Added keycloak

k8s/core/keycloak/app.yaml

@@ -0,0 +1,21 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: keycloak
+  namespace: argocd
+spec:
+  project: core
+  destination:
+    namespace: keycloak
+    server: https://kubernetes.default.svc
+  source:
+    repoURL: ssh://git@gt.hexor.cy:30022/ab/homelab.git
+    targetRevision: HEAD
+    path: k8s/core/keycloak
+  syncPolicy:
+    automated:
+      selfHeal: true
+      prune: true
+    syncOptions:
+      - CreateNamespace=true
+      - ServerSideApply=true

k8s/core/keycloak/external-secrets.yaml

@@ -0,0 +1,41 @@
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: keycloak-creds
+spec:
+  target:
+    name: keycloak-creds
+    deletionPolicy: Delete
+    template:
+      type: Opaque
+      data:
+        KC_DB_USERNAME: keycloak
+        KC_DB_PASSWORD: |-
+          {{ .db_password }}
+        KC_BOOTSTRAP_ADMIN_USERNAME: admin
+        KC_BOOTSTRAP_ADMIN_PASSWORD: |-
+          {{ .admin_password }}
+  data:
+    - secretKey: db_password
+      sourceRef:
+        storeRef:
+          name: vaultwarden-login
+          kind: ClusterSecretStore
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        metadataPolicy: None
+        key: 2a9deb39-ef22-433e-a1be-df1555625e22
+        property: fields[18].value
+    - secretKey: admin_password
+      sourceRef:
+        storeRef:
+          name: vaultwarden-login
+          kind: ClusterSecretStore
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        metadataPolicy: None
+        key: 9422b636-a91d-40e4-bf98-925b2a3f831d
+        property: login.password

k8s/core/keycloak/kustomization.yaml

@@ -0,0 +1,14 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - app.yaml
+  - external-secrets.yaml
+
+helmCharts:
+  - name: keycloakx
+    repo: https://codecentric.github.io/helm-charts
+    version: 7.1.11
+    releaseName: keycloak
+    namespace: keycloak
+    valuesFile: values.yaml

k8s/core/keycloak/values.yaml

@@ -0,0 +1,81 @@
+replicas: 1
+
+image:
+  repository: quay.io/keycloak/keycloak
+  tag: "26.5.6"
+
+command:
+  - "/opt/keycloak/bin/kc.sh"
+  - "start"
+  - "--http-port=8080"
+  - "--hostname-strict=false"
+  - "--proxy-headers=xforwarded"
+
+extraEnvFrom: |
+  - secretRef:
+      name: keycloak-creds
+
+extraEnv: |
+  - name: KC_DB
+    value: postgres
+  - name: KC_DB_URL_HOST
+    value: psql.psql.svc
+  - name: KC_DB_URL_PORT
+    value: "5432"
+  - name: KC_DB_URL_DATABASE
+    value: keycloak
+  - name: KC_HOSTNAME
+    value: auth.hexor.cy
+  - name: KC_HTTP_ENABLED
+    value: "true"
+  - name: KC_HEALTH_ENABLED
+    value: "true"
+  - name: KC_METRICS_ENABLED
+    value: "true"
+  - name: JAVA_OPTS_APPEND
+    value: "-Djgroups.dns.query=keycloak-headless.keycloak.svc"
+
+dbchecker:
+  enabled: true
+
+database:
+  vendor: postgres
+  hostname: psql.psql.svc
+  port: 5432
+  database: keycloak
+  existingSecret: keycloak-creds
+  existingSecretKey: KC_DB_PASSWORD
+
+service:
+  type: ClusterIP
+
+ingress:
+  enabled: true
+  ingressClassName: traefik
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt
+    traefik.ingress.kubernetes.io/router.middlewares: kube-system-https-redirect@kubernetescrd
+  rules:
+    - host: auth.hexor.cy
+      paths:
+        - path: /
+          pathType: Prefix
+  tls:
+    - secretName: keycloak-tls
+      hosts:
+        - auth.hexor.cy
+
+resources:
+  requests:
+    cpu: 200m
+    memory: 512Mi
+  limits:
+    cpu: "1"
+    memory: 1Gi
+
+nodeSelector:
+  kubernetes.io/hostname: master.tail2fe2d.ts.net
+
+tolerations:
+  - key: node-role.kubernetes.io/master
+    effect: NoSchedule