feat(auth): add keycloak for auth
@@ -1,7 +1,7 @@
|
|||||||
apiVersion: gateway.networking.k8s.io/v1
|
apiVersion: gateway.networking.k8s.io/v1
|
||||||
kind: HTTPRoute
|
kind: HTTPRoute
|
||||||
metadata:
|
metadata:
|
||||||
name: lidarr-http-route
|
name: lidarr
|
||||||
namespace: arr
|
namespace: arr
|
||||||
spec:
|
spec:
|
||||||
parentRefs:
|
parentRefs:
|
||||||
|
|||||||
@@ -1,7 +1,7 @@
|
|||||||
apiVersion: gateway.networking.k8s.io/v1
|
apiVersion: gateway.networking.k8s.io/v1
|
||||||
kind: HTTPRoute
|
kind: HTTPRoute
|
||||||
metadata:
|
metadata:
|
||||||
name: prowlarr-http-route
|
name: prowlarr
|
||||||
namespace: arr
|
namespace: arr
|
||||||
spec:
|
spec:
|
||||||
parentRefs:
|
parentRefs:
|
||||||
|
|||||||
@@ -1,7 +1,7 @@
|
|||||||
apiVersion: gateway.networking.k8s.io/v1
|
apiVersion: gateway.networking.k8s.io/v1
|
||||||
kind: HTTPRoute
|
kind: HTTPRoute
|
||||||
metadata:
|
metadata:
|
||||||
name: radarr-http-route
|
name: radarr
|
||||||
namespace: arr
|
namespace: arr
|
||||||
spec:
|
spec:
|
||||||
parentRefs:
|
parentRefs:
|
||||||
|
|||||||
@@ -1,7 +1,7 @@
|
|||||||
apiVersion: gateway.networking.k8s.io/v1
|
apiVersion: gateway.networking.k8s.io/v1
|
||||||
kind: HTTPRoute
|
kind: HTTPRoute
|
||||||
metadata:
|
metadata:
|
||||||
name: sonarr-http-route
|
name: sonarr
|
||||||
namespace: arr
|
namespace: arr
|
||||||
spec:
|
spec:
|
||||||
parentRefs:
|
parentRefs:
|
||||||
|
|||||||
@@ -1,7 +1,7 @@
|
|||||||
apiVersion: gateway.networking.k8s.io/v1
|
apiVersion: gateway.networking.k8s.io/v1
|
||||||
kind: HTTPRoute
|
kind: HTTPRoute
|
||||||
metadata:
|
metadata:
|
||||||
name: torrent-http-route
|
name: torrent
|
||||||
namespace: arr
|
namespace: arr
|
||||||
spec:
|
spec:
|
||||||
parentRefs:
|
parentRefs:
|
||||||
|
|||||||
@@ -7,7 +7,13 @@ metadata:
|
|||||||
cert-manager.io/cluster-issuer: cloudflare-cluster-issuer
|
cert-manager.io/cluster-issuer: cloudflare-cluster-issuer
|
||||||
spec:
|
spec:
|
||||||
ingressClassName: cilium
|
ingressClassName: cilium
|
||||||
defaultBackend:
|
rules:
|
||||||
|
- host: plex.stonegarden.dev
|
||||||
|
http:
|
||||||
|
paths:
|
||||||
|
- path: /
|
||||||
|
pathType: Prefix
|
||||||
|
backend:
|
||||||
service:
|
service:
|
||||||
name: jellyfin
|
name: jellyfin
|
||||||
port:
|
port:
|
||||||
|
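Review bot: The added `rules` entry routes host `plex.stonegarden.dev` to service `jellyfin`, and the hunk `@@ -7,9 +7,15 @@` does the same after renaming its backend from `plex` to `jellyfin`; if these are two Ingress objects in the same `cilium` class, they now declare an identical host and `/` path, which leaves the controller to pick one and makes Jellyfin reachable only under the Plex name. Confirm whether this hunk's host should be `jellyfin.stonegarden.dev`, and that the `tls` hosts (context at the end of the second hunk) match the rule host so cert-manager issues a certificate for the name actually served. The enclosing Ingress spec continues outside both hunks.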
|||||||
@@ -7,9 +7,15 @@ metadata:
|
|||||||
cert-manager.io/cluster-issuer: cloudflare-cluster-issuer
|
cert-manager.io/cluster-issuer: cloudflare-cluster-issuer
|
||||||
spec:
|
spec:
|
||||||
ingressClassName: cilium
|
ingressClassName: cilium
|
||||||
defaultBackend:
|
rules:
|
||||||
|
- host: plex.stonegarden.dev
|
||||||
|
http:
|
||||||
|
paths:
|
||||||
|
- path: /
|
||||||
|
pathType: Prefix
|
||||||
|
backend:
|
||||||
service:
|
service:
|
||||||
name: plex
|
name: jellyfin
|
||||||
port:
|
port:
|
||||||
name: web
|
name: web
|
||||||
tls:
|
tls:
|
||||||
|
|||||||
34
k8s/infra/auth/application-set.yaml
Normal file
34
k8s/infra/auth/application-set.yaml
Normal file
@@ -0,0 +1,34 @@
|
|||||||
|
apiVersion: argoproj.io/v1alpha1
|
||||||
|
kind: ApplicationSet
|
||||||
|
metadata:
|
||||||
|
name: auth
|
||||||
|
namespace: argocd
|
||||||
|
labels:
|
||||||
|
dev.stonegarden: auth
|
||||||
|
spec:
|
||||||
|
generators:
|
||||||
|
- git:
|
||||||
|
repoURL: https://github.com/vehagn/homelab
|
||||||
|
revision: HEAD
|
||||||
|
directories:
|
||||||
|
- path: k8s/infra/auth/*
|
||||||
|
template:
|
||||||
|
metadata:
|
||||||
|
name: '{{ path.basename }}'
|
||||||
|
labels:
|
||||||
|
dev.stonegarden: controllers
|
||||||
|
spec:
|
||||||
|
project: auth
|
||||||
|
source:
|
||||||
|
plugin:
|
||||||
|
name: kustomize-build-with-helm
|
||||||
|
repoURL: https://github.com/vehagn/homelab
|
||||||
|
targetRevision: HEAD
|
||||||
|
path: '{{ path }}'
|
||||||
|
destination:
|
||||||
|
name: in-cluster
|
||||||
|
namespace: argocd
|
||||||
|
syncPolicy:
|
||||||
|
automated:
|
||||||
|
selfHeal: true
|
||||||
|
prune: true
|
||||||
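Review bot: The generated Applications carry `dev.stonegarden: controllers` under `template.metadata.labels`, while the ApplicationSet itself and `k8s/infra/auth/kustomization.yaml` use `dev.stonegarden: auth`; this looks carried over from another ApplicationSet and will make the auth Applications match any selector aimed at the controllers group. Change it to `dev.stonegarden: auth`. Both the generator `revision` and the template `targetRevision` track `HEAD` with `selfHeal` and `prune` enabled, so every push to the default branch is applied and anything removed is pruned immediately; a one-line comment stating that this is intended would save the next reader from wondering whether a pinned revision was forgotten.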
19
k8s/infra/auth/keycloak/http-route.yaml
Normal file
19
k8s/infra/auth/keycloak/http-route.yaml
Normal file
@@ -0,0 +1,19 @@
|
|||||||
|
apiVersion: gateway.networking.k8s.io/v1
|
||||||
|
kind: HTTPRoute
|
||||||
|
metadata:
|
||||||
|
name: keycloak
|
||||||
|
namespace: keycloak
|
||||||
|
spec:
|
||||||
|
parentRefs:
|
||||||
|
- name: stonegarden
|
||||||
|
namespace: gateway
|
||||||
|
hostnames:
|
||||||
|
- "keycloak.stonegarden.dev"
|
||||||
|
rules:
|
||||||
|
- matches:
|
||||||
|
- path:
|
||||||
|
type: PathPrefix
|
||||||
|
value: /
|
||||||
|
backendRefs:
|
||||||
|
- name: keycloak
|
||||||
|
port: 80
|
||||||
17
k8s/infra/auth/keycloak/kustomization.yaml
Normal file
17
k8s/infra/auth/keycloak/kustomization.yaml
Normal file
@@ -0,0 +1,17 @@
|
|||||||
|
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||||
|
kind: Kustomization
|
||||||
|
|
||||||
|
resources:
|
||||||
|
- ns.yaml
|
||||||
|
- pvc.yaml
|
||||||
|
- secret-keycloak-admin.yaml
|
||||||
|
- secret-keycloak-db-credentials.yaml
|
||||||
|
- http-route.yaml
|
||||||
|
|
||||||
|
helmCharts:
|
||||||
|
- name: keycloak
|
||||||
|
repo: oci://registry-1.docker.io/bitnamicharts
|
||||||
|
version: 21.5.0
|
||||||
|
releaseName: keycloak
|
||||||
|
namespace: keycloak
|
||||||
|
valuesFile: values.yaml
|
||||||
4
k8s/infra/auth/keycloak/ns.yaml
Normal file
4
k8s/infra/auth/keycloak/ns.yaml
Normal file
@@ -0,0 +1,4 @@
|
|||||||
|
apiVersion: v1
|
||||||
|
kind: Namespace
|
||||||
|
metadata:
|
||||||
|
name: keycloak
|
||||||
13
k8s/infra/auth/keycloak/pvc.yaml
Normal file
13
k8s/infra/auth/keycloak/pvc.yaml
Normal file
@@ -0,0 +1,13 @@
|
|||||||
|
apiVersion: v1
|
||||||
|
kind: PersistentVolumeClaim
|
||||||
|
metadata:
|
||||||
|
name: keycloak-db
|
||||||
|
namespace: keycloak
|
||||||
|
spec:
|
||||||
|
storageClassName: proxmox-csi
|
||||||
|
volumeName: pv-keycloak-db
|
||||||
|
accessModes:
|
||||||
|
- ReadWriteOnce
|
||||||
|
resources:
|
||||||
|
requests:
|
||||||
|
storage: 2G
|
||||||
13
k8s/infra/auth/keycloak/secret-keycloak-admin.yaml
Normal file
13
k8s/infra/auth/keycloak/secret-keycloak-admin.yaml
Normal file
@@ -0,0 +1,13 @@
|
|||||||
|
apiVersion: bitnami.com/v1alpha1
|
||||||
|
kind: SealedSecret
|
||||||
|
metadata:
|
||||||
|
name: keycloak-admin-password
|
||||||
|
namespace: keycloak
|
||||||
|
spec:
|
||||||
|
encryptedData:
|
||||||
|
password: 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
|
||||||
|
template:
|
||||||
|
metadata:
|
||||||
|
name: keycloak-admin-password
|
||||||
|
namespace: keycloak
|
||||||
|
type: Opaque
|
||||||
15
k8s/infra/auth/keycloak/secret-keycloak-db-credentials.yaml
Normal file
15
k8s/infra/auth/keycloak/secret-keycloak-db-credentials.yaml
Normal file
@@ -0,0 +1,15 @@
|
|||||||
|
apiVersion: bitnami.com/v1alpha1
|
||||||
|
kind: SealedSecret
|
||||||
|
metadata:
|
||||||
|
name: keycloak-db-credentials
|
||||||
|
namespace: keycloak
|
||||||
|
spec:
|
||||||
|
encryptedData:
|
||||||
|
password: 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
|
||||||
|
postgres-password: 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
|
||||||
|
username: 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
|
||||||
|
template:
|
||||||
|
metadata:
|
||||||
|
name: keycloak-db-credentials
|
||||||
|
namespace: keycloak
|
||||||
|
type: Opaque
|
||||||
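Review bot: The `username` entry in `encryptedData` has no visible consumer in this commit: `values.yaml` points `postgresql.auth.existingSecret` at this secret but sets neither `postgresql.auth.username` nor `postgresql.auth.secretKeys`, so the subchart presumably reads only the `password` and `postgres-password` keys and falls back to its default username — confirm against the chart's values before relying on the sealed username. If the username is meant to be configured, it is not a credential and can be set as `postgresql.auth.username` in `values.yaml`, leaving this SealedSecret with only the two passwords.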
35
k8s/infra/auth/keycloak/values.yaml
Normal file
35
k8s/infra/auth/keycloak/values.yaml
Normal file
@@ -0,0 +1,35 @@
|
|||||||
|
# https://github.com/bitnami/charts/blob/main/bitnami/keycloak/values.yaml
|
||||||
|
auth:
|
||||||
|
adminUser: admin
|
||||||
|
existingSecret: keycloak-admin-password
|
||||||
|
passwordSecretKey: password
|
||||||
|
|
||||||
|
production: true
|
||||||
|
|
||||||
|
nodeSelector:
|
||||||
|
topology.kubernetes.io/zone: euclid
|
||||||
|
|
||||||
|
proxy: edge
|
||||||
|
|
||||||
|
ingress:
|
||||||
|
enabled: true
|
||||||
|
annotations:
|
||||||
|
cert-manager.io/cluster-issuer: cloudflare-cluster-issuer
|
||||||
|
hostname: keycloak.stonegarden.dev
|
||||||
|
pathType: Prefix
|
||||||
|
path: /
|
||||||
|
tls: true
|
||||||
|
|
||||||
|
postgresql:
|
||||||
|
enabled: true
|
||||||
|
auth:
|
||||||
|
existingSecret: keycloak-db-credentials
|
||||||
|
# https://github.com/bitnami/charts/blob/main/bitnami/postgresql/values.yaml
|
||||||
|
primary:
|
||||||
|
nodeAffinityPreset:
|
||||||
|
type: hard
|
||||||
|
key: topology.kubernetes.io/zone
|
||||||
|
values: [ euclid ]
|
||||||
|
persistence:
|
||||||
|
enabled: true
|
||||||
|
existingClaim: keycloak-db
|
||||||
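Review bot: `ingress.enabled: true` with `hostname: keycloak.stonegarden.dev` has the chart create an Ingress for the same host that `k8s/infra/auth/keycloak/http-route.yaml` already serves through the `stonegarden` Gateway, so Keycloak is published on two independent paths for one name. With `proxy: edge` Keycloak trusts forwarded headers from whichever hop reaches it, so a single intentional entry point is the easier shape to reason about; set `ingress.enabled: false` (dropping the `annotations`, `hostname`, `pathType`, `path` and `tls` keys) unless the Ingress is deliberately kept as a fallback, and add a comment naming the authoritative path either way. As a point of style, `values: [ euclid ]` is the file's only flow-style collection and uses inner padding; `values: [euclid]` or a block list matches the rest of the file.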
9
k8s/infra/auth/kustomization.yaml
Normal file
9
k8s/infra/auth/kustomization.yaml
Normal file
@@ -0,0 +1,9 @@
|
|||||||
|
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||||
|
kind: Kustomization
|
||||||
|
commonLabels:
|
||||||
|
dev.stonegarden: auth
|
||||||
|
app.kubernetes.io/managed-by: argocd
|
||||||
|
|
||||||
|
resources:
|
||||||
|
- project.yaml
|
||||||
|
- application-set.yaml
|
||||||
16
k8s/infra/auth/project.yaml
Normal file
16
k8s/infra/auth/project.yaml
Normal file
@@ -0,0 +1,16 @@
|
|||||||
|
apiVersion: argoproj.io/v1alpha1
|
||||||
|
kind: AppProject
|
||||||
|
metadata:
|
||||||
|
name: auth
|
||||||
|
namespace: argocd
|
||||||
|
spec:
|
||||||
|
sourceRepos:
|
||||||
|
- 'https://github.com/vehagn/homelab'
|
||||||
|
destinations:
|
||||||
|
- namespace: 'argocd'
|
||||||
|
server: '*'
|
||||||
|
- namespace: 'keycloak'
|
||||||
|
server: '*'
|
||||||
|
clusterResourceWhitelist:
|
||||||
|
- group: '*'
|
||||||
|
kind: '*'
|
||||||
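Review bot: `clusterResourceWhitelist` grants the auth project every cluster-scoped kind in every API group, and both destinations use `server: '*'`, which is wider than the project needs: the only cluster-scoped resource under `k8s/infra/auth/keycloak` is the `Namespace` in `ns.yaml`, and the ApplicationSet targets `in-cluster` only. Narrowing it to `- group: ''` / `kind: Namespace` and pinning the destination to `server: https://kubernetes.default.svc` keeps a mistaken or compromised auth Application from creating ClusterRoles, CRDs or admission webhooks. If the wildcard is kept for parity with the other projects, a comment saying so would make that a visible choice rather than an oversight.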
@@ -3,8 +3,6 @@ kind: Kustomization
|
|||||||
|
|
||||||
helmCharts:
|
helmCharts:
|
||||||
- name: sealed-secrets
|
- name: sealed-secrets
|
||||||
# repo: https://bitnami-labs.github.io/sealed-secrets
|
|
||||||
# version: 2.16.0
|
|
||||||
repo: oci://registry-1.docker.io/bitnamicharts
|
repo: oci://registry-1.docker.io/bitnamicharts
|
||||||
version: 2.4.2
|
version: 2.4.2
|
||||||
releaseName: sealed-secrets-controller
|
releaseName: sealed-secrets-controller
|
||||||
|
|||||||
@@ -31,12 +31,12 @@ spec:
|
|||||||
failureThreshold: 5
|
failureThreshold: 5
|
||||||
periodSeconds: 10
|
periodSeconds: 10
|
||||||
resources:
|
resources:
|
||||||
limits:
|
|
||||||
cpu: 100m
|
|
||||||
memory: 64Mi
|
|
||||||
requests:
|
requests:
|
||||||
cpu: 20m
|
cpu: 50m
|
||||||
memory: 32Mi
|
memory: 32Mi
|
||||||
|
limits:
|
||||||
|
cpu: 1000m
|
||||||
|
memory: 128Mi
|
||||||
volumeMounts:
|
volumeMounts:
|
||||||
- name: cloudflared-config
|
- name: cloudflared-config
|
||||||
mountPath: /etc/cloudflared/config/config.yaml
|
mountPath: /etc/cloudflared/config/config.yaml
|
||||||
|
|||||||
@@ -125,6 +125,10 @@ module "volumes" {
|
|||||||
node = "euclid"
|
node = "euclid"
|
||||||
size = "1G"
|
size = "1G"
|
||||||
}
|
}
|
||||||
|
pv-keycloak-db = {
|
||||||
|
node = "euclid"
|
||||||
|
size = "2G"
|
||||||
|
}
|
||||||
pv-jellyfin-config = {
|
pv-jellyfin-config = {
|
||||||
node = "euclid"
|
node = "euclid"
|
||||||
size = "12G"
|
size = "12G"
|
||||||
|
|||||||