add keycloak
This commit is contained in:
parent
7d7388efff
commit
d5156c033b
41
keycloak/README.md
Normal file
41
keycloak/README.md
Normal file
|
@ -0,0 +1,41 @@
|
|||
I recently broke this by deleting the database and restarting it.
|
||||
|
||||
This was actually an accident.
|
||||
|
||||
Anyway, I had a backup but went ahead and rolled forward to test the
|
||||
terraform-a-new-keycloak idea... and it worked, I think!
|
||||
|
||||
So I had a blank keycloak sitting in kubernetes based on the manifests here.
|
||||
|
||||
I then moved the tfstate away and reterraformed the oidc clients and ldap
|
||||
configs back into existence.
|
||||
|
||||
HOWEVER: the oidc secrets will be different. To unscrew this up, the secrets
|
||||
must be restored. This is most easily done by restoring the random password
|
||||
from the previous state.
|
||||
|
||||
First, we'll delete the existing new secrets. Then we'll restore the others.
|
||||
|
||||
```bash
|
||||
jq -c '.resources[]' terraform.tfstate.1681525339.backup | \
|
||||
jq -r '
|
||||
select(.type == "random_password")
|
||||
| @sh "terraform state rm \(.module).\(.type).\(.name)\"[0]\""
|
||||
' | sh -s
|
||||
```
|
||||
|
||||
I screwed my system up on Friday, April 14 at 21:22:19 CDT in the year 2023.
|
||||
|
||||
Now we'll restore the good secrets.
|
||||
|
||||
```bash
|
||||
jq -c '.resources[]' terraform.tfstate.1681525339.backup | \
|
||||
jq -r '
|
||||
select(.type == "random_password")
|
||||
| @sh "terraform import \(.module).\(.type).\(.name)\"[0]\" \(.instances[0].attributes.result)"
|
||||
' | sh -s
|
||||
```
|
||||
|
||||
At least, I think this worked... I also had to set the epoch to 1 for all of
|
||||
these (by modifying the state file by hand).
|
||||
|
34
keycloak/admin-user.yaml
Normal file
34
keycloak/admin-user.yaml
Normal file
|
@ -0,0 +1,34 @@
|
|||
apiVersion: generators.external-secrets.io/v1alpha1
|
||||
kind: Password
|
||||
metadata:
|
||||
name: keycloak-admin
|
||||
namespace: keycloak
|
||||
spec:
|
||||
length: 63
|
||||
digits: 5
|
||||
symbols: 5
|
||||
symbolCharacters: ",:-_"
|
||||
noUpper: false
|
||||
allowRepeat: true
|
||||
---
|
||||
apiVersion: external-secrets.io/v1beta1
|
||||
kind: ExternalSecret
|
||||
metadata:
|
||||
name: "keycloak-admin"
|
||||
namespace: keycloak
|
||||
spec:
|
||||
refreshInterval: "168h"
|
||||
target:
|
||||
name: keycloak-admin
|
||||
template:
|
||||
type: Opaque
|
||||
data:
|
||||
username: "admin"
|
||||
password: "{{ .password }}"
|
||||
dataFrom:
|
||||
- sourceRef:
|
||||
generatorRef:
|
||||
apiVersion: generators.external-secrets.io/v1alpha1
|
||||
kind: Password
|
||||
name: "keycloak-admin"
|
||||
|
3
keycloak/copy-admin-password.sh
Normal file
3
keycloak/copy-admin-password.sh
Normal file
|
@ -0,0 +1,3 @@
|
|||
#!/bin/bash
|
||||
|
||||
kubectl get secret -n keycloak keycloak-admin -o json | jq -r '@base64d "\(.data.password)"' | pbcopy
|
30
keycloak/db.yaml
Normal file
30
keycloak/db.yaml
Normal file
|
@ -0,0 +1,30 @@
|
|||
apiVersion: postgres-operator.crunchydata.com/v1beta1
|
||||
