feat(auth): add Keycloak for auth

infra/apps/application-set.yaml

@@ -0,0 +1,36 @@
+apiVersion: argoproj.io/v1alpha1
+kind: ApplicationSet
+metadata:
+  name: infra-apps
+  namespace: argocd
+  labels:
+    dev.stonegarden: infra-apps
+spec:
+  generators:
+    - git:
+        repoURL: https://github.com/vehagn/homelab
+        revision: HEAD
+        directories:
+          - path: infra/apps/*
+  template:
+    metadata:
+      name: '{{ path.basename }}'
+      labels:
+        dev.stonegarden: infrastructure
+      finalizers:
+        - resources-finalizer.argocd.argoproj.io
+    spec:
+      project: infra-apps
+      source:
+        plugin:
+          name: kustomize-build-with-helm
+        repoURL: https://github.com/vehagn/homelab
+        targetRevision: HEAD
+        path: '{{ path }}'
+      destination:
+        name: in-cluster
+        namespace: argocd
+      syncPolicy:
+        automated:
+          selfHeal: true
+          prune: true

infra/apps/keycloak/http-route.yaml

@@ -0,0 +1,19 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: keycloak
+  namespace: keycloak
+spec:
+  parentRefs:
+    - name: stonegarden
+      namespace: gateway
+  hostnames:
+    - "keycloak.stonegarden.dev"
+  rules:
+    - matches:
+        - path:
+            type: PathPrefix
+            value: /
+      backendRefs:
+        - name: keycloak
+          port: 80

infra/apps/keycloak/kustomization.yaml

@@ -0,0 +1,20 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - pv.yaml
+  - ns.yaml
+  - http-route.yaml
+  - secret-keycloak-postgresql.yaml
+  - secret-keycloak-admin.yaml
+
+helmCharts:
+  - name: keycloak
+    repo: oci://registry-1.docker.io/bitnamicharts
+    version: 21.1.1
+    releaseName: keycloak
+    includeCRDs: true
+    namespace: keycloak
+    valuesFile: values.yaml
+
+

infra/apps/keycloak/ns.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: keycloak

infra/apps/keycloak/pv.yaml

@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: keycloak-db
+  labels:
+    app: keycloak
+spec:
+  capacity:
+    storage: 8Gi
+  volumeMode: Filesystem
+  accessModes:
+    - ReadWriteOnce
+  persistentVolumeReclaimPolicy: Retain
+  local:
+    path: /disk/etc/keycloak
+  nodeAffinity:
+    required:
+      nodeSelectorTerms:
+        - matchExpressions:
+            - key: kubernetes.io/hostname
+              operator: In
+              values:
+                - gauss

infra/apps/keycloak/secret-keycloak-admin.yaml

@@ -0,0 +1,13 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  name: keycloak-admin
+  namespace: keycloak
+spec:
+  encryptedData:
+    password: AgCUvceBKvb5ULjP0KlLy+8Uj7G5hq0MrvNtbStV4f/tjs4tFah0ZmHaP4OrT5o5xhmaDga7Ozu8BstvW210eiYBMYJ59+u1n5Sh8H8XpJJNQ38MOxeRl2Wftdx4uAOLMyj68qv58LYmwXic/WIgP3pn4X/YR3wHJ3EgwUnU7c8XeifzVrYwNwNibu0WUJpXABE3JU2szbd8bvQscAwJpYFdf1iJoYjvvVMaRTe9SmNN8ybIZxT3z56+CxXx2gA6+Qn0Uiq4ToGo5DHYP1uivlk2I9GrRj/SFhISSV0JywEznNf2iZUBlM+9qZkbQo99Fe0VeFsDu/uzEjS5yHnDfPVSrAm4uCaE+4DbbPAN3HOm0/agf0wf/QNOgifI/uiuJatuSkP6WuzaO+lz5nyJEiGpBkuGcawMZ8YNdnaTpfDFZPL1HoNApYkqO1+4YvvTzYZcpuQM8ljiqTxeUpSjA7rBjCKExJhGupt9FjQb7ed8PDtxZD+fYKAzvI+gAQaI7Bn0sNVVqOG6QaPsL4sa3ZBT0dcQtItHj487iVkvyVS9iZn1tbsIu5K4JE4rH4h+opvmWiFxGOhnxf5bWJa+6rouWR3R3PAcKji8RGIKCR4CnQwbhFWXA7P0301rsJ3VLwhBxl9kHxtkwMpsUwGO8v0gbhNPTVoN0tvLj8E4QTuwyPSfraOsBPyicq4dOLDZ0ZUGVPSDdJQuRApPCGp/Ssreq5YbfFbFIuxzwm6BF1TBRA==
+  template:
+    metadata:
+      name: keycloak-admin
+      namespace: keycloak
+    type: Opaque

