feat(auth): add keycloak for auth

2025-10-30 01:22:31 +00:00 · 2024-07-22 19:58:48 +02:00
parent 4d47d1c972
commit 628bdb53d6
22 changed files with 212 additions and 23 deletions
--- a/k8s/apps/media/arr/lidarr/http-route.yaml
+++ b/k8s/apps/media/arr/lidarr/http-route.yaml
@@ -1,7 +1,7 @@
 apiVersion: gateway.networking.k8s.io/v1
 kind: HTTPRoute
 metadata:
-  name: lidarr-http-route
+  name: lidarr
  namespace: arr
 spec:
  parentRefs:
--- a/k8s/apps/media/arr/prowlarr/http-route.yaml
+++ b/k8s/apps/media/arr/prowlarr/http-route.yaml
@@ -1,7 +1,7 @@
 apiVersion: gateway.networking.k8s.io/v1
 kind: HTTPRoute
 metadata:
-  name: prowlarr-http-route
+  name: prowlarr
  namespace: arr
 spec:
  parentRefs:
--- a/k8s/apps/media/arr/radarr/http-route.yaml
+++ b/k8s/apps/media/arr/radarr/http-route.yaml
@@ -1,7 +1,7 @@
 apiVersion: gateway.networking.k8s.io/v1
 kind: HTTPRoute
 metadata:
-  name: radarr-http-route
+  name: radarr
  namespace: arr
 spec:
  parentRefs:
--- a/k8s/apps/media/arr/sonarr/http-route.yaml
+++ b/k8s/apps/media/arr/sonarr/http-route.yaml
@@ -1,7 +1,7 @@
 apiVersion: gateway.networking.k8s.io/v1
 kind: HTTPRoute
 metadata:
-  name: sonarr-http-route
+  name: sonarr
  namespace: arr
 spec:
  parentRefs:
--- a/k8s/apps/media/arr/torrent/http-route.yaml
+++ b/k8s/apps/media/arr/torrent/http-route.yaml
@@ -1,7 +1,7 @@
 apiVersion: gateway.networking.k8s.io/v1
 kind: HTTPRoute
 metadata:
-  name: torrent-http-route
+  name: torrent
  namespace: arr
 spec:
  parentRefs:
--- a/k8s/apps/media/jellyfin/ingress.yaml
+++ b/k8s/apps/media/jellyfin/ingress.yaml
@@ -7,11 +7,17 @@ metadata:
    cert-manager.io/cluster-issuer: cloudflare-cluster-issuer
 spec:
  ingressClassName: cilium
-  defaultBackend:
-    service:
-      name: jellyfin
-      port:
-        name: web
+  rules:
+    - host: plex.stonegarden.dev
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: jellyfin
+                port:
+                  name: web
  tls:
    - secretName: jellyfin-ingress-tls
      hosts:
--- a/k8s/apps/media/plex/ingress.yaml
+++ b/k8s/apps/media/plex/ingress.yaml
@@ -7,11 +7,17 @@ metadata:
    cert-manager.io/cluster-issuer: cloudflare-cluster-issuer
 spec:
  ingressClassName: cilium
-  defaultBackend:
-    service:
-      name: plex
-      port:
-        name: web
+  rules:
+    - host: plex.stonegarden.dev
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: jellyfin
+                port:
+                  name: web
  tls:
    - secretName: plex-ingress-tls
      hosts:
--- a/k8s/infra/auth/application-set.yaml
+++ b/k8s/infra/auth/application-set.yaml
@@ -0,0 +1,34 @@
+apiVersion: argoproj.io/v1alpha1
+kind: ApplicationSet
+metadata:
+  name: auth
+  namespace: argocd
+  labels:
+    dev.stonegarden: auth
+spec:
+  generators:
+    - git:
+        repoURL: https://github.com/vehagn/homelab
+        revision: HEAD
+        directories:
+          - path: k8s/infra/auth/*
+  template:
+    metadata:
+      name: '{{ path.basename }}'
+      labels:
+        dev.stonegarden: controllers
+    spec:
+      project: auth
+      source:
+        plugin:
+          name: kustomize-build-with-helm
+        repoURL: https://github.com/vehagn/homelab
+        targetRevision: HEAD
+        path: '{{ path }}'
+      destination:
+        name: in-cluster
+        namespace: argocd
+      syncPolicy:
+        automated:
+          selfHeal: true
+          prune: true
--- a/k8s/infra/auth/keycloak/http-route.yaml
+++ b/k8s/infra/auth/keycloak/http-route.yaml
@@ -0,0 +1,19 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: keycloak
+  namespace: keycloak
+spec:
+  parentRefs:
+    - name: stonegarden
+      namespace: gateway
+  hostnames:
+    - "keycloak.stonegarden.dev"
+  rules:
+    - matches:
+        - path:
+            type: PathPrefix
+            value: /
+      backendRefs:
+        - name: keycloak
+          port: 80
--- a/k8s/infra/auth/keycloak/kustomization.yaml
+++ b/k8s/infra/auth/keycloak/kustomization.yaml
@@ -0,0 +1,17 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - ns.yaml
+  - pvc.yaml
+  - secret-keycloak-admin.yaml
+  - secret-keycloak-db-credentials.yaml
+  - http-route.yaml
+
+helmCharts:
+  - name: keycloak
+    repo: oci://registry-1.docker.io/bitnamicharts
+    version: 21.5.0
+    releaseName: keycloak
+    namespace: keycloak
+    valuesFile: values.yaml
--- a/k8s/infra/auth/keycloak/ns.yaml
+++ b/k8s/infra/auth/keycloak/ns.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: keycloak
--- a/k8s/infra/auth/keycloak/pvc.yaml
+++ b/k8s/infra/auth/keycloak/pvc.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: keycloak-db
+  namespace: keycloak
+spec:
+  storageClassName: proxmox-csi
+  volumeName: pv-keycloak-db
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 2G
--- a/k8s/infra/auth/keycloak/secret-keycloak-admin.yaml
+++ b/k8s/infra/auth/keycloak/secret-keycloak-admin.yaml
@@ -0,0 +1,13 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  name: keycloak-admin-password
+  namespace: keycloak
+spec:
+  encryptedData:
+    password: AgCtAk6YIuPCrmLjGzqR9Ffa0mNdcPozulyLkW3JpC6n5QXi7CwjejQv2R7GYO/EbZEbUxhhCXpXuNu4LqEfmxB85Yzh435w8lpINSah9nXs/Gmzf9BddEFc5ki5PErTugXz4JbV9D2lvnpIZ1BHW23EdS2LUiX4CW3MQ0gHBJz4JqyKSZV4MSNl015zOzec6Wt2CYinZs7a6cZ9CnsfnAq5RPY0uUN+Pmelrr1O+Qa11OG7MmzKtfbUGj4v2wuVDDRZCW7/nFiTnYQt7TvyAwKL9p7DBFDMNFO6F1bfUx1z9pXjUp3mrqAJ4gAAUcj9n073EqfVCxkwUnor68m1zQSq4tDzFUn00Z0ArcJ/ndPGjv7Qg/S6LXYUDMlmEdFSkNY0c2qHgBAdWVWoGkh1FURoPnu9z6c4d+fd+VbkJyJZyWhGGOAYU10HkOtt/dU4rV2siCDLIw1SNEqso3eY8A/xg/9U9RnX2sxq3dTboFFE+tzZ/rCyxcz8TRlxJmWKjU7ApIWPvQ/RSP7OnK/VU6Q75YJvkW6nskyUZphNQdNeBq5JY6i7m3LP5o9eVKiiuow0ff4AVrWD3FgoxrhySNPyW1GTZje7qCXb0QB79CKE8kiKztG3U2B0mN3ciVS8Yc0tL03OG6NZdDPNQ7duHxKtRl9+Bk3TRPA9Itv7P3gOgGmxM/AMNUkOJwCwRU+UaMTyH7P1Vkqe1TIYRr5fYq+9my8YEhOn3OVgoiJe24DSVA==
+  template:
+    metadata:
+      name: keycloak-admin-password
+      namespace: keycloak