kind: PostgresCluster
|
||||
metadata:
|
||||
name: keycloakdb
|
||||
namespace: keycloak
|
||||
spec:
|
||||
image: registry.developers.crunchydata.com/crunchydata/crunchy-postgres:ubi8-14.6-2
|
||||
postgresVersion: 14
|
||||
instances:
|
||||
- replicas: 1
|
||||
dataVolumeClaimSpec:
|
||||
accessModes:
|
||||
- "ReadWriteOnce"
|
||||
resources:
|
||||
requests:
|
||||
storage: 1Gi
|
||||
storageClassName: ssd
|
||||
backups:
|
||||
pgbackrest:
|
||||
image: registry.developers.crunchydata.com/crunchydata/crunchy-pgbackrest:ubi8-2.41-2
|
||||
repos:
|
||||
- name: repo1
|
||||
volume:
|
||||
volumeClaimSpec:
|
||||
accessModes:
|
||||
- "ReadWriteMany"
|
||||
resources:
|
||||
requests:
|
||||
storage: 5Gi
|
||||
storageClassName: nfs
|
168
keycloak/keycloak-sts.yaml
Normal file
168
keycloak/keycloak-sts.yaml
Normal file
|
@ -0,0 +1,168 @@
|
|||
apiVersion: apps/v1
|
||||
kind: StatefulSet
|
||||
metadata:
|
||||
labels:
|
||||
app: keycloak
|
||||
annotations:
|
||||
reloader.stakater.com/auto: "true"
|
||||
name: cascade
|
||||
namespace: keycloak
|
||||
spec:
|
||||
podManagementPolicy: OrderedReady
|
||||
replicas: 1
|
||||
selector:
|
||||
matchLabels:
|
||||
app: keycloak
|
||||
serviceName: "keycloak"
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: keycloak
|
||||
spec:
|
||||
initContainers:
|
||||
- name: create-ca-jks
|
||||
command: ["pembundle2jks", "-o", "/ca-transfer/ca-bundle.jks", "/etc/ssl/certs/ca-bundle.crt"]
|
||||
image: jamesandariese/pembundle2jks
|
||||
volumeMounts:
|
||||
- mountPath: /etc/ssl/certs/ca-bundle.crt
|
||||
name: ca-bundle
|
||||
subPath: ca-bundle.crt
|
||||
- mountPath: /ca-transfer
|
||||
name: ca-transfer
|
||||
- name: delete-admin
|
||||
image: jamesandariese/keycloak-delete-admin
|
||||
env:
|
||||
- name: KC_DB
|
||||
value: postgres
|
||||
- name: KC_DB_USERNAME
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
key: user
|
||||
name: keycloakdb-pguser-keycloakdb
|
||||
- name: KC_DB_PASSWORD
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
key: password
|
||||
name: keycloakdb-pguser-keycloakdb
|
||||
- name: KC_DB_URL_DATABASE
|
||||
value: keycloakdb
|
||||
- name: KC_DB_URL_HOST
|
||||
value: keycloakdb-primary.keycloak.svc
|
||||
containers:
|
||||
- args:
|
||||
- start
|
||||
env:
|
||||
- name: KC_PROXY
|
||||
value: none
|
||||
- name: KC_HEALTH_ENABLED
|
||||
value: "true"
|
||||
- name: KEYCLOAK_ADMIN
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
key: username
|
||||
name: keycloak-admin
|
||||
- name: KEYCLOAK_ADMIN_PASSWORD
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
key: password
|
||||
name: keycloak-admin
|
||||
- name: KC_HOSTNAME
|
||||
value: auth.werts.us
|
||||
- name: KC_HTTP_PORT
|
||||
value: "8080"
|
||||
- name: KC_HTTPS_PORT
|
||||
value: "8443"
|
||||
- name: KC_HTTPS_CERTIFICATE_FILE
|
||||
value: /mnt/certificates/tls.crt
|
||||
- name: KC_HTTPS_CERTIFICATE_KEY_FILE
|
||||
value: /mnt/certificates/tls.key
|
||||
- name: KC_HTTPS_TRUST_STORE_FILE
|
||||
value: /ca-transfer/ca-bundle.jks
|
||||
- name: KC_HTTPS_TRUST_STORE_PASSWORD
