From d9b53357393fcb212321dbc8c36d605a17cd64f6 Mon Sep 17 00:00:00 2001 
From: James Andariese Date: Tue, 19 Dec 2023 16:19:09 -0600 Subject: [PATCH] add keycloak --- gitea/cm.yaml | 81 +++++++++++++++++++ keycloak/ingress.yaml | 30 +++++-- keycloak/keycloak-sts.yaml | 4 + keycloak/oauth2-proxy.yaml | 70 +++++++++++++++++ keycloak/tf/.gitignore | 2 + keycloak/tf/appwrite-cloud.tf | 15 ++++ keycloak/tf/client-budibase.tf | 15 ++++ keycloak/tf/client-concourse.tf | 13 +++ keycloak/tf/client-debugger.tf | 13 +++ keycloak/tf/client-frigate.tf | 16 ++++ keycloak/tf/client-gitea.tf | 13 +++ keycloak/tf/client-grafana.tf | 13 +++ keycloak/tf/client-grist.tf | 15 ++++ keycloak/tf/client-harbor.tf | 16 ++++ keycloak/tf/client-jenkins.tf | 13 +++ keycloak/tf/client-longhorn.tf | 16 ++++ keycloak/tf/client-mastodon.tf | 15 ++++ keycloak/tf/client-matrix.tf | 18 +++++ keycloak/tf/client-minio.tf | 15 ++++ keycloak/tf/client-nodered1.tf | 10 +++ keycloak/tf/client-oauth-proxy.tf | 19 +++++ keycloak/tf/client-peertube.tf | 15 ++++ keycloak/tf/client-pleroma.tf | 15 ++++ keycloak/tf/client-tubearchivist.tf | 16 ++++ keycloak/tf/client-tubesync.tf | 16 ++++ keycloak/tf/client-windmill-k8s.tf | 14 ++++ keycloak/tf/client-windmill.tf | 16 ++++ keycloak/tf/main.tf | 8 ++ keycloak/tf/oidc-client/versions.tf | 12 +++ keycloak/tf/oidc-client/werts.tf | 118 ++++++++++++++++++++++++++++ keycloak/tf/providers.tf | 23 ++++++ keycloak/tf/versions.tf | 16 ++++ keycloak/tf/werts.tf | 25 ++++++ nvidia/README.md | 24 ++++++ 34 files changed, 735 insertions(+), 5 deletions(-) create mode 100644 gitea/cm.yaml create mode 100644 keycloak/oauth2-proxy.yaml create mode 100644 keycloak/tf/.gitignore create mode 100644 keycloak/tf/appwrite-cloud.tf create mode 100644 keycloak/tf/client-budibase.tf create mode 100644 keycloak/tf/client-concourse.tf create mode 100644 keycloak/tf/client-debugger.tf create mode 100644 keycloak/tf/client-frigate.tf create mode 100644 keycloak/tf/client-gitea.tf create mode 100644 keycloak/tf/client-grafana.tf create mode 100644 
keycloak/tf/client-grist.tf create mode 100644 keycloak/tf/client-harbor.tf create mode 100644 keycloak/tf/client-jenkins.tf create mode 100644 keycloak/tf/client-longhorn.tf create mode 100644 keycloak/tf/client-mastodon.tf create mode 100644 keycloak/tf/client-matrix.tf create mode 100644 keycloak/tf/client-minio.tf create mode 100644 keycloak/tf/client-nodered1.tf create mode 100644 keycloak/tf/client-oauth-proxy.tf create mode 100644 keycloak/tf/client-peertube.tf create mode 100644 keycloak/tf/client-pleroma.tf create mode 100644 keycloak/tf/client-tubearchivist.tf create mode 100644 keycloak/tf/client-tubesync.tf create mode 100644 keycloak/tf/client-windmill-k8s.tf create mode 100644 keycloak/tf/client-windmill.tf create mode 100644 keycloak/tf/main.tf create mode 100644 keycloak/tf/oidc-client/versions.tf create mode 100644 keycloak/tf/oidc-client/werts.tf create mode 100644 keycloak/tf/providers.tf create mode 100644 keycloak/tf/versions.tf create mode 100644 keycloak/tf/werts.tf create mode 100644 nvidia/README.md diff --git a/gitea/cm.yaml b/gitea/cm.yaml new file mode 100644 index 0000000..9b3ba47 --- /dev/null +++ b/gitea/cm.yaml 
@@ -0,0 +1,81 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: gitea-config + namespace: gitea +data: + GITEA____APP_NAME: "git@CASCADE" + GITEA____RUN_MODE: "prod" + GITEA____RUN_USER: "git" + GITEA____WORK_PATH: "/app/gitea" + + MINIO__server__ROOT_URL: https://git.strudelline.net/ + MINIO__server__DOMAIN: git.strudelline.net + + GITEA__actions__DEFAULT_ACTIONS_URL: "https://github.com" + GITEA__actions__ENABLED: "true" + + GITEA__attachment__PATH: "/data/gitea/attachments" + + GITEA__cron__update_checker__ENABLED: "true" + + GITEA__database__CHARSET: "utf8" + GITEA__database__DB_TYPE: "sqlite3" + GITEA__database__HOST: "localhost:3306" + GITEA__database__LOG_SQL: "false" + GITEA__database__NAME: "gitea" + GITEA__database__PASSWD: "" + GITEA__database__PATH: "/data/gitea/gitea.db" + GITEA__database__SCHEMA: "" + GITEA__database__SSL_MODE: "disable" + GITEA__database__USER: "root" + + GITEA__indexer__ISSUE_INDEXER_PATH: "/data/gitea/indexers/issues.bleve" + + GITEA__lfs__PATH: "/data/git/lfs" + + GITEA__log__LEVEL: "info" + GITEA__log__MODE: "console" + GITEA__log__ROOT_PATH: "/data/gitea/log" + + GITEA__openid__ENABLE_OPENID_SIGNIN: "true" + GITEA__openid__ENABLE_OPENID_SIGNUP: "false" + + GITEA__picture__AVATAR_UPLOAD_PATH: "/data/gitea/avatars" + GITEA__picture__REPOSITORY_AVATAR_UPLOAD_PATH: "/data/gitea/repo-avatars" + + GITEA__repository__ROOT: "/data/git/repositories" + GITEA__repository__local__LOCAL_COPY_PATH: "/data/gitea/tmp/local-repo" + GITEA__repository__pull-request__DEFAULT_MERGE_STYLE: "merge" + GITEA__repository__signing__DEFAULT_TRUST_MODEL: "committer" + GITEA__repository__upload__TEMP_PATH: "/data/gitea/uploads" + + GITEA__security__INSTALL_LOCK: "true" + GITEA__security__PASSWORD_HASH_ALGO: "pbkdf2" + GITEA__security__REVERSE_PROXY_LIMIT: "1" + GITEA__security__REVERSE_PROXY_TRUSTED_PROXIES: "*" + + GITEA__server__APP_DATA_PATH: "/data/gitea" + GITEA__server__DISABLE_SSH: "false" + GITEA__server__DOMAIN: "git.strudelline.net" + 
GITEA__server__HTTP_PORT: "3000"
+ GITEA__server__LFS_START_SERVER: "true"
+ GITEA__server__OFFLINE_MODE: "false"
+ GITEA__server__ROOT_URL: "https://git.strudelline.net/"
+ GITEA__server__SSH_DOMAIN: "git-ssh.strudelline.net"
+ GITEA__server__SSH_LISTEN_PORT: "2222"
+ GITEA__server__SSH_PORT: "2222"
+
+ GITEA__service__ALLOW_ONLY_EXTERNAL_REGISTRATION: "false"
+ GITEA__service__DEFAULT_ALLOW_CREATE_ORGANIZATION: "true"
+ GITEA__service__DEFAULT_ENABLE_TIMETRACKING: "true"
+ GITEA__service__DEFAULT_KEEP_EMAIL_PRIVATE: "false"
+ GITEA__service__DISABLE_REGISTRATION: "true"
+ GITEA__service__ENABLE_CAPTCHA: "false"
+ GITEA__service__ENABLE_NOTIFY_MAIL: "false"
+ GITEA__service__NO_REPLY_ADDRESS: "noreply.localhost"
+ GITEA__service__REGISTER_EMAIL_CONFIRM: "false"
+ GITEA__service__REQUIRE_SIGNIN_VIEW: "false"
+
+ GITEA__session__PROVIDER: "file"
+ GITEA__session__PROVIDER_CONFIG: "/data/gitea/sessions"
diff --git a/keycloak/ingress.yaml b/keycloak/ingress.yaml
index 4e7410a..4fcdde2 100644
--- a/keycloak/ingress.yaml
+++ b/keycloak/ingress.yaml
@@ -4,11 +4,35 @@ metadata:
 name: keycloak-cascade
 namespace: keycloak
 spec:
- ingressClassName: istio
+ ingressClassName: haproxy
 rules:
 - host: auth.werts.us
 http:
 paths:
+ - path: /oauth2
+ pathType: Prefix
+ backend:
+ service:
+ name: oauth2-proxy
+ port:
+ name: http
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: cascade-service
+ port:
+ number: 80
+ - host: auth.strudelline.net
+ http:
+ paths:
+ - path: /oauth2
+ pathType: Prefix
+ backend:
+ service:
+ name: oauth2-proxy
+ port:
+ name: http
 - path: /
 pathType: Prefix
 backend:
@@ -16,7 +40,3 @@ spec:
 name: cascade-service
 port:
 number: 80
- tls:
- - hosts:
- - auth.werts.us
- secretName: wildcard-tls
diff --git a/keycloak/keycloak-sts.yaml b/keycloak/keycloak-sts.yaml
index b6adcc4..c245aa8 100644
--- a/keycloak/keycloak-sts.yaml
+++ b/keycloak/keycloak-sts.yaml
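Review bot: `GITEA__security__REVERSE_PROXY_TRUSTED_PROXIES: "*"` combined with `GITEA__security__REVERSE_PROXY_LIMIT: "1"` tells Gitea to trust `X-Forwarded-For`/`X-Real-IP` from any peer, so the client address it logs and rate-limits on can be chosen by whoever can reach the pod or Service directly rather than only by the ingress controller; the controller's pod or node CIDR is presumably the value that was meant. The `GITEA__database__HOST`, `USER` and `PASSWD` keys are dead while `DB_TYPE` is `sqlite3` and read like a MySQL setup that was never removed; dropping them, or a comment `# HOST/USER/PASSWD unused: DB_TYPE is sqlite3`, stops the next reader from treating them as live. Nothing in this ConfigMap is secret today (`PASSWD` is empty), which is worth keeping true since it is not a Secret.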
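Review bot: The second hunk deletes the `tls:` block (`wildcard-tls` for `auth.werts.us`) and nothing re-adds one for either host, so unless the haproxy controller is configured elsewhere to terminate TLS with a default certificate, `auth.werts.us` and the new `auth.strudelline.net` are served over plain HTTP and the authorization codes, tokens and the oauth2-proxy session cookie crossing the `/oauth2` and `/` paths travel in the clear. If TLS is deliberately handled in front of this ingress, a comment on `ingressClassName: haproxy` saying where would stop someone from re-adding it; otherwise a `tls:` entry naming both hosts with the wildcard secret should come back. This is the same commit that sets the realm to `ssl_required = "none"`, so Keycloak itself will not refuse the plain-HTTP flow.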
@@ -141,6 +141,10 @@ spec:
 - mountPath: /opt/keycloak/themes
 name: themes
 dnsPolicy: ClusterFirst
+ hostAliases:
+ - hostnames:
+ - cascade.strudelline.net
+ ip: 172.16.34.1
 restartPolicy: Always
 schedulerName: default-scheduler
 securityContext: {}
diff --git a/keycloak/oauth2-proxy.yaml b/keycloak/oauth2-proxy.yaml
new file mode 100644
index 0000000..ed762d0
--- /dev/null
+++ b/keycloak/oauth2-proxy.yaml
@@ -0,0 +1,70 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app: oauth2-proxy
+ name: oauth2-proxy
+ namespace: keycloak
+spec:
+ replicas: 3
+ selector:
+ matchLabels:
+ app: oauth2-proxy
+ strategy:
+ rollingUpdate:
+ maxSurge: 25%
+ maxUnavailable: 25%
+ type: RollingUpdate
+ template:
+ metadata:
+ creationTimestamp: null
+ labels:
+ app: oauth2-proxy
+ spec:
+ containers:
+ - args:
+ - --http-address=0.0.0.0:4180
+ - --config=/config.cfg
+ image: quay.io/oauth2-proxy/oauth2-proxy:v7.4.0
+ imagePullPolicy: IfNotPresent
+ livenessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /ping
+ port: http
+ scheme: HTTP
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
+ name: oauth2-proxy
+ ports:
+ - containerPort: 4180
+ name: http
+ protocol: TCP
+ volumeMounts:
+ - mountPath: /config.cfg
+ name: oauth2-proxy-config
+ subPath: oauth2-proxy.cfg
+ terminationGracePeriodSeconds: 2
+ volumes:
+ - name: oauth2-proxy-config
+ secret:
+ defaultMode: 420
+ optional: false
+ secretName: oauth2-proxy-oidc-secret
+---
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ app: oauth2-proxy
+ name: oauth2-proxy
+ namespace: keycloak
+spec:
+ ports:
+ - name: http
+ port: 4180
+ protocol: TCP
+ targetPort: 4180
+ selector:
+ app: oauth2-proxy
diff --git a/keycloak/tf/.gitignore b/keycloak/tf/.gitignore
new file mode 100644
index 0000000..b49eecc
--- /dev/null
+++ b/keycloak/tf/.gitignore
@@ -0,0 +1,2 @@
+*.backup
+*.tfstate
diff --git a/keycloak/tf/appwrite-cloud.tf b/keycloak/tf/appwrite-cloud.tf
new file mode 100644
index 0000000..2d89d6a
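Review bot: The Deployment mounts its entire configuration from a Secret named `oauth2-proxy-oidc-secret` (key `oauth2-proxy.cfg`), but nothing in this commit creates that object; the only secret Terraform writes for this client is `oidc-client` in namespace `keycloak` (client-oauth-proxy.tf) with keys `client_id`/`client_secret`. If the cfg Secret is maintained by hand, a comment on the volume saying so and noting that it must carry the cookie secret shared by all 3 replicas would help; if it is expected to come from Terraform, the names do not line up. A `subPath` mount of a Secret is also not refreshed when the Secret changes, so a rotated client secret only takes effect after the pods are restarted. The container has no `readinessProbe`, `resources` or `securityContext`, which is worth fixing while the manifest is new.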
--- /dev/null +++ b/keycloak/tf/appwrite-cloud.tf @@ -0,0 +1,15 @@ +module "werts_appwrite_cloud_oidc_client" { + source = "./oidc-client" + + realm_id = keycloak_realm.werts.id + client_id = "appwrite_cloud" + keepers = { epoch = 1 } + redirect_uris = ["https://cloud.appwrite.io/v1/account/sessions/oauth2/callback/oidc/6514da21c115f4a89bcd"] + + vault_secret_name = "k8s-ns/appwrite_cloud/werts-oidc" +} + +output "appwrite_cloud_client_id" { + value = module.werts_appwrite_cloud_oidc_client + sensitive = true +} diff --git a/keycloak/tf/client-budibase.tf b/keycloak/tf/client-budibase.tf new file mode 100644 index 0000000..f6a17ae --- /dev/null +++ b/keycloak/tf/client-budibase.tf @@ -0,0 +1,15 @@ +module "werts_budibase_oidc_client" { + source = "./oidc-client" + + realm_id = keycloak_realm.werts.id + client_id = "budibase" + keepers = { epoch = 1 } + redirect_uris = ["https://bb.strudelline.net/api/global/auth/oidc/callback"] + + vault_secret_name = "k8s-ns/budibase/werts-oidc" +} + +output "budibase_client_id" { + value = module.werts_budibase_oidc_client + sensitive = true +} diff --git a/keycloak/tf/client-concourse.tf b/keycloak/tf/client-concourse.tf new file mode 100644 index 0000000..8d7ad70 --- /dev/null +++ b/keycloak/tf/client-concourse.tf @@ -0,0 +1,13 @@ +module "werts_concourse_oidc_client" { + source = "./oidc-client" + + realm_id = keycloak_realm.werts.id + client_id = "concourse" + keepers = { epoch = 1 } + redirect_uris = ["https://cc.strudelline.net/*"] +} + +output "concourse_client_id" { + value = module.werts_concourse_oidc_client + sensitive = true +} diff --git a/keycloak/tf/client-debugger.tf b/keycloak/tf/client-debugger.tf new file mode 100644 index 0000000..7988a03 --- /dev/null +++ b/keycloak/tf/client-debugger.tf 
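Review bot: The output is named `appwrite_cloud_client_id` but its value is the whole module object (`value = module.werts_appwrite_cloud_oidc_client`), which carries `client_secret` as well as `client_id`; `sensitive = true` keeps it out of plan output, but the name under-describes what `terraform output -json` hands back. Either narrow it to `value = module.werts_appwrite_cloud_oidc_client.client_id` or rename the output to say it is the full client. The same shape repeats in every other client file in this commit, and the module/output naming is mixed across them (`werts_*_oidc_client` here, `client_*` in client-frigate.tf and others, outputs `longhorn`/`tubesync` with no suffix); settling on one convention while the files are brand new is cheap.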
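Review bot: `redirect_uris = ["https://cc.strudelline.net/*"]` registers a wildcard redirect URI, so any page on that host that reflects or leaks its URL (an open redirect, a referrer leak) becomes a place Keycloak will deliver the authorization code to; client-debugger.tf (`https://debug.werts.us/*`) and client-harbor.tf (`https://harbor.strudelline.net/*`, already marked by its own `REMEMBER TO CHANGE THE REDIRECT` banner) have the same shape. Each should be narrowed to the exact callback path the application uses, as the other client files in this commit already do (for example `.../oauth2/callback`). Until then a one-line `# TODO: wildcard redirect, narrow to the real callback path` on each would at least record the intent where the value is.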
@@ -0,0 +1,13 @@ +module "werts_debugger_oidc_client" { + source = "./oidc-client" + + realm_id = keycloak_realm.werts.id + client_id = "debugger" + keepers = { epoch = 1 } + redirect_uris = ["https://debug.werts.us/*"] +} + +output "debugger_client_id" { + value = module.werts_debugger_oidc_client + sensitive = true +} diff --git a/keycloak/tf/client-frigate.tf b/keycloak/tf/client-frigate.tf new file mode 100644 index 0000000..4c8ae87 --- /dev/null +++ b/keycloak/tf/client-frigate.tf @@ -0,0 +1,16 @@ +module "client_frigate" { + source = "./oidc-client" + + realm_id = keycloak_realm.werts.id + client_id = "frigate" + keepers = { epoch = 1 } + redirect_uris = ["https://frigate.strudelline.net/oauth2/callback"] + + kubernetes_secret_name = "oidc-client" + kubernetes_secret_namespace = "frigate" +} + +output "frigate_client_id" { + value = module.client_frigate + sensitive = true +} diff --git a/keycloak/tf/client-gitea.tf b/keycloak/tf/client-gitea.tf new file mode 100644 index 0000000..b39f35d --- /dev/null +++ b/keycloak/tf/client-gitea.tf @@ -0,0 +1,13 @@ +module "client_gitea" { + source = "./oidc-client" + + realm_id = keycloak_realm.werts.id + client_id = "gitea" + keepers = { epoch = 1 } + redirect_uris = ["https://git.strudelline.net/user/oauth2/werts/callback"] +} + +output "gitea_client_id" { + value = module.client_gitea + sensitive = true +} diff --git a/keycloak/tf/client-grafana.tf b/keycloak/tf/client-grafana.tf new file mode 100644 index 0000000..1128c17 --- /dev/null +++ b/keycloak/tf/client-grafana.tf @@ -0,0 +1,13 @@ +module "client_grafana" { + source = "./oidc-client" + + realm_id = keycloak_realm.werts.id + client_id = "grafana" + keepers = { epoch = 1 } + redirect_uris = ["https://grafana.strudelline.net/login/generic_oauth"] +} + +output "grafana_client_id" { + value = module.client_grafana + sensitive = true +} diff --git a/keycloak/tf/client-grist.tf b/keycloak/tf/client-grist.tf new file mode 100644 index 0000000..ea0724e --- /dev/null 
+++ b/keycloak/tf/client-grist.tf @@ -0,0 +1,15 @@ +module "werts_grist_oidc_client" { + source = "./oidc-client" + + realm_id = keycloak_realm.werts.id + client_id = "grist" + keepers = { epoch = 1 } + redirect_uris = ["https://grist.strudelline.net/oauth2/callback"] + + vault_secret_name = "k8s-ns/grist/werts-oidc" +} + +output "grist_client_id" { + value = module.werts_grist_oidc_client + sensitive = true +} diff --git a/keycloak/tf/client-harbor.tf b/keycloak/tf/client-harbor.tf new file mode 100644 index 0000000..f07f5ef --- /dev/null +++ b/keycloak/tf/client-harbor.tf @@ -0,0 +1,16 @@ +module "werts_harbor_oidc_client" { + source = "./oidc-client" + + realm_id = keycloak_realm.werts.id + client_id = "harbor" + keepers = { epoch = 1 } + # vvvvvvvvvvvvvvv REMEMBER TO CHANGE THE REDIRECT vvvvvvvvvvvvvvv + redirect_uris = ["https://harbor.strudelline.net/*"] + + kubernetes_secret_name = "oidc-client" +} + +output "harbor_client_id" { + value = module.werts_harbor_oidc_client + sensitive = true +} diff --git a/keycloak/tf/client-jenkins.tf b/keycloak/tf/client-jenkins.tf new file mode 100644 index 0000000..8eca123 --- /dev/null +++ b/keycloak/tf/client-jenkins.tf @@ -0,0 +1,13 @@ +module "client_jenkins" { + source = "./oidc-client" + + realm_id = keycloak_realm.werts.id + client_id = "jenkins" + keepers = { epoch = 1 } + redirect_uris = ["https://jenkins.strudelline.net/securityRealm/finishLogin"] +} + +output "jenkins_client_id" { + value = module.client_jenkins + sensitive = true +} diff --git a/keycloak/tf/client-longhorn.tf b/keycloak/tf/client-longhorn.tf new file mode 100644 index 0000000..6b683b3 --- /dev/null +++ b/keycloak/tf/client-longhorn.tf 
@@ -0,0 +1,16 @@ +module "client_longhorn" { + source = "./oidc-client" + + realm_id = keycloak_realm.werts.id + client_id = "longhorn" + keepers = { epoch = 1 } + redirect_uris = ["https://longhorn.strudelline.net/oauth2/callback"] + + kubernetes_secret_name = "oidc-client" + kubernetes_secret_namespace = "longhorn-system" +} + +output "longhorn" { + value = module.client_longhorn + sensitive = true +} diff --git a/keycloak/tf/client-mastodon.tf b/keycloak/tf/client-mastodon.tf new file mode 100644 index 0000000..208108f --- /dev/null +++ b/keycloak/tf/client-mastodon.tf @@ -0,0 +1,15 @@ +module "werts_mastodon_oidc_client" { + source = "./oidc-client" + + realm_id = keycloak_realm.werts.id + client_id = "mastodon" + keepers = { epoch = 1 } + redirect_uris = ["https://mastodon.werts.us/auth/auth/openid_connect/callback"] + + vault_secret_name = "k8s-ns/mastodon/werts-oidc" +} + +output "mastodon_client_id" { + value = module.werts_mastodon_oidc_client + sensitive = true +} diff --git a/keycloak/tf/client-matrix.tf b/keycloak/tf/client-matrix.tf new file mode 100644 index 0000000..35fc870 --- /dev/null +++ b/keycloak/tf/client-matrix.tf @@ -0,0 +1,18 @@ +module "werts_matrix_oidc_client" { + source = "./oidc-client" + + realm_id = keycloak_realm.werts.id + client_id = "matrix" + keepers = { epoch = 1 } + redirect_uris = ["https://chat.werts.us/_synapse/client/oidc/callback"] + + vault_secret_name = "k8s-ns/synapse/werts-oidc" + + backchannel_logout_url = "https://chat.werts.us/_synapse/client/oidc/backchannel_logout" + backchannel_logout_session_required = true +} + +output "matrix_client_id" { + value = module.werts_matrix_oidc_client + sensitive = true +} diff --git a/keycloak/tf/client-minio.tf b/keycloak/tf/client-minio.tf new file mode 100644 index 0000000..aa6f220 --- /dev/null +++ b/keycloak/tf/client-minio.tf 
@@ -0,0 +1,15 @@ +module "werts_minio_oidc_client" { + source = "./oidc-client" + + realm_id = keycloak_realm.werts.id + client_id = "minio" + keepers = { epoch = 1 } + redirect_uris = ["https://minio-admin.strudelline.net/oauth_callback"] + + vault_secret_name = "noctowl-docker-services/minio/werts-oidc" +} + +output "minio_client_id" { + value = module.werts_minio_oidc_client + sensitive = true +} diff --git a/keycloak/tf/client-nodered1.tf b/keycloak/tf/client-nodered1.tf new file mode 100644 index 0000000..2f84ecf --- /dev/null +++ b/keycloak/tf/client-nodered1.tf @@ -0,0 +1,10 @@ +module "werts_nodered1_oidc_client" { + source = "./oidc-client" + + realm_id = keycloak_realm.werts.id + client_id = "node-red-1" + keepers = { epoch = 1 } + redirect_uris = ["https://red-1.werts.us/oauth2/callback"] + + vault_secret_name = "k8s-ns/node-red/node-red-1-werts-oidc" +} diff --git a/keycloak/tf/client-oauth-proxy.tf b/keycloak/tf/client-oauth-proxy.tf new file mode 100644 index 0000000..6a147cc --- /dev/null +++ b/keycloak/tf/client-oauth-proxy.tf @@ -0,0 +1,19 @@ +module "werts_oauth_proxy_oidc_client" { + source = "./oidc-client" + + realm_id = keycloak_realm.werts.id + client_id = "oauthproxy" + keepers = { epoch = 1 } + redirect_uris = [ + "https://auth.werts.us/oauth2/callback", + "https://auth.strudelline.net/oauth2/callback", + ] + + kubernetes_secret_name = "oidc-client" + kubernetes_secret_namespace = "keycloak" +} + +output "oauth_proxy_client_id" { + value = module.werts_oauth_proxy_oidc_client + sensitive = true +} diff --git a/keycloak/tf/client-peertube.tf b/keycloak/tf/client-peertube.tf new file mode 100644 index 0000000..0bc8c9e --- /dev/null +++ b/keycloak/tf/client-peertube.tf 
@@ -0,0 +1,15 @@ +module "werts_peertube_oidc_client" { + source = "./oidc-client" + + realm_id = keycloak_realm.werts.id + client_id = "peertube" + keepers = { epoch = 1 } + redirect_uris = ["https://tube.werts.us/plugins/auth-openid-connect/router/code-cb"] + + vault_secret_name = "k8s-ns/peertube/werts-oidc" +} + +output "peertube_client_id" { + value = module.werts_peertube_oidc_client + sensitive = true +} diff --git a/keycloak/tf/client-pleroma.tf b/keycloak/tf/client-pleroma.tf new file mode 100644 index 0000000..c164cc6 --- /dev/null +++ b/keycloak/tf/client-pleroma.tf @@ -0,0 +1,15 @@ +module "werts_pleroma_oidc_client" { + source = "./oidc-client" + + realm_id = keycloak_realm.werts.id + client_id = "pleroma" + keepers = { epoch = 1 } + redirect_uris = ["http://toots.werts.us/oauth/keycloak/callback"] + + #vault_secret_name = "k8s-ns/pleroma/werts-oidc" +} + +output "pleroma_client_id" { + value = module.werts_pleroma_oidc_client + sensitive = true +} diff --git a/keycloak/tf/client-tubearchivist.tf b/keycloak/tf/client-tubearchivist.tf new file mode 100644 index 0000000..2aae739 --- /dev/null +++ b/keycloak/tf/client-tubearchivist.tf @@ -0,0 +1,16 @@ +module "client_tubearchivist" { + source = "./oidc-client" + + realm_id = keycloak_realm.werts.id + client_id = "tubearchivist" + keepers = { epoch = 1 } + redirect_uris = ["https://tubearchivist.strudelline.net/oauth2/callback"] + + kubernetes_secret_name = "oidc-client" + kubernetes_secret_namespace = "tubearchivist" +} + +output "tubearchivist" { + value = module.client_tubearchivist + sensitive = true +} diff --git a/keycloak/tf/client-tubesync.tf b/keycloak/tf/client-tubesync.tf new file mode 100644 index 0000000..5cb2777 --- /dev/null +++ b/keycloak/tf/client-tubesync.tf 
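Review bot: `redirect_uris = ["http://toots.werts.us/oauth/keycloak/callback"]` is the only plain-`http://` callback among the new clients, so the authorization code for this client returns through the browser in cleartext; if Pleroma sits behind TLS the scheme should be `https://`, and if it genuinely does not, a comment explaining why is needed, because the realm's `ssl_required = "none"` means Keycloak will not reject it. With `#vault_secret_name` commented out and no `kubernetes_secret_name`, this client's secret is also delivered nowhere and is only reachable through the `sensitive` output and Terraform state.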
@@ -0,0 +1,16 @@ +module "client_tubesync" { + source = "./oidc-client" + + realm_id = keycloak_realm.werts.id + client_id = "tubesync" + keepers = { epoch = 1 } + redirect_uris = ["https://tubesync.strudelline.net/oauth2/callback"] + + kubernetes_secret_name = "oidc-client" + kubernetes_secret_namespace = "tubesync" +} + +output "tubesync" { + value = module.client_tubesync + sensitive = true +} diff --git a/keycloak/tf/client-windmill-k8s.tf b/keycloak/tf/client-windmill-k8s.tf new file mode 100644 index 0000000..27e3bc3 --- /dev/null +++ b/keycloak/tf/client-windmill-k8s.tf @@ -0,0 +1,14 @@ +module "k8s_windmill_oidc_client" { + source = "./oidc-client" + + realm_id = keycloak_realm.werts.id + client_id = "k8s-windmill" + keepers = { epoch = 1 } + # vvvvvvvvvvvvvvv REMEMBER TO CHANGE THE REDIRECT vvvvvvvvvvvvvvv + redirect_uris = ["https://windmill.strudelline.net/user/login_callback/keycloak"] +} + +output "k8s_windmill_client_id" { + value = module.k8s_windmill_oidc_client + sensitive = true +} diff --git a/keycloak/tf/client-windmill.tf b/keycloak/tf/client-windmill.tf new file mode 100644 index 0000000..c739eb8 --- /dev/null +++ b/keycloak/tf/client-windmill.tf @@ -0,0 +1,16 @@ +module "werts_windmill_oidc_client" { + source = "./oidc-client" + + realm_id = keycloak_realm.werts.id + client_id = "windmill" + keepers = { epoch = 1 } + # vvvvvvvvvvvvvvv REMEMBER TO CHANGE THE REDIRECT vvvvvvvvvvvvvvv + redirect_uris = ["https://windmill.strudelline.net/user/login_callback/keycloak_werts"] + + vault_secret_name = "k8s-ns/windmill/werts-oidc" +} + +output "windmill_client_id" { + value = module.werts_windmill_oidc_client + sensitive = true +} diff --git a/keycloak/tf/main.tf b/keycloak/tf/main.tf new file mode 100644 index 0000000..3010272 --- /dev/null +++ b/keycloak/tf/main.tf 
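Review bot: The `# vvvv REMEMBER TO CHANGE THE REDIRECT vvvv` banner in client-windmill-k8s.tf sits above a redirect URI that is already a specific path (`/user/login_callback/keycloak`), so it reads as a left-over from a wildcard placeholder and will be ignored the next time it actually applies; client-windmill.tf carries the same stale banner. Either drop it or turn it into a statement of what is still unverified, e.g. `# TODO: confirm callback path against the windmill deployment`.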
@@ -0,0 +1,8 @@ +#resource "keycloak_realm" "master" { +# realm = "master" +# enabled = true +# +# default_signature_algorithm = "RS256" +# display_name = "Keycloak" +# display_name_html = "
Keycloak
" +#} diff --git a/keycloak/tf/oidc-client/versions.tf b/keycloak/tf/oidc-client/versions.tf new file mode 100644 index 0000000..6d5151f --- /dev/null +++ b/keycloak/tf/oidc-client/versions.tf @@ -0,0 +1,12 @@ +terraform { + required_providers { + keycloak = { + source = "mrparkers/keycloak" + version = "~> 4.2" + } + #vault = { + # source = "hashicorp/vault" + # version = "~> 3.14" + #} + } +} diff --git a/keycloak/tf/oidc-client/werts.tf b/keycloak/tf/oidc-client/werts.tf new file mode 100644 index 0000000..99d2320 --- /dev/null +++ b/keycloak/tf/oidc-client/werts.tf 
@@ -0,0 +1,118 @@
+variable "realm_id" { }
+variable "client_id" { }
+variable "client_name" { default = "" }
+variable "client_secret" {
+ type = string
+ default = ""
+ description = "sets client_secret if set. a random 128 digit secret will be generated if this is not set or set to an empty string. this secret is very long because of the lack of specials."
+}
+variable "keepers" {
+ type = map
+ default = {}
+ description = "keepers used to determine when to rotate a random client_secret. only used if client_secret is unset."
+}
+variable "redirect_uris" {
+ type = list(string)
+ default = []
+}
+variable "vault_kv_path" {
+ default = "kvv2"
+}
+variable "vault_secret_name" {
+ description = "secret object name (path-like thing in kvv2, not secret object key either -- those are client_id and client_secret)"
+ type = string
+ default = ""
+}
+variable "backchannel_logout_url" { default = "" }
+variable "backchannel_logout_session_required" { default = false }
+variable "secret_metadata" {
+ type = map
+ default = {}
+}
+
+resource "random_password" "client_secret" {
+ keepers = var.keepers
+ count = var.client_secret == "" ? 1 : 0
+
+ special = false
+ length = 86 # 62**86 > 2**512 (but 62**85 is not)
+}
+
+variable "kubernetes_secret_name" {
+ default = ""
+}
+
+variable "kubernetes_secret_namespace" {
+ default = ""
+}
+
+variable "kubernetes_secret_client_id_key" {
+ default = "client_id"
+}
+
+variable "kubernetes_secret_client_secret_key" {
+ default = "client_secret"
+}
+
+locals {
+ client_name = var.client_name == "" ? var.client_id : var.client_name
+ client_secret = var.client_secret == "" ? random_password.client_secret.0.result : var.client_secret
+ kubernetes_secret_namespace = var.kubernetes_secret_namespace == "" ? 
local.client_name : var.kubernetes_secret_namespace
+}
+
+resource "keycloak_openid_client" "openid_client" {
+ realm_id = var.realm_id
+ client_id = var.client_id
+ client_secret = local.client_secret
+
+ name = local.client_name
+ enabled = true
+
+ standard_flow_enabled = true
+ access_type = "CONFIDENTIAL"
+ valid_redirect_uris = var.redirect_uris
+
+ backchannel_logout_url = var.backchannel_logout_url
+ backchannel_logout_session_required = var.backchannel_logout_session_required
+
+ login_theme = "keycloak"
+}
+
+#resource "vault_kv_secret_v2" "oidc_client" {
+# count = var.vault_secret_name == "" ? 0 : 1
+# mount = var.vault_kv_path
+# name = var.vault_secret_name
+# data_json = jsonencode(
+# {
+# client_id = keycloak_openid_client.openid_client.client_id
+# client_secret = keycloak_openid_client.openid_client.client_secret
+# }
+# )
+# custom_metadata {
+# data = var.secret_metadata
+# }
+#}
+
+resource "kubernetes_secret" "oidc_client" {
+ count = var.kubernetes_secret_name == "" ? 0 : 1
+
+ metadata {
+ name = var.kubernetes_secret_name
+ namespace = local.kubernetes_secret_namespace
+ }
+
+ data = {
+ "${var.kubernetes_secret_client_id_key}" = keycloak_openid_client.openid_client.client_id
+ "${var.kubernetes_secret_client_secret_key}" = keycloak_openid_client.openid_client.client_secret
+ }
+}
+
+
+output "client_id" {
+ value = resource.keycloak_openid_client.openid_client.client_id
+ sensitive = true
+}
+output "client_secret" {
+ value = resource.keycloak_openid_client.openid_client.client_secret
+ sensitive = true
+}
diff --git a/keycloak/tf/providers.tf b/keycloak/tf/providers.tf
new file mode 100644
index 0000000..559262f
--- /dev/null
+++ b/keycloak/tf/providers.tf
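Review bot: With `vault_kv_secret_v2` commented out, the `vault_secret_name`, `vault_kv_path` and `secret_metadata` variables are accepted but do nothing, so every caller in this commit that passes `vault_secret_name` instead of `kubernetes_secret_name` (appwrite, budibase, grist, mastodon, matrix, minio, nodered1, peertube, windmill) ends up with a client whose secret exists only in Terraform state and the `sensitive` outputs; a `description` on `vault_secret_name` such as `currently a no-op: vault delivery is disabled, use kubernetes_secret_name` would surface that at the call site. `variable "keepers" { type = map }` and `secret_metadata` use the bare `map` constraint, which Terraform reads as `map(any)`; `map(string)` says what is meant. Since `valid_redirect_uris` is passed through unfiltered, this module is also the one place to reject wildcard entries or to turn on PKCE for every client at once (`pkce_code_challenge_method = "S256"`), rather than relying on each client file. The `resource.keycloak_openid_client...` spelling in the two outputs differs from the plain `keycloak_openid_client.openid_client...` used everywhere else in the file; one form throughout is easier to grep.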
@@ -0,0 +1,23 @@
+provider "keycloak" {
+ client_id = "admin-cli"
+ url = "https://auth.werts.us"
+ username = data.kubernetes_secret_v1.keycloak_admin.data.username
+ password = data.kubernetes_secret_v1.keycloak_admin.data.password
+ initial_login = false
+}
+
+data "kubernetes_secret_v1" "keycloak_admin" {
+ metadata {
+ name = "keycloak-admin"
+ namespace = "keycloak"
+ }
+}
+
+provider "kubernetes" {
+ config_path = "~/.kube/config"
+ config_context = "mew"
+}
+
+#provider "vault" {
+# address = "https://vault.strudelline.net"
+#}
diff --git a/keycloak/tf/versions.tf b/keycloak/tf/versions.tf
new file mode 100644
index 0000000..999ff7d
--- /dev/null
+++ b/keycloak/tf/versions.tf
@@ -0,0 +1,16 @@
+terraform {
+ required_providers {
+ keycloak = {
+ source = "mrparkers/keycloak"
+ version = "4.2.0"
+ }
+ kubernetes = {
+ source = "hashicorp/kubernetes"
+ version = "2.18.1"
+ }
+ #vault = {
+ # source = "hashicorp/vault"
+ # version = "3.14.0"
+ #}
+ }
+}
diff --git a/keycloak/tf/werts.tf b/keycloak/tf/werts.tf
new file mode 100644
index 0000000..d9c82fc
--- /dev/null
+++ b/keycloak/tf/werts.tf
@@ -0,0 +1,25 @@
+resource "keycloak_realm" "werts" {
+ realm = "werts"
+ enabled = true
+
+ default_signature_algorithm = "RS256"
+ display_name = "werts.us"
+ display_name_html = "
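Review bot: The admin password that `provider "keycloak"` reads through `data.kubernetes_secret_v1.keycloak_admin` lands in the plan and the state file next to every generated client secret, so the `.gitignore` added in this commit (`*.tfstate`, `*.backup`) is the only thing keeping it out of git; a one-line comment above the data source, `# pulls the admin password into state: keep state local or encrypted`, records that assumption for whoever later adds a remote backend. `config_path = "~/.kube/config"` with `config_context = "mew"` ties the root module to one workstation; the kubernetes provider reads `KUBE_CONFIG_PATH` and `KUBE_CTX` when these arguments are omitted, so dropping them or exposing them as variables keeps the author's behaviour and lets anyone else apply it.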
werts.us
"
+ ssl_required = "none"
+
+ account_theme = "keycloak"
+ admin_theme = "keycloak.v2"
+ email_theme = "keycloak"
+ login_theme = "keycloak"
+}
+
+module "werts_cascade_federation" {
+ #source = "github.com/jamesandariese/terraform-keycloak-ad-federation"
+ source = "/home/james/src/github.com/jamesandariese/terraform-keycloak-ad-federation"
+ realm_id = keycloak_realm.werts.id
+ connection_url = "ldaps://cascade.strudelline.net"
+ bind_dn = "CN=ldapsearch,OU=ldapsearch,DC=cascade,DC=strudelline,DC=net"
+ bind_credential = "2Nblech%"
+ federation_name = "cascade"
+ users_dn = "DC=cascade,DC=strudelline,DC=net"
+}
diff --git a/nvidia/README.md b/nvidia/README.md
new file mode 100644
index 0000000..b224a0b
--- /dev/null
+++ b/nvidia/README.md
@@ -0,0 +1,24 @@
+# Installing NVIDIA stuff on a new k3s node
+
+curl -fsSL https://nvidia.github.io/libnvidia-container/gpgkey | sudo gpg --dearmor -o /usr/share/keyrings/nvidia-container-toolkit-keyring.gpg \
+ && curl -s -L https://nvidia.github.io/libnvidia-container/stable/deb/nvidia-container-toolkit.list | \
+ sed 's#deb https://#deb [signed-by=/usr/share/keyrings/nvidia-container-toolkit-keyring.gpg] https://#g' | \
+ sudo tee /etc/apt/sources.list.d/nvidia-container-toolkit.list
+sudo apt-get update
+sudo apt-get install -y nvidia-container-toolkit nvidia-kernel-dkms
+
+# Installing k3s stuff
+
+There is a `deploy.sh` in this folder.
+
+It installs the RuntimeClass needed to target the nvidia runtime
+and installs the device plugin with GFD (node finder for GPUs) via
+helm.
+
+# Wrap up
+
+With these two pieces installed, you should be able to find a GPU-bearing node.
+
+```bash
+kubectl get node -l 'nvidia.com/gpu.count'
+```
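Review bot: `bind_credential = "2Nblech%"` commits the LDAP bind password for `CN=ldapsearch,...` in plaintext to the repository; providers.tf in this same commit already shows the right pattern (read the admin password from a Kubernetes Secret through a `data` source), and the same should be done here, with the committed value treated as exposed and rotated on the directory side. `ssl_required = "none"` lets the realm serve the login flow and tokens over plain HTTP, which matters because this commit also removes the `tls:` block from the ingress; `"external"` is the usual setting when TLS is terminated in front of Keycloak. The module `source` is an absolute path under `/home/james/...` with the GitHub source commented out, so the configuration only applies from that one checkout; if the local path is for development, a comment saying which commit of the published module it tracks would make the pinning reproducible.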