add keycloak

Author: klinch0

.pre-commit-config.yaml

@@ -1,19 +1,4 @@
 repos:
-- repo: https://github.com/pre-commit/pre-commit-hooks
-  rev: v4.5.0
-  hooks:
-    - id: end-of-file-fixer
-    - id: trailing-whitespace
-    - id: mixed-line-ending
-      args: [--fix=lf]
-    - id: check-yaml
-      exclude: '^.*templates/.*\.yaml$'
-      args: [--unsafe]
-- repo: https://github.com/igorshubovych/markdownlint-cli
-  rev: v0.42.0
-  hooks:
-    - id: markdownlint
-      args: [--fix, --disable, MD013, MD041, --]
 -   repo: local
     hooks:
     - id: gen-versions-map

packages/apps/tenant/templates/tenant.yaml

@@ -88,3 +88,57 @@ roleRef:
   kind: Role
   name: {{ include "tenant.name" . }}
   apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: cozy:{{ include "tenant.name" . }}-rw
+  namespace: cozy-public
+rules:
+- apiGroups: ["apps.cozystack.io/v1alpha1"]
+  resources: ["*"]
+  verbs: ["*"]
+- apiGroups: ["source.toolkit.fluxcd.io"]
+  resources: ["helm.toolkit.fluxcd.io/v2"]
+  verbs: ["*"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: cozy:{{ include "tenant.name" . }}-rw
+  namespace: cozy-public
+subjects:
+- kind: Group
+  name: cozy:{{ include "tenant.name" . }}-rw
+  apiGroup: rbac.authorization.k8s.io
+roleRef:
+  kind: Role
+  name: cozy:{{ include "tenant.name" . }}-rw
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: cozy:{{ include "tenant.name" . }}-ro
+  namespace: cozy-public
+rules:
+- apiGroups: ["apps.cozystack.io/v1alpha1"]
+  resources: ["*"]
+  verbs: ["get", "list", "watch"]
+- apiGroups: ["source.toolkit.fluxcd.io"]
+  resources: ["helm.toolkit.fluxcd.io/v2"]
+  verbs: ["get", "list", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: cozy:{{ include "tenant.name" . }}-ro
+  namespace: cozy-public
+subjects:
+- kind: Group
+  name: cozy:{{ include "tenant.name" . }}-ro
+  apiGroup: rbac.authorization.k8s.io
+roleRef:
+  kind: Role
+  name: cozy:{{ include "tenant.name" . }}-ro
+  apiGroup: rbac.authorization.k8s.io

packages/core/platform/bundles/distro-full.yaml

@@ -174,3 +174,15 @@ releases:
   namespace: cozy-external-secrets-operator
   optional: true
   dependsOn: [cilium]
+
+- name: postgres-instance
+  releaseName: postgres-instance
+  chart: cozy-postgres-instance
+  namespace: cozy-keycloak
+  dependsOn: [postgres-operator]
+
+- name: keycloak
+  releaseName: keycloak
+  chart: cozy-keycloak
+  namespace: cozy-keycloak
+  dependsOn: [postgres-instance]

packages/core/platform/bundles/distro-hosted.yaml

@@ -124,3 +124,15 @@ releases:
   namespace: cozy-external-secrets-operator
   optional: true
   dependsOn: []
+
+- name: postgres-instance
+  releaseName: postgres-instance
+  chart: cozy-postgres-instance
+  namespace: cozy-keycloak
+  dependsOn: [postgres-operator]
+
+- name: keycloak
+  releaseName: keycloak
+  chart: cozy-keycloak
+  namespace: cozy-keycloak
+  dependsOn: [postgres-instance]

packages/core/platform/bundles/paas-full.yaml

@@ -249,3 +249,15 @@ releases:
   namespace: cozy-external-secrets-operator
   optional: true
   dependsOn: [cilium,kubeovn]
+
+- name: postgres-instance
+  releaseName: postgres-instance
+  chart: cozy-postgres-instance
+  namespace: cozy-keycloak
+  dependsOn: [postgres-operator]
+
+- name: keycloak
+  releaseName: keycloak
+  chart: cozy-keycloak
+  namespace: cozy-keycloak
+  dependsOn: [postgres-instance]