|
||||
value: changeit
|
||||
- name: KC_DB
|
||||
value: postgres
|
||||
- name: KC_DB_USERNAME
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
key: user
|
||||
name: keycloakdb-pguser-keycloakdb
|
||||
- name: KC_DB_PASSWORD
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
key: password
|
||||
name: keycloakdb-pguser-keycloakdb
|
||||
- name: KC_DB_URL_DATABASE
|
||||
value: keycloakdb
|
||||
- name: KC_DB_URL_HOST
|
||||
value: keycloakdb-primary.keycloak.svc
|
||||
image: quay.io/keycloak/keycloak:21.0.0
|
||||
imagePullPolicy: Always
|
||||
livenessProbe:
|
||||
failureThreshold: 150
|
||||
httpGet:
|
||||
path: /health/live
|
||||
port: 8443
|
||||
scheme: HTTPS
|
||||
initialDelaySeconds: 20
|
||||
periodSeconds: 2
|
||||
successThreshold: 1
|
||||
timeoutSeconds: 1
|
||||
name: keycloak
|
||||
ports:
|
||||
- containerPort: 8443
|
||||
protocol: TCP
|
||||
- containerPort: 8080
|
||||
protocol: TCP
|
||||
readinessProbe:
|
||||
failureThreshold: 250
|
||||
httpGet:
|
||||
path: /health/ready
|
||||
port: 8443
|
||||
scheme: HTTPS
|
||||
initialDelaySeconds: 20
|
||||
periodSeconds: 2
|
||||
successThreshold: 1
|
||||
timeoutSeconds: 1
|
||||
resources: {}
|
||||
terminationMessagePath: /dev/termination-log
|
||||
terminationMessagePolicy: File
|
||||
volumeMounts:
|
||||
- mountPath: /mnt/certificates
|
||||
name: keycloak-tls-certificates
|
||||
- mountPath: /etc/ssl/certs/ca-bundle.crt
|
||||
name: ca-bundle
|
||||
subPath: ca-bundle.crt
|
||||
- mountPath: /etc/pki/ca-trust/extracted/java/cacerts
|
||||
name: ca-transfer
|
||||
subPath: ca-bundle.jks
|
||||
- mountPath: /ca-transfer
|
||||
name: ca-transfer
|
||||
- mountPath: /opt/keycloak/themes
|
||||
name: themes
|
||||
dnsPolicy: ClusterFirst
|
||||
restartPolicy: Always
|
||||
schedulerName: default-scheduler
|
||||
securityContext: {}
|
||||
terminationGracePeriodSeconds: 30
|
||||
volumes:
|
||||
- name: keycloak-tls-certificates
|
||||
secret:
|
||||
defaultMode: 420
|
||||
optional: false
|
||||
secretName: keycloak-tls
|
||||
- name: ca-bundle
|
||||
configMap:
|
||||
name: ca-bundle
|
||||
- name: themes
|
||||
nfs:
|
||||
path: /volume1/k8s-volumes/keycloak-themes
|
||||
server: 172.16.18.1
|
||||
- name: ca-transfer
|
||||
emptyDir:
|
||||
medium: Memory
|
||||
sizeLimit: 50Mi
|
||||
updateStrategy:
|
||||
rollingUpdate:
|
||||
partition: 0
|
||||
type: RollingUpdate
|
25
keycloak/keycloak-svc.yaml
Normal file
25
keycloak/keycloak-svc.yaml
Normal file
|
@ -0,0 +1,25 @@
|
|||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
labels:
|
||||
app: keycloak
|
||||
name: cascade-service
|
||||
namespace: keycloak
|
||||
annotations:
|
||||
metallb.universe.tf/loadBalancerIPs: 172.16.17.31
|
||||
spec:
|
||||
ipFamilies:
|
||||
- IPv4
|
||||
ipFamilyPolicy: SingleStack
|
||||
ports:
|
||||
- port: 80
|
||||
name: http
|
||||
protocol: TCP
|
||||
targetPort: 8080
|
||||
- port: 443
|
||||
name: https
|
||||
protocol: TCP
|
||||
targetPort: 8443
|
||||
selector:
|
||||
app: keycloak
|
||||
type: LoadBalancer
|
Loading…
Reference in New Issue
Block a user