infra/apps/keycloak/secret-keycloak-postgresql.yaml

@@ -0,0 +1,15 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  name: keycloak-postgresql
+  namespace: keycloak
+spec:
+  encryptedData:
+    username: AgBU9BBpv9UfBm/q6nhfYucDBSh0PGP5paA1M8GOD+f0IMCC53SHMIUpu74hv7aRiJ4BG35SfxfnkMbuQWApxcARFnD3GaALN2lOgerSUlVFnj77BDnf1Ej6TTT0pYNXbRIRQOKA2Uz/7rkvhlOz7Cc8jqc6oYCB8FWdbcZwnbDQ0ZbWVgtxo4G2PPSDdI87WrasZCnrK533aWFGoof5M9cfDnyRjhgzrbbMivIQ6SmDE9MMg6AmlavTPOAQJjWKmWPBcnvCmIST9QS4LFnJh2Dw8R88Ak6eN7luKvTaRtX39zB47NernQy9itbFh1uq06qcmxfjpVGbLX17IOWClACZIUgsUJjWqL1gX4KN4NxXxAj31LUp0qc4BHX6ufpSVlea7sO2icwnBKEyNY3mPDHOL8CEqNQ+6m8h0tdS5URPEtbubvtrfijZL2BTrvDJ45fEMODu61J0J3+FHhR+6tLPtH3NC4gymcWg0dAPh3SPC/FRrQ1jS8neS1rwKgwxPnHumkBaWcOCvSeAW0MVtsbeYKz4yNahy8b0QRk0WRvloXldBHPvwide5aWow4mMM8c5hZ4F6aqyE6ZgfLIyXS9qO+WQ5hZKEBH+3rzhoi5BbIDyKLQ2Pa3NlXVV7PLSGuL4Tvqej7cZewikGvJR871qBIrVCRfHueQcE3laNooZRG3DoaeNhtIJCY+bbCZ+mLdpAJBbMmXdLA==
+    password: AgDBjAKqYO1nySBpsKmYAverXWA9WwKX7JneraCl95z8rVj3STQ+6KmM29K/G83P7d5qW38oJCFh6QDn38NbFQrt9QT9+dvcJ7SjTznHVLZqd8KZdhQk5E1ay0DRNG7QGbxljSSikmmEuTdf31MyFHWaQww2eyhBzf3Fce4rqWbkcbYqxsKimxoRYahjRdKO5j8+oOpjwvaVdPnkRh+5eYWPo+hPbLYL39J/lTVsYfl4WQHtmpFeog5dSk14s3YkT8M6qrERG3WCcaC2S6rcWab4azk21IFdoAqTTE4EFTNHmO5qPLrcm8g2LP18KTzBCWbHZduPMCQdgKONqx+GnJGKojPeK5I+lhycEtrNDotxMYS2KBlnT7+5DBytTrbSWCtaW47SAHQtYEwbsuVlRKfKUHhFCmI0AkxdYCflzv7PqGyX69UVwZlcