diff --git a/k8s/core/keycloak/app.yaml b/k8s/core/keycloak/app.yaml
new file mode 100644
index 0000000..eb3a196
--- /dev/null
+++ b/k8s/core/keycloak/app.yaml
@@ -0,0 +1,21 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: keycloak
+  namespace: argocd
+spec:
+  project: core
+  destination:
+    namespace: keycloak
+    server: https://kubernetes.default.svc
+  source:
+    repoURL: ssh://git@gt.hexor.cy:30022/ab/homelab.git
+    targetRevision: HEAD
+    path: k8s/core/keycloak
+  syncPolicy:
+    automated:
+      selfHeal: true
+      prune: true
+    syncOptions:
+      - CreateNamespace=true
+      - ServerSideApply=true
diff --git a/k8s/core/keycloak/external-secrets.yaml b/k8s/core/keycloak/external-secrets.yaml
new file mode 100644
index 0000000..87b04d4
--- /dev/null
+++ b/k8s/core/keycloak/external-secrets.yaml
@@ -0,0 +1,41 @@
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: keycloak-creds
+spec:
+  target:
+    name: keycloak-creds
+    deletionPolicy: Delete
+    template:
+      type: Opaque
+      data:
+        KC_DB_USERNAME: keycloak
+        KC_DB_PASSWORD: |-
+          {{ .db_password }}
+        KC_BOOTSTRAP_ADMIN_USERNAME: admin
+        KC_BOOTSTRAP_ADMIN_PASSWORD: |-
+          {{ .admin_password }}
+  data:
+    - secretKey: db_password
+      sourceRef:
+        storeRef:
+          name: vaultwarden-login
+          kind: ClusterSecretStore
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        metadataPolicy: None
+        key: 2a9deb39-ef22-433e-a1be-df1555625e22
+        property: fields[18].value
+    - secretKey: admin_password
+      sourceRef:
+        storeRef:
+          name: vaultwarden-login
+          kind: ClusterSecretStore
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        metadataPolicy: None
+        key: 9422b636-a91d-40e4-bf98-925b2a3f831d
+        property: login.password
diff --git a/k8s/core/keycloak/kustomization.yaml b/k8s/core/keycloak/kustomization.yaml
new file mode 100644
index 0000000..6f3364d
--- /dev/null
+++ b/k8s/core/keycloak/kustomization.yaml
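Review bot: `targetRevision: HEAD` combined with `automated.selfHeal: true` and `prune: true` in app.yaml means every commit that reaches the repository's default branch is applied to the keycloak namespace immediately, and any object that drops out of the rendered output is deleted, with no manual gate. For the identity provider that other services trust, consider pinning to a named branch or tag (`targetRevision: <release-branch-or-tag>`, placeholder) or leaving `prune` off until the deployment has settled. If tracking HEAD is intentional, a comment such as `# HEAD = default branch; prune+selfHeal apply every push without review` makes the blast radius explicit to the next maintainer.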
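Review bot: `property: fields[18].value` on the `db_password` entry selects a Vaultwarden custom field by position, so inserting or reordering a custom field in that item silently lands a different value in `KC_DB_PASSWORD` without any error from the operator. If the ClusterSecretStore's provider can address the field by name, prefer that; otherwise record the dependency next to the line, e.g. `# positional: custom field #19 ("<field name>") of the Vaultwarden item — re-verify after editing the item`. The `admin_password` entry is more robust because it reads the item's `login.password` directly. As far as I know `KC_BOOTSTRAP_ADMIN_*` only seeds the admin user on first start, so rotating the Vaultwarden entry later will not change the live admin password; a short comment on that template line would prevent a false sense of rotation.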
@@ -0,0 +1,14 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - app.yaml
+  - external-secrets.yaml
+
+helmCharts:
+  - name: keycloakx
+    repo: https://codecentric.github.io/helm-charts
+    version: 7.1.11
+    releaseName: keycloak
+    namespace: keycloak
+    valuesFile: values.yaml
diff --git a/k8s/core/keycloak/values.yaml b/k8s/core/keycloak/values.yaml
new file mode 100644
index 0000000..6a0a539
--- /dev/null
+++ b/k8s/core/keycloak/values.yaml
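Review bot: The `helmCharts` stanza only renders if Argo CD's repo-server runs kustomize with `--enable-helm` (`kustomize.buildOptions` in argocd-cm), and nothing in this change shows that setting, so the sync may fail at build time; confirm it is enabled or note it above the stanza with `# requires kustomize.buildOptions: --enable-helm in argocd-cm`. Pinning `version: 7.1.11` is good; since the chart is fetched from the public repo at every build, a comment naming where to check upstream release notes before bumping would help. Listing `app.yaml` under `resources` also puts the Application under its own management, which is a deliberate pattern but worth a one-line comment so nobody removes it thinking it is a stray duplicate.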
@@ -0,0 +1,81 @@
+replicas: 1
+
+image:
+  repository: quay.io/keycloak/keycloak
+  tag: "26.5.6"
+
+command:
+  - "/opt/keycloak/bin/kc.sh"
+  - "start"
+  - "--http-port=8080"
+  - "--hostname-strict=false"
+  - "--proxy-headers=xforwarded"
+
+extraEnvFrom: |
+  - secretRef:
+      name: keycloak-creds
+
+extraEnv: |
+  - name: KC_DB
+    value: postgres
+  - name: KC_DB_URL_HOST
+    value: psql.psql.svc
+  - name: KC_DB_URL_PORT
+    value: "5432"
+  - name: KC_DB_URL_DATABASE
+    value: keycloak
+  - name: KC_HOSTNAME
+    value: auth.hexor.cy
+  - name: KC_HTTP_ENABLED
+    value: "true"
+  - name: KC_HEALTH_ENABLED
+    value: "true"
+  - name: KC_METRICS_ENABLED
+    value: "true"
+  - name: JAVA_OPTS_APPEND
+    value: "-Djgroups.dns.query=keycloak-headless.keycloak.svc"
+
+dbchecker:
+  enabled: true
+
+database:
+  vendor: postgres
+  hostname: psql.psql.svc
+  port: 5432
+  database: keycloak
+  existingSecret: keycloak-creds
+  existingSecretKey: KC_DB_PASSWORD
+
+service:
+  type: ClusterIP
+
+ingress:
+  enabled: true
+  ingressClassName: traefik
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt
+    traefik.ingress.kubernetes.io/router.middlewares: kube-system-https-redirect@kubernetescrd
+  rules:
+    - host: auth.hexor.cy
+      paths:
+        - path: /
+          pathType: Prefix
+  tls:
+    - secretName: keycloak-tls
+      hosts:
+        - auth.hexor.cy
+
+resources:
+  requests:
+    cpu: 200m
+    memory: 512Mi
+  limits:
+    cpu: "1"
+    memory: 1Gi
+
+nodeSelector:
+  kubernetes.io/hostname: master.tail2fe2d.ts.net
+
+tolerations:
+  - key: node-role.kubernetes.io/master
+    effect: NoSchedule
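Review bot: `--hostname-strict=false` in `command` looks redundant and loosens the hostname guard: `KC_HOSTNAME` already fixes the public hostname to `auth.hexor.cy`, and Keycloak's server docs recommend leaving `hostname-strict` at its default of `true` in production so that request-supplied Host/X-Forwarded-Host values cannot influence generated URLs such as password-reset links or the OIDC issuer. Drop the `- "--hostname-strict=false"` line unless Traefik is known to rewrite the Host header. Related: `--proxy-headers=xforwarded` makes Keycloak trust X-Forwarded-* from any in-cluster client that can reach the ClusterIP service on 8080, so if this Keycloak version supports it add `--proxy-trusted-addresses=<ingress-pod-cidr>` (placeholder) to limit that trust. The ingress publishes `/` on `auth.hexor.cy`, which also exposes the admin console under `/admin`; consider a separate admin hostname via `--hostname-admin` or an allow-list middleware on that path. The `database` block and `extraEnv` appear to supply the same host/port/database settings twice, which is harmless today but invites drift; keeping one source with a comment explaining why the other is omitted would be cleaner.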