k/keycloak: initial commit

This commit is contained in:
ryan-distrust.co 2023-05-15 00:06:43 -04:00
parent f5008b3294
commit ad5b94929e
Signed by untrusted user who does not match committer: ryan
GPG Key ID: 8E401478A3FBEF72
9 changed files with 332 additions and 0 deletions


@ -0,0 +1,24 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: keycloak
annotations:
cert-manager.io/cluster-issuer: letsencrypt
external-dns.alpha.kubernetes.io/hostname: keycloak.distrust.co
spec:
ingressClassName: nginx
rules:
- host: keycloak.distrust.co
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: keycloak
port:
number: 80
tls:
- hosts:
- keycloak.distrust.co
secretName: website-tls
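Review bot: The single rule at `path: /` with `pathType: Prefix` publishes the entire Keycloak tree on the public hostname, including `/admin/` and the admin REST API, and nothing on this Ingress restricts who may reach it. Consider a second Ingress for `/admin` carrying `nginx.ingress.kubernetes.io/whitelist-source-range` (or serving the console on a separate hostname via `KC_HOSTNAME_ADMIN_URL`) so the bootstrap admin login is not reachable from the open internet. The TLS secret is named `website-tls`, which reads as copied from another service; cert-manager stores the certificate it issues for this Ingress under that name in the keycloak namespace, so `secretName: keycloak-tls` avoids colliding with any other certificate that later lands under the same name.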


@ -0,0 +1,78 @@
apiVersion: v1
kind: Secret
metadata:
name: keycloak-config
stringData:
admin: ENC[AES256_GCM,data:MRhVmq8=,iv:IMmqxQsXUcPg7Nwq6b1AXEipB4Ks05lEPrEh4nmTHxQ=,tag:K+dM779PcYEtCl/l3fquZQ==,type:str]
admin_password: ENC[AES256_GCM,data:wzTxmvr83LTWSLCdtoprqHMRuBxKkK0C2dmFCcF9lpI=,iv:frlyzI4trbJRHpgzRWUffOgnMFNfaO/XAlrxKdcLATg=,tag:Lv8zMWDqyppClmstGB2BPw==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age: []
lastmodified: "2023-05-15T03:10:17Z"
mac: ENC[AES256_GCM,data:UnjytZ+qoP9jsD+6XWo6f7Zrr2NGf4ZXa6bX4rqMoPu5VGbAewbKjeg2LQPLdB5t0V7cC0Zl0sfg58hLWZcG8igclSmfARkDBKeyCp836hkkUsoELule1jwUzlopNRFeh5W5P1sIpDt54QWulm7+stDAbT7tR586mIrzNOUj/M0=,iv:1vcNRq7pfVoRjPOxZvVKql5htdhAvueG1n2Qbx37mIg=,tag:vfuo+GbGz2p7MYib/uvxDQ==,type:str]
pgp:
- created_at: "2023-05-15T03:10:16Z"
enc: |-
-----BEGIN PGP MESSAGE-----
wcFMA82rPM2mSf/aARAArGyOdTV+QuqLX0HSdo13zZJfEqzz6arQ9nUVP9vSPF+C
i96V90KmzC1t/C1RFFzinKQ6gnIgC+yDZAs1HnvBpStaItz9oMLrldqDVMaEpK43
u2HIpHsLvo/B2QN/0g63XSI7a1+MsDHZHWWbat+pDehLRWy9BgSd5/cZSiBIe0AG
NhwzeEIoEinecFW3NWUy9PZA0yEn/Gl6gdaNYLBDFdbAox8enwr3M5kmMolWmOgI
jYLyVQhU8tix/dRCXx+vzIrus7rIvoRqlL7ji9nA1wsFto/6OMkxfylIZzATK3JU
wQ55iZriD8WQOn/GTpDcomLuavu9/pNP+o2rszkws714CROPUa/vn963BZmxrNQ3
W0ztTvOpJ+1dlR1ZxgPCBtUnv6jv6MCBC3DTtYtOCN7+CuRvlU5jSQUoiUyF12O6
GLY+GiVWKE+d+EbF9rf3s/E9un4hop6izYjSP2R3lJPJvPX/KyFe0v6V2HfwNBaH
t5NEui8R2/9icmy1nTTzXN2YMQ59buPgSJJ7ZAdm1Vf21kddZFAijOhAGU8pL08Y
cH2lbD2Lx7/avszaG66Y+YkNnKWY1Ql/bv7qoBLWtC+49YiThxi5GiBfLTGGHXEu
GevgmC96YumLZpdmME1y5Zn62MrVHO0zTXxEnTb4txkXHDX2SUB/QvRfuFdxySvS
UQEU5w08lky/SvZ2pj/1EcTaJUv7pYOKs2yxjvD07IUFuWzwJTjqd4uxwWTaqdXl
Y4I9oSUTaoM/Qjr/yf8CpJSg+mjTSbXRBlJAXRlomPuMKQ==
=oFCJ
-----END PGP MESSAGE-----
fp: 6B61ECD76088748C70590D55E90A401336C8AAA9
- created_at: "2023-05-15T03:10:16Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=8E34
-----END PGP MESSAGE-----
fp: 88823A75ECAA786B0FF38B148E401478A3FBEF72
- created_at: "2023-05-15T03:10:16Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=o9zp
-----END PGP MESSAGE-----
fp: 3D7C8D39E8C4DF771583D3F0A8A091FD346001CA
encrypted_regex: ^(data|stringData)$
version: 3.7.3


@ -0,0 +1,18 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: keycloak
resources:
- namespace.yaml
- resources.yaml
- ingress.yaml
generators:
- secret-generator.yaml
configMapGenerator:
- name: keycloak-config
literals:
- KC_HOSTNAME_URL=https://keycloak.distrust.co
patches:
- path: postgres-auth.patch.yaml
target:
kind: Deployment
name: keycloak
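Review bot: `namespace: keycloak` here disagrees with `name: Keycloak` in namespace.yaml; namespace names must be lowercase RFC 1123 labels, so the Namespace object as written is rejected on apply regardless of what this transformer does. Fix namespace.yaml to `name: keycloak` so the created namespace and the transformer target match. The ConfigMap generated here and the sops Secret produced via `secret-generator.yaml` both use the name `keycloak-config`; Kubernetes separates them by kind, but kustomize appends a content hash to the generated ConfigMap's name while the plugin-generated Secret presumably keeps its plain name, so the two end up as differently named objects that share one label in this file. Renaming the ConfigMap (e.g. `- name: keycloak-hostname`) makes the `configMapKeyRef` / `secretKeyRef` distinction in the Deployment patch obvious at a glance.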


@ -0,0 +1,4 @@
apiVersion: v1
kind: Namespace
metadata:
name: Keycloak
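Review bot: `name: Keycloak` is not a valid namespace name; namespace names must be RFC 1123 labels (lowercase alphanumerics and `-`), so the API server rejects this object, and it also does not match `namespace: keycloak` in kustomization.yaml. Change it to `name: keycloak`.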


@ -0,0 +1,83 @@
apiVersion: v1
kind: Secret
metadata:
name: database-configuration
stringData:
address: ENC[AES256_GCM,data:RS6hEXdX1KCHRiQRZKh8KquHLopYO+7HrEQd7xEzsQ19sFZ4FTGO5JSDv+sQSFajdI0LEOvRrYrhVlWEQ8+VZ9E=,iv:1ImaNPCJ4gRPZnKLyUDAaYC65hznkJTN0XcoHMht7Uc=,tag:7EE/6DFeoftrfEWL87dhvQ==,type:str]
dbname: ENC[AES256_GCM,data:96lDzmgCQ44=,iv:Tgqn2ExHcLA0InFyq0vaIJ7JSki6D5yLeOFnvMtbfkY=,tag:eLKfzhvGL1PX1gjqh1aMoA==,type:str]
host: ENC[AES256_GCM,data:xiesN1NpCAEW2dGHutysgqfvHgQalMeQoe+JBSlLp4/RSdsZLBijzmDt7puqd29sLK0wgcqsxQgVjo4=,iv:HaG3YQ/g9rRoqwtWUT7W/gC+sCnq4f0shoLw2NV1f4s=,tag:sexGZ2EDkIIqN1cHU4OvIw==,type:str]
jdbc_url: ENC[AES256_GCM,data:Qq67i6hnALTr5eUdWQ/ICczNkdvRIC96qP53AQMN10AJoBvQUIDgbMN/XWTRC1SZPucC2b2+5hbsEFntud3ryY4+ucFe+c0O/k4hCC0qYySsf7tqWfiezwYxw16BskCVr3WalEzBB13zih0D,iv:gT/i4R+ZN/kmZfbrphDFZxdBfSQXyQjV231SMGkN4pc=,tag:/KBMJaRbsJmr35ncWcQksw==,type:str]
name: ENC[AES256_GCM,data:8sjmGhI2rfU=,iv:lZVcv5ADwJL/fS7dneji7KhfyFpHJGavcKFO1VB6zuk=,tag:vDIhIgX0/tjElndzUIaVyA==,type:str]
password: ENC[AES256_GCM,data:QZhQHjfakGBEcsxXC6OxAN1pl4z6DIrJ,iv:0mlgs/ihf5YKeEzn9lp6keNzKe4gMT+TTpquTLc7Lq8=,tag:3unmkIvaFQcfdDQZvcPiug==,type:str]
port: ENC[AES256_GCM,data:hR/vQxc=,iv:g9IODLw/3SjVXHR/+XEmYXm8sZbqJsTc13NJ3tE8FKs=,tag:JMvOoQa1dN9l5aEa79OeZA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age: []
lastmodified: "2023-05-15T04:04:00Z"
mac: ENC[AES256_GCM,data:a7zP7tV+w4gdWh5Z8TCqs6T9cF4GZGny07gDsry5LdRHCSvMePjDmhTl3oPUT6IdxEQX0oMR7QsWGkuopSIiJ5FcY4Hbzp88ivSHCddaZCbSza9MeiQDU2XXCC1zaBFWFA75VF0Gkd/y4jwDHOpE+a9DERVJwgUuZMf1NaWVCOc=,iv:KDVtlwtnvX7HmA4T4x3sF9cicZzJGKuBHSBEom1tues=,tag:w3jfLi1poBTWFVkETPkt6Q==,type:str]
pgp:
- created_at: "2023-05-15T04:03:54Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=ukHh
-----END PGP MESSAGE-----
fp: 6B61ECD76088748C70590D55E90A401336C8AAA9
- created_at: "2023-05-15T04:03:54Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=tGMv
-----END PGP MESSAGE-----
fp: 88823A75ECAA786B0FF38B148E401478A3FBEF72
- created_at: "2023-05-15T04:03:54Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=bXHz
-----END PGP MESSAGE-----
fp: 3D7C8D39E8C4DF771583D3F0A8A091FD346001CA
encrypted_regex: ^(data|stringData)$
version: 3.7.3
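Review bot: Only `name`, `password` and `jdbc_url` of this Secret are consumed by postgres-auth.patch.yaml; `address`, `host`, `port` and `dbname` are referenced nowhere in this commit, so they are either leftovers or intended for a consumer not shown here — drop them or note which. Because the values are encrypted on this page, verify that the decrypted `jdbc_url` enables TLS to the database (for pgjdbc, `sslmode=verify-full`); the JDBC URL is the only place that decides whether the credentials cross the network in clear. If the password is also embedded in `jdbc_url`, rotating `password` alone leaves the old credential in use — keep it in one place.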


@ -0,0 +1,43 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: keycloak
spec:
template:
spec:
containers:
- name: keycloak
args:
- start
- --db=postgres
env:
- name: KEYCLOAK_ADMIN
valueFrom:
secretKeyRef:
name: keycloak-config
key: admin
- name: KEYCLOAK_ADMIN_PASSWORD
valueFrom:
secretKeyRef:
name: keycloak-config
key: admin_password
- name: KC_DB_USERNAME
valueFrom:
secretKeyRef:
name: database-configuration
key: name
- name: KC_DB_PASSWORD
valueFrom:
secretKeyRef:
name: database-configuration
key: password
- name: KC_DB_URL
valueFrom:
secretKeyRef:
name: database-configuration
key: jdbc_url
- name: KC_HOSTNAME_URL
valueFrom:
configMapKeyRef:
name: keycloak-config
key: KC_HOSTNAME_URL
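Review bot: `KEYCLOAK_ADMIN` / `KEYCLOAK_ADMIN_PASSWORD` are read by Keycloak only to create the initial admin on first start, yet this patch keeps the password in every pod's environment indefinitely, where `kubectl exec … env` or a process dump exposes it. After bootstrap, remove the two entries (or move them into a one-off Job) and rotate the admin user's password inside Keycloak rather than relying on the value that lives in git history. The DB username is taken from key `name` while the same Secret also carries `dbname`; naming the key `username` would stop the two being confused. The `args` list replaces the base Deployment's `["start"]` wholesale under strategic merge, which is intended here but worth a line such as `# args replace (not extend) the base Deployment's list`.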


@ -0,0 +1,53 @@
apiVersion: v1
kind: Service
metadata:
name: keycloak
labels:
app: keycloak
spec:
ports:
- name: http
port: 80
targetPort: 8080
selector:
app: keycloak
type: ClusterIP
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: keycloak
labels:
app: keycloak
spec:
replicas: 1
selector:
matchLabels:
app: keycloak
template:
metadata:
labels:
app: keycloak
spec:
containers:
- name: keycloak
image: quay.io/keycloak/keycloak:21.1.1
args: ["start"]
env:
- name: KC_PROXY
value: "edge"
- name: KC_HEALTH_ENABLED
value: "true"
ports:
- name: http
containerPort: 8080
readinessProbe:
httpGet:
path: /health/ready
port: 8080
initialDelaySeconds: 60
livenessProbe:
httpGet:
path: /health/live
port: 8080
initialDelaySeconds: 60
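Review bot: The container has no `securityContext` — nothing pins `runAsNonRoot`, drops capabilities or blocks privilege escalation — and no resource requests/limits, so a misbehaving Keycloak can starve the node. With `KC_PROXY: "edge"`, Keycloak trusts `X-Forwarded-*` headers on anything that reaches port 8080, so any pod that can reach the `keycloak` Service can spoof client addresses and sidestep IP-based brute-force detection; a NetworkPolicy limiting ingress to the ingress controller's namespace closes that. The image is pinned by tag only — `21.1.1` is mutable on the registry side — so pin `quay.io/keycloak/keycloak:21.1.1@sha256:…` with the digest of the image actually tested. The upstream image declares a non-root user, so `runAsNonRoot: true` should be satisfied, but confirm on a test rollout; the `/health/*` probe endpoints sit on the same port the Ingress forwards to and are therefore also public, which is harmless but worth knowing.
```yaml
      containers:
      - name: keycloak
        image: quay.io/keycloak/keycloak:21.1.1  # TODO: pin by @sha256 digest
        # … unchanged: args, env, ports, readinessProbe, livenessProbe …
        securityContext:
          runAsNonRoot: true
          allowPrivilegeEscalation: false
          seccompProfile:
            type: RuntimeDefault
          capabilities:
            drop: ["ALL"]
```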


@ -0,0 +1,22 @@
#!/bin/sh
if test -t 1; then
# This is not foolproof. Can easily be beat by doing |cat. This is just to
# make it less likely that secrets are output to terminal.
echo "Error: Not outputting secret to stdout; redirect output to a file or" \
"pipe output to \`sops\`." >/dev/stderr
exit 1
fi
KC_ADMIN=admin
KC_ADMIN_PASSWORD="$(pwgen 32 1)"
cat <<EOF
apiVersion: v1
kind: Secret
metadata:
name: keycloak-config
stringData:
admin: ${KC_ADMIN}
admin_password: ${KC_ADMIN_PASSWORD}
EOF
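Review bot: `pwgen 32 1` produces a "pronounceable" password by default, which has markedly less entropy than 32 uniformly random characters; use `pwgen -s 32 1` or `head -c 24 /dev/urandom | base64`. The script has no `set -eu`, so if `pwgen` is absent the command substitution yields an empty string and the heredoc silently emits `admin_password: ` — an empty YAML value, i.e. null — which sops will then encrypt without complaint; fail loudly instead. The scalars are emitted unquoted; pwgen's default charset is alphanumeric, but quoting both values keeps the output valid YAML whatever generator is swapped in later. `>/dev/stderr` is best written `>&2`, which works in every POSIX shell and does not depend on `/dev/stderr` existing or being writable.
```sh
#!/bin/sh
set -eu
# … unchanged: tty check (use >&2 instead of >/dev/stderr) …
KC_ADMIN=admin
KC_ADMIN_PASSWORD="$(pwgen -s 32 1)"
[ -n "$KC_ADMIN_PASSWORD" ] || { echo "Error: password generation failed" >&2; exit 1; }
cat <<EOF
# … unchanged: apiVersion, kind, metadata …
stringData:
  admin: "${KC_ADMIN}"
  admin_password: "${KC_ADMIN_PASSWORD}"
EOF
```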


@ -0,0 +1,7 @@
apiVersion: viaduct.ai/v1
kind: ksops
metadata:
name: ksops
files:
- ./keycloak-config.enc.yaml
- ./postgres-auth.enc.yaml