 100644 argocd/keycloak/manifests/05_postgres.yaml create mode 100644 argocd/keycloak/manifests/06_keycloak.yaml create mode 100644 argocd/keycloak/manifests/07_ingress.yaml
diff --git a/.github/renovate.json5 b/.github/renovate.json5
index 15c1ed24..974c98e8 100644
--- a/.github/renovate.json5
+++ b/.github/renovate.json5
@@ -90,7 +90,7 @@ depNameTemplate: 'ansible-core', datasourceTemplate: 'pypi', },
- // match program version in defaults
+ // match program version in ansible defaults { fileMatch: [ '(^|/)roles\\S+defaults/\\S+\\.ya?ml',
@@ -99,6 +99,16 @@ 'datasource=(?\\S*)[\\s]+depName=(?\\S*)([\\s]+registryUrl=(?\\S*))?\r?\n[\\S]+\\s"(?\\S+)"', ], },
+ // match github yaml in kustomization file
+ {
+ "fileMatch": [
+ "(^|/)kustomization.ya?ml$"
+ ],
+ "matchStrings": [
+ "https:\/\/raw\\.githubusercontent\\.com\/(?[^\/]*\/[^\/]*)\/(?.*?)\/"
+ ],
+ "datasourceTemplate": "github-tags",
+ },
 ], packageRules: [ // group ansible version in one PR
diff --git a/argocd/applicationset.yaml b/argocd/applicationset.yaml
index 08045434..046ca374 100644
--- a/argocd/applicationset.yaml
+++ b/argocd/applicationset.yaml
@@ -8,9 +8,18 @@ spec: elements: - appName: stakater namespace: stakater
+ syncWave: "-1"
+ - appName: keycloak
+ namespace: keycloak
+ syncWave: "-1"
+ - appName: keycloak-operator
+ namespace: keycloak-operator
+ syncWave: "0"
 template: metadata: name: '{{appName}}'
+ annotations:
+ argocd.argoproj.io/sync-wave: '{{syncWave}}'
 spec: project: default source:
diff --git a/argocd/keycloak-operator/kustomization.yaml b/argocd/keycloak-operator/kustomization.yaml
new file mode 100644
index 00000000..693af155
--- /dev/null
+++ b/argocd/keycloak-operator/kustomization.yaml
@@ -0,0 +1,8 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: keycloak
+
+resources:
+ - https://raw.githubusercontent.com/keycloak/keycloak-k8s-resources/22.0.5/kubernetes/keycloaks.k8s.keycloak.org-v1.yml
+ - https://raw.githubusercontent.com/keycloak/keycloak-k8s-resources/22.0.5/kubernetes/keycloakrealmimports.k8s.keycloak.org-v1.yml
+ - https://raw.githubusercontent.com/keycloak/keycloak-k8s-resources/22.0.5/kubernetes/kubernetes.yml
\ No newline at end of file
diff --git a/argocd/keycloak/kustomization.yaml b/argocd/keycloak/kustomization.yaml
new file mode 100644
index 00000000..0a730c40
--- /dev/null
+++ b/argocd/keycloak/kustomization.yaml
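Review bot: The new custom manager entry quotes its keys (`"fileMatch"`, `"matchStrings"`, `"datasourceTemplate"`) while the neighbouring entries use the file's unquoted JSON5 style (`fileMatch:`, `datasourceTemplate:`); keep the unquoted form for consistency. As rendered here the matchStrings regex has two groups without names, `(?[^\/]*\/[^\/]*)` and `(?.*?)`, yet a Renovate regex manager needs `depName` and `currentValue` captured (or supplied via templates); confirm the committed file reads `(?<depName>…)` and `(?<currentValue>…)` and that the angle brackets were only lost in rendering, because otherwise the manager never produces an update. The `\/` escapes are redundant inside a JSON5 string and can be plain `/`.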
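Review bot: The wave order puts `keycloak` at `syncWave: "-1"` ahead of `keycloak-operator` at `"0"`, so the operator (and the CRDs its kustomization pulls in) syncs after the application that is presumably meant to consume it; if the intent is operator-first, the two values look swapped. Nothing in this commit creates a `Keycloak` custom resource, so the order is harmless today, but a comment on the elements stating the intended dependency would stop a later edit from relying on it, e.g. `# the operator must be synced before any Keycloak CR is added to the keycloak app`. The template annotation `argocd.argoproj.io/sync-wave: '{{syncWave}}'` now requires every element to carry `syncWave`; an element without it would render an empty annotation value, which is not a valid wave.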
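Review bot: `namespace: keycloak` forces every resource from the three remote files into the `keycloak` namespace, while the ApplicationSet element for this app (applicationset.yaml, same commit) names `keycloak-operator`; if the template's destination uses `{{namespace}}` (not visible here) Argo CD will target one namespace while the manifests land in another, and the Application will never report as synced. The three resources are fetched from raw.githubusercontent.com at every build by Git tag, and nothing checks what was downloaded; since the Renovate manager added in this commit exists to bump that tag, the choice is deliberate, but it deserves a comment such as `# fetched at build time; the pinned tag is bumped by the renovate custom manager`. The file also ends without a trailing newline (`\ No newline at end of file`).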
@@ -0,0 +1,10 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: keycloak
+
+resources:
+ - manifests/01_namespace.yaml
+ - manifests/02_service_account.yaml
+ - manifests/03_postgres.yaml
+ - manifests/04_keycloak.yaml
+ - manifests/05_ingress.yaml
\ No newline at end of file
diff --git a/argocd/keycloak/manifests/01_namespace.yaml b/argocd/keycloak/manifests/01_namespace.yaml
new file mode 100644
index 00000000..5e8adbfe
--- /dev/null
+++ b/argocd/keycloak/manifests/01_namespace.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: keycloak
\ No newline at end of file
diff --git a/argocd/keycloak/manifests/02_service_account.yaml b/argocd/keycloak/manifests/02_service_account.yaml
new file mode 100644
index 00000000..35d542bf
--- /dev/null
+++ b/argocd/keycloak/manifests/02_service_account.yaml
@@ -0,0 +1,6 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: keycloak
+ namespace: keycloak
\ No newline at end of file
diff --git a/argocd/keycloak/manifests/03_secret_store.yaml b/argocd/keycloak/manifests/03_secret_store.yaml
new file mode 100644
index 00000000..b50af423
--- /dev/null
+++ b/argocd/keycloak/manifests/03_secret_store.yaml
@@ -0,0 +1,23 @@
+---
+apiVersion: external-secrets.io/v1beta1
+kind: SecretStore
+metadata:
+ name: vault
+ namespace: keycloak
+spec:
+ provider:
+ vault:
+ server: "https://vault.vault.svc:8200"
+ path: "secret"
+ version: "v2"
+ auth:
+ kubernetes:
+ mountPath: "kubernetes"
+ role: "keycloak"
+ serviceAccountRef:
+ name: "keycloak"
+ caProvider:
+ type: "ConfigMap"
+ namespace: "keycloak"
+ name: "homelab-ca"
+ key: "ca.crt"
diff --git a/argocd/keycloak/manifests/04_external_secret_postgres.yaml b/argocd/keycloak/manifests/04_external_secret_postgres.yaml
new file mode 100644
index 00000000..71513183
--- /dev/null
+++ b/argocd/keycloak/manifests/04_external_secret_postgres.yaml
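Review bot: The resources list references `manifests/03_postgres.yaml`, `manifests/04_keycloak.yaml` and `manifests/05_ingress.yaml`, none of which this commit creates; the files actually added are `03_secret_store.yaml`, `04_external_secret_postgres.yaml`, `04_external_secret_postgres_keycloak.yaml`, `05_postgres.yaml`, `06_keycloak.yaml` and `07_ingress.yaml`, so `kustomize build` fails on missing files and, even if it did not, the SecretStore and both ExternalSecrets would never be applied. The list needs to name the files that exist, in the order their numeric prefixes suggest. This file, like most new files in the commit, also ends without a trailing newline.
```yaml
resources:
  - manifests/01_namespace.yaml
  - manifests/02_service_account.yaml
  - manifests/03_secret_store.yaml
  - manifests/04_external_secret_postgres.yaml
  - manifests/04_external_secret_postgres_keycloak.yaml
  - manifests/05_postgres.yaml
  - manifests/06_keycloak.yaml
  - manifests/07_ingress.yaml
```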
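Review bot: The ServiceAccount used for the Vault login, `serviceAccountRef.name: "keycloak"`, is the same account the Postgres StatefulSet and the Keycloak Deployment run under (`serviceAccountName: keycloak` in 05_postgres.yaml and 06_keycloak.yaml), and neither pod spec disables token automount, so any process in those containers holds a token that Vault accepts for role `keycloak` and can read `secret/data/homelab/prod/keycloak` directly, outside the per-key scoping the ExternalSecrets provide. A dedicated ServiceAccount for the SecretStore, with `automountServiceAccountToken: false` on the two workload pod specs, keeps the Vault identity out of the application containers. The caProvider points at ConfigMap `homelab-ca` in `keycloak`, which this commit does not create; presumably it is provisioned elsewhere, but the store stays unready until it exists, and a comment saying where it comes from would help.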
@@ -0,0 +1,23 @@
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: vault-postgres
+ namespace: keycloak
+spec:
+ refreshInterval: "1m"
+ target:
+ creationPolicy: "Merge"
+ deletionPolicy: "Retain"
+ secretStoreRef:
+ kind: SecretStore
+ name: vault
+ data:
+ - secretKey: POSTGRES_USER
+ remoteRef:
+ key: secret/data/homelab/prod/keycloak
+ property: POSTGRES_USER
+ - secretKey: POSTGRES_PASSWORD
+ remoteRef:
+ key: secret/data/homelab/prod/keycloak
+ property: POSTGRES_PASSWORD
\ No newline at end of file
diff --git a/argocd/keycloak/manifests/04_external_secret_postgres_keycloak.yaml b/argocd/keycloak/manifests/04_external_secret_postgres_keycloak.yaml
new file mode 100644
index 00000000..6001dbbf
--- /dev/null
+++ b/argocd/keycloak/manifests/04_external_secret_postgres_keycloak.yaml
@@ -0,0 +1,31 @@
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: vault-keycloak
+ namespace: keycloak
+spec:
+ refreshInterval: "1m"
+ target:
+ creationPolicy: "Merge"
+ deletionPolicy: "Retain"
+ secretStoreRef:
+ kind: SecretStore
+ name: vault
+ data:
+ - secretKey: KC_DB_USERNAME
+ remoteRef:
+ key: secret/data/homelab/prod/keycloak
+ property: KC_DB_USERNAME
+ - secretKey: KC_DB_PASSWORD
+ remoteRef:
+ key: secret/data/homelab/prod/keycloak
+ property: KC_DB_PASSWORD
+ - secretKey: KEYCLOAK_ADMIN
+ remoteRef:
+ key: secret/data/homelab/prod/keycloak
+ property: KEYCLOAK_ADMIN
+ - secretKey: KEYCLOAK_ADMIN_PASSWORD
+ remoteRef:
+ key: secret/data/homelab/prod/keycloak
+ property: KEYCLOAK_ADMIN_PASSWORD
\ No newline at end of file
diff --git a/argocd/keycloak/manifests/05_postgres.yaml b/argocd/keycloak/manifests/05_postgres.yaml
new file mode 100644
index 00000000..cfd92bd5
--- /dev/null
+++ b/argocd/keycloak/manifests/05_postgres.yaml
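Review bot: `creationPolicy: "Merge"` tells External Secrets to merge keys into a Secret that already exists and never to create one, so with no pre-existing `vault-postgres` Secret in `keycloak` this ExternalSecret stays in an error state and the Postgres StatefulSet never receives its credentials; `04_external_secret_postgres_keycloak.yaml` has the same setting for `vault-keycloak`. Unless those two Secrets are created by something outside this commit, both should use `creationPolicy: "Owner"` (the default), which creates and owns the target Secret. Giving both files the `04_` prefix also breaks the ordering convention the other manifests follow.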
@@ -0,0 +1,66 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: postgres
+ namespace: keycloak
+spec:
+ ports:
+ - port: 5432
+ name: postgres
+ selector:
+ app.kubernetes.io/name: keycloak-postgres
+ app.kubernetes.io/instance: keycloak-postgres
+ type: ClusterIP
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ name: postgres
+ namespace: keycloak
+spec:
+ serviceName: postgres
+ replicas: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: keycloak-postgres
+ app.kubernetes.io/instance: keycloak-postgres
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: keycloak-postgres
+ app.kubernetes.io/instance: keycloak-postgres
+ spec:
+ serviceAccountName: keycloak
+ containers:
+ - name: postgres
+ image: postgres:16.0
+ command:
+ - /bin/bash
+ - -c
+ args:
+ - source /vault/secrets/config && docker-entrypoint.sh postgres
+ env:
+ - name: PGDATA
+ value: /var/lib/postgresql/data/pgdata
+ envFrom:
+ - secretRef:
+ name: vault
+ ports:
+ - name: postgres
+ containerPort: 5432
+ volumeMounts:
+ - name: postgres-pv-claim
+ mountPath: /var/lib/postgresql/data
+ volumes:
+ - name: vault
+ secret:
+ secretName: vault-postgres
+ volumeClaimTemplates:
+ - metadata:
+ name: postgres-pv-claim
+ spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 10Gi
diff --git a/argocd/keycloak/manifests/06_keycloak.yaml b/argocd/keycloak/manifests/06_keycloak.yaml
new file mode 100644
index 00000000..502dcb0b
--- /dev/null
+++ b/argocd/keycloak/manifests/06_keycloak.yaml
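Review bot: The container's `envFrom` references a Secret named `vault`, but the only Secret this commit provisions for Postgres is `vault-postgres` (the ExternalSecret's default target name, also used by the `vault` volume below), so the pod will sit in CreateContainerConfigError; on top of that the `vault` volume has no matching `volumeMounts` entry, so `source /vault/secrets/config` in `args` finds no file and the `&&` chain never reaches `docker-entrypoint.sh`. Since the credentials already arrive through `envFrom`, the `source` wrapper and the Secret volume are redundant and the image entrypoint can run as-is. `KC_DB_URL` in 06_keycloak.yaml connects to database `keycloak`, but no `POSTGRES_DB` is set, so the image creates a database named after `POSTGRES_USER` instead; unless that user is itself `keycloak`, add `POSTGRES_DB`. Adding `resources` requests/limits as the Keycloak Deployment does would also keep the two workloads consistent.
```yaml
        image: postgres:16.0
        # command/args dropped: the image entrypoint starts postgres itself
        env:
          - name: PGDATA
            value: /var/lib/postgresql/data/pgdata
          - name: POSTGRES_DB
            value: keycloak
        envFrom:
          - secretRef:
              name: vault-postgres
        # … unchanged: ports, volumeMounts …
        # … dropped: the `vault` Secret volume, which was never mounted …
```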
@@ -0,0 +1,96 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: keycloak
+ namespace: keycloak
+ labels:
+ app.kubernetes.io/name: keycloak
+ app.kubernetes.io/instance: keycloak
+spec:
+ ports:
+ - name: http
+ port: 80
+ targetPort: 8080
+ selector:
+ app.kubernetes.io/name: keycloak
+ app.kubernetes.io/instance: keycloak
+ ipFamilyPolicy: PreferDualStack
+ type: ClusterIP
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: keycloak
+ namespace: keycloak
+ labels:
+ app.kubernetes.io/name: keycloak
+ app.kubernetes.io/instance: keycloak
+ annotations:
+ reloader.stakater.com/auto: "true"
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: keycloak
+ app.kubernetes.io/instance: keycloak
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: keycloak
+ app.kubernetes.io/instance: keycloak
+ spec:
+ serviceAccountName: keycloak
+ containers:
+ - name: keycloak
+ image: quay.io/keycloak/keycloak:22.0.5
+ command:
+ - /bin/bash
+ - -c
+ args:
+ - source /vault/secrets/config && /opt/keycloak/bin/kc.sh start
+ env:
+ - name: KC_PROXY
+ value: "edge"
+ - name: KC_HEALTH_ENABLED
+ value: "true"
+ - name: KC_METRICS_ENABLED
+ value: "true"
+ - name: KC_HOSTNAME_STRICT_HTTPS
+ value: "false"
+ - name: KC_LOG_LEVEL
+ value: INFO
+ - name: KC_DB
+ value: postgres
+ - name: KC_HOSTNAME
+ value: sso.unicornafk.fr
+ - name: KC_DB_URL
+ value: jdbc:postgresql://postgres/keycloak
+ envFrom:
+ - secretRef:
+ name: vault
+ ports:
+ - name: http
+ containerPort: 8080
+ readinessProbe:
+ httpGet:
+ path: /health/ready
+ port: 8080
+ initialDelaySeconds: 250
+ periodSeconds: 10
+ livenessProbe:
+ httpGet:
+ path: /health/live
+ port: 8080
+ initialDelaySeconds: 500
+ periodSeconds: 30
+ resources:
+ limits:
+ memory: 2Gi
+ cpu: "1"
+ requests:
+ memory: 256Mi
+ cpu: "0.2"
+ volumes:
+ - name: vault
+ secret:
+ secretName: vault-keycloak
\ No newline at end of file
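Review bot: As in 05_postgres.yaml, `envFrom` references a Secret named `vault` while the ExternalSecret for this workload targets `vault-keycloak`, and the `vault` volume is declared but never mounted, so `source /vault/secrets/config` fails and `kc.sh start` is never reached; `name: vault-keycloak` under `secretRef`, dropping the `source … &&` prefix from `args` and removing the unused volume fixes both. `KC_HOSTNAME` is `sso.unicornafk.fr` but the Ingress in 07_ingress.yaml routes and requests the certificate for `sso.adminafk.fr`; the two must agree or every redirect and issuer URL Keycloak emits points at a host the Ingress does not serve, so one of them is a typo (presumably `value: sso.adminafk.fr`). With TLS terminated at that Ingress and `KC_PROXY: edge`, `KC_HOSTNAME_STRICT_HTTPS: "false"` only matters if plain-HTTP URLs are really intended; otherwise leave it at its default so generated URLs are always https. The 250 s and 500 s `initialDelaySeconds` would be better expressed as a `startupProbe`, so a slow first boot does not also delay failure detection on every later restart.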
diff --git a/argocd/keycloak/manifests/07_ingress.yaml b/argocd/keycloak/manifests/07_ingress.yaml
new file mode 100644
index 00000000..d2b0b4ae
--- /dev/null
+++ b/argocd/keycloak/manifests/07_ingress.yaml
@@ -0,0 +1,25 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: keycloak-external
+ namespace: keycloak
+ annotations:
+ cert-manager.io/cluster-issuer: letsencrypt
+spec:
+ rules:
+ - host: sso.adminafk.fr
+ http:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: keycloak
+ port:
+ name: http
+ tls:
+ - hosts:
+ - sso.adminafk.fr
+ secretName: sso.adminafk.fr-tls
+ ingressClassName: ingress-external
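Review bot: The single rule routes everything under `/` for `sso.adminafk.fr` through `ingress-external`, which includes Keycloak's admin console and admin REST paths as well as the realm endpoints clients need; if the admin console is only meant to be reachable from inside the homelab, a second Ingress on the internal class for the admin paths, with this one limited to the realm endpoints, keeps it off the public class. `pathType: ImplementationSpecific` with `/` is controller-dependent; `pathType: Prefix` expresses the same intent portably. The host here also differs from `KC_HOSTNAME` in 06_keycloak.yaml (`sso.unicornafk.fr`), which is raised on that hunk.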