+    type: Opaque
--- a/k8s/infra/auth/keycloak/secret-keycloak-db-credentials.yaml
+++ b/k8s/infra/auth/keycloak/secret-keycloak-db-credentials.yaml
@@ -0,0 +1,15 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  name: keycloak-db-credentials
+  namespace: keycloak
+spec:
+  encryptedData:
+    password: AgAX+W26NjQoGjEeI8mssAGhXj2c38ImnvOUFU+guPrRNYFJBfkk6I6y1RShiRqUUaBu+nj/ZDL5M0QNbHOCLXoB8yOtAO+yq4Mx8eWgEU9mt0OVaMr2yFfyknAnarXBRVoaCD/lpVHS+ktSK9QZkRjmkhGqdBvAYmcXGGI4ZJUgRY88L+4KvVR4Dos0TPKbsB0MAqPJhc6BIW2+5PZsIAYQ4Z2QD4U/u7vzhvxT//74ggYN4fD4NN37vIN70RuW3wIFAerCZQktbbWtrEW6b4gUuubrSw4cWvPyrLFXj0ZA009wiBlTveqy6jjUj451vutyfIjlQZSd/zBiyy9Y81fjdBH9yUZG19PqrLWMsTsOBz0wnnQvU4v761vN77wWHHhkIxl3/O+inSBOR8lHmuFrxZ4TPAfl9RjxqBWA/v7x1UnFV5gjn40xkUK6+Yio0YZ1Bbc9zTgEhgdYc1F7ojMGzqG4ydc92O++1/+9UDWPMd3ngR9C5kYHzYorhoo0Wb6eeRPp+8dgROGdVYHZIzWk27ADj3IdIZVrsfJ6y+TG6MC22GtAqUj5e08erAFL6hZsg6ESK6HHhx+/StSE2tcHTbpDXw/QXjeLpz3zRQyZ0lWc3oKEhiBlnig7JwFUlnJO84X1RSHoQPiElUxgpo3WZD1YXbsgHeC2we6L+Dou6666Jo2PJvGqgubO47m/rq/T7mTM+mjryFYDx4wixy1quyhzwQ==
+    postgres-password: AgCoNnf6juZCsjRTqdzbs1y1pgM8o8wpUMzjoabtf1AEkvvBVbwomOAvX0FQPpIN7BqFHeTe+00Tn7EsgKfJAmt+OlJ2o4Kkh7G1kCC8ZNF7/r7ZjBdJjO0cTIa27eCIivV3EqklADcQB1n5Ave+nJaQeUoSZFcv4OMODWFwFOvJpYvcTtQj6MCd8A/StES9ZTrE35cV5LvK82NLoV9oJUdcu8NyGyOZ67E8wj0i0LrK93rdrUgvebx3ww00LF1ZWAMKhm/WE9Qo5IgHHv/WsYTtRpyeZfwuErDmQoG839wP9H2iQH2wvVd+b0pj7VXPQ1R891hTomRBC0ylmLU4fjYGnI29CnY1DMIhgN79rm79ecXrBK1NqO6cHjlY0Inuf0jYokWzEyFjep5NC7uaTvBO97N1FYH0+2VheD8QHXLTE5lsxYJgjPPzDUhp3PHrjKGPIo9tc+ONCX+UsMblG+x7wLBVZnW5yT1yKyr0tRbNy0ZtRrJiPB+rP1oDpiVcyIyjGwDdKMTaDpfaSOOyv6r+psh0tLeBgDdkpza6Kzs3YsVJGtbvUer2cPYOwZsJLJOExoSmNY4ZiWOks5wHbBmBivXTeSI6/aeB19QrO3b5CaJL4G40epWyexd+dSHgk+1YXKUcY7aUISVPQdAX8O7cKNmrabQ/UVFjfXJ73H+RBV2zH3BW8FabgbNxJr26JXX5vWvGlVurVurZ7N795F33V4UMakO3lmU=
+    username: AgC7mQo1QGCJNu0vw4cL5eztm3O1BQbF8PxFyO95izYl8YZHbtqbWBrlfbQ+8mftAxVpIpPQ3SB7veTppNumrtNiHXR2yx6IiVNKYXTRPj/hlwA+qdkHS8NWcdvyoE/5+tKgUj+nmkjHBwnpRQsahdzehqL8K0WOIKyHGPfWx3+JZhSyId/SIGRRhem59OwOQ5yKeNVMxfxbLnldEEI1tAVJYBFyyXZixK5UB4MD97/+5dDh/FEtE1vII93n7iDqDsgdMf2D/NNYFrxMCXs6iEKGov+VGKXOUXTJPS0RRk7eGlVFplz4sO8n29gV/kxe3IcIhWIrQrudF0I+YbUJhYCau373xdDROH0FJboJ/HuyudS1gHdIy5ofjibxwvRnpEfma/FD6L6r3a4ZG1Yyz+a1QmR1XDiXcuK1M6kjWVWVeX3uoLywT9PcSxDLARUuVmg+X2CEZkwvxLfu7HD5JRb2ggwA++giLR8u6LsNOm7drWTFjlGNsATqcGA7FtzoIhk8haYHdlT/sQEx7FLvPimht7tyEwuKwsykBwekpXr8FdjIyIzj2SEmR6M8sHlZNY0dop9wlEzy4/HXDXX2KSGMnLdmZDRhkZcizdiDopD+8tOipIfxBDWscYM7kraUmtySAOZ8gldtlBRC6UJwgryebtjsivyZeIzn70Q7HapNGv/Uc0/f3AxJLy6l64+mZCN4nDh/2+V1CLgY9w==
+  template:
+    metadata:
+      name: keycloak-db-credentials
+      namespace: keycloak
+    type: Opaque
--- a/k8s/infra/auth/keycloak/values.yaml
+++ b/k8s/infra/auth/keycloak/values.yaml
@@ -0,0 +1,35 @@
+# https://github.com/bitnami/charts/blob/main/bitnami/keycloak/values.yaml
+auth:
+  adminUser: admin
+  existingSecret: keycloak-admin-password
+  passwordSecretKey: password
+
+production: true
+
+nodeSelector:
+  topology.kubernetes.io/zone: euclid
+
+proxy: edge
+
+ingress:
+  enabled: true
+  annotations:
+    cert-manager.io/cluster-issuer: cloudflare-cluster-issuer
+  hostname: keycloak.stonegarden.dev
+  pathType: Prefix
+  path: /
+  tls: true
+
+postgresql:
+  enabled: true
+  auth:
+    existingSecret: keycloak-db-credentials
+  # https://github.com/bitnami/charts/blob/main/bitnami/postgresql/values.yaml
+  primary:
+    nodeAffinityPreset:
+      type: hard
+      key: topology.kubernetes.io/zone
+      values: [ euclid ]
+    persistence:
+      enabled: true
+      existingClaim: keycloak-db
--- a/k8s/infra/auth/kustomization.yaml
+++ b/k8s/infra/auth/kustomization.yaml
@@ -0,0 +1,9 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+commonLabels:
+  dev.stonegarden: auth
+  app.kubernetes.io/managed-by: argocd
+
+resources:
+  - project.yaml
+  - application-set.yaml
--- a/k8s/infra/auth/project.yaml
+++ b/k8s/infra/auth/project.yaml
@@ -0,0 +1,16 @@
+apiVersion: argoproj.io/v1alpha1
+kind: AppProject
+metadata:
+  name: auth
+  namespace: argocd
+spec:
+  sourceRepos:
+    - 'https://github.com/vehagn/homelab'
+  destinations:
+    - namespace: 'argocd'
+      server: '*'
+    - namespace: 'keycloak'
+      server: '*'
+  clusterResourceWhitelist:
+    - group: '*'
+      kind: '*'
--- a/k8s/infra/controllers/argocd/ns.yaml
+++ b/k8s/infra/controllers/argocd/ns.yaml
@@ -1,4 +1,4 @@
 apiVersion: v1
 kind: Namespace
 metadata:
-  name: argocd
+  name: argocd
--- a/k8s/infra/controllers/cert-manager/ns.yaml
+++ b/k8s/infra/controllers/cert-manager/ns.yaml
@@ -1,4 +1,4 @@
 apiVersion: v1
 kind: Namespace
 metadata:
-  name: cert-manager
+  name: cert-manager
--- a/k8s/infra/controllers/sealed-secrets/kustomization.yaml
+++ b/k8s/infra/controllers/sealed-secrets/kustomization.yaml
@@ -3,8 +3,6 @@ kind: Kustomization

 helmCharts:
  - name: sealed-secrets
-#    repo: https://bitnami-labs.github.io/sealed-secrets
-#    version: 2.16.0
    repo: oci://registry-1.docker.io/bitnamicharts
    version: 2.4.2
    releaseName: sealed-secrets-controller
--- a/k8s/infra/network/cloudflared/daemon-set.yaml
+++ b/k8s/infra/network/cloudflared/daemon-set.yaml
@@ -31,12 +31,12 @@ spec:
            failureThreshold: 5
            periodSeconds: 10
          resources:
-            limits:
-              cpu: 100m
-              memory: 64Mi
            requests:
-              cpu: 20m
+              cpu: 50m
              memory: 32Mi
+            limits:
+              cpu: 1000m
+              memory: 128Mi
          volumeMounts:
            - name: cloudflared-config
              mountPath: /etc/cloudflared/config/config.yaml
--- a/tofu/kubernetes/main.tf
+++ b/tofu/kubernetes/main.tf
@@ -125,6 +125,10 @@ module "volumes" {
      node = "euclid"
      size = "1G"
    }
+    pv-keycloak-db = {
+      node = "euclid"
+      size = "2G"
+    }
    pv-jellyfin-config = {
      node = "euclid"
      size = "12G"