packages/core/platform/bundles/paas-hosted.yaml

@@ -19,7 +19,7 @@ releases:
   chart: cozy-cert-manager-crds
   namespace: cozy-cert-manager
   dependsOn: []
-  
+
 - name: cozystack-api
   releaseName: cozystack-api
   chart: cozy-cozystack-api
@@ -145,3 +145,15 @@ releases:
             {{- end }}
   {{- end }}
   {{- end }}
+
+- name: postgres-instance
+  releaseName: postgres-instance
+  chart: cozy-postgres-instance
+  namespace: cozy-keycloak
+  dependsOn: [postgres-operator]
+
+- name: keycloak
+  releaseName: keycloak
+  chart: cozy-keycloak
+  namespace: cozy-keycloak
+  dependsOn: [postgres-instance]

packages/system/keycloak/Chart.yaml

@@ -0,0 +1,3 @@
+apiVersion: v2
+name: cozy-keycloak
+version: 0.0.0 # Placeholder, the actual version will be automatically set during the build process

packages/system/keycloak/templates/ingress.yaml

@@ -0,0 +1,25 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: keycloak-ingress
+  {{- with .Values.ingress.Annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  ingressClassName: {{ .Values.ingress.ingressClassName }}
+  tls:
+  - hosts:
+      - {{ .Values.ingress.host }}
+    secretName: web-tls
+  rules:
+  - host: {{ .Values.ingress.host }}
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: keycloak-http
+            port:
+              name: http

packages/system/keycloak/templates/init-script.yaml

@@ -0,0 +1,30 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: keycloak-init-script
+data:
+  init-realm.sh: |
+    #!/bin/bash
+    set -e
+
+    until curl -sSf http://localhost:8080/realms/master; do
+      echo "Waiting for Keycloak to be ready..."
+      sleep 5
+    done
+
+    TOKEN=$(curl -s -X POST "http://localhost:8080/realms/master/protocol/openid-connect/token" \
+      -H "Content-Type: application/x-www-form-urlencoded" \
+      -d "username={{ .Values.user }}" \
+      -d "password={{ .Values.password }}" \
+      -d 'grant_type=password' \
+      -d 'client_id=admin-cli' | jq -r '.access_token')
+
+    curl -s -X POST "http://localhost:8080/admin/realms" \
+      -H "Authorization: Bearer $TOKEN" \
+      -H "Content-Type: application/json" \
+      -d '{
+            "realm": "cozy",
+            "enabled": true
+          }'
+
+    echo "Realm 'cozy' created successfully."

packages/system/keycloak/templates/service-headless.yaml

@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: keycloak-headless
+spec:
+  type: ClusterIP
+  clusterIP: None
+  selector:
+    app: keycloak-ha

packages/system/keycloak/templates/service.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: keycloak-http
+spec:
+  type: ClusterIP
+  ports:
+    - name: http
+      port: 8080
+      protocol: TCP
+  selector:
+    app: keycloak-ha

packages/system/keycloak/templates/sts.yaml

@@ -0,0 +1,115 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: keycloak
+  labels:
+    app: keycloak-ha
+spec:
+  selector:
+    matchLabels:
+      app: keycloak-ha
+  replicas: 2
+  serviceName: keycloak-headless
+  podManagementPolicy: Parallel
+  updateStrategy:
+    type: RollingUpdate
+  template:
+    metadata:
+      labels:
+        app: keycloak-ha
+    spec:
+      restartPolicy: Always
+      securityContext:
+        fsGroup: 1000
+      containers:
+        - name: keycloak
+          image: {{ .Values.image }}
+          imagePullPolicy: Always
+         {{- if or .Values.resources.requests .Values.resources.limits }}
+          resources:
+            {{- if .Values.resources.limits }}
+            limits:
+              {{- toYaml .Values.resources.limits | nindent 14 }}
+            {{- end }}
+            {{- if .Values.resources.requests }}
+            requests:
+              {{- toYaml .Values.resources.requests | nindent 14 }}
+            {{- end }}
+          {{- end }}
+          securityContext:
+            runAsNonRoot: true
+            runAsUser: 1000
+            capabilities:
+              drop:
+                - ALL
+                - CAP_NET_RAW
+            readOnlyRootFilesystem: false
+            allowPrivilegeEscalation: false
+          args:
+            - start
+          env:
+            - name: KC_METRICS_ENABLED
+              value: "true"
+            - name: KC_LOG_LEVEL
+              value: "info"
+            - name: KC_CACHE
+              value: "ispn"
+            - name: KC_CACHE_STACK
+              value: "kubernetes"
+            - name: KC_PROXY
+              value: "edge"
+            - name: KEYCLOAK_ADMIN
+              value: {{ .Values.user }}
+            - name: KEYCLOAK_ADMIN_PASSWORD
+              value: {{ .Values.password }}
+            - name: KC_DB
+              value: "postgres"
+            - name: KC_DB_URL_HOST
+              value: "postgres-keycloak-rw"
+            - name: KC_DB_URL_PORT
+              value: "5432"
+            - name: KC_DB_USERNAME
+              valueFrom:
+              value: keycloak
+            - name: KC_DB_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: postgres-keycloak-credentials
+                  key: "keycloak"
+            - name: KC_DB_URL_DATABASE
+              value: keycloak
+            - name: KC_FEATURES
+              value: "docker"
+            - name: KC_HOSTNAME
+              value: {{ .Values.ingress.host }}
+            - name: JAVA_OPTS_APPEND
+              value: "-Djgroups.dns.query=keycloak-headless.keycloak.svc.cozy.local"
+          ports:
+            - name: http
+              containerPort: 8080
+              protocol: TCP
+          livenessProbe:
+            httpGet:
+              path: /
+              port: http
+            initialDelaySeconds: 120
+            timeoutSeconds: 5
+          readinessProbe:
+            httpGet:
+              path: /realms/master
+              port: http
+            initialDelaySeconds: 60
+            timeoutSeconds: 1
+          lifecycle:
+            postStart:
+              exec:
+                command: ["/bin/bash", "-c", "if [[ $(HOSTNAME) == *-0 ]]; then /scripts/init-realm.sh; fi"]
+      volumes:
+        - name: init-script
+          configMap:
+            name: keycloak-init-script
+      volumeMounts:
+        - name: init-script
+          mountPath: /scripts
+          readOnly: true
+      terminationGracePeriodSeconds: 60

packages/system/keycloak/values.yaml

@@ -0,0 +1,23 @@
+image: quay.io/keycloak/keycloak:26.0.4
+host: keycloak.infra.aenix.org
+user: admin
+password: "{{ randAlphaNum 16 }}"
+
+ingress:
+  host: keycloak.example.com
+  issuer: letsencrypt-prod
+  ingressClassName: tenent-root
+  annotations:
+    acme.cert-manager.io/http01-ingress-class: tenant-root
+    cert-manager.io/cluster-issuer: letsencrypt-prod
+    nginx.ingress.kubernetes.io/affinity: "cookie"
+    nginx.ingress.kubernetes.io/session-cookie-expires: "86400"
+    nginx.ingress.kubernetes.io/session-cookie-max-age: "86400"
+    nginx.ingress.kubernetes.io/session-cookie-name: "keycloak-cookie"
+
+resources:
+  limits:
+    memory: 1500Mi
+  requests:
+    memory: 500Mi
+    cpu: 100m

packages/system/postgres-instance/Chart.yaml

@@ -0,0 +1,3 @@
+apiVersion: v2
+name: cozy-postgres-keycloak
+version: 0.0.0 # Placeholder, the actual version will be automatically set during the build process

packages/system/postgres-instance/templates/cluster.yaml

@@ -0,0 +1,18 @@
+---
+apiVersion: postgresql.cnpg.io/v1
+kind: Cluster
+metadata:
+  name: {{ .Release.Name }}
+spec:
+  instances: {{ .Values.replicas }}
+  enableSuperuserAccess: true
+  monitoring:
+    enablePodMonitor: true
+  storage:
+    size: {{ required ".Values.size is required" .Values.size }}
+    {{- with .Values.storageClass }}
+    storageClass: {{ . }}
+    {{- end }}
+  inheritedMetadata:
+    labels:
+      policy.cozystack.io/allow-to-apiserver: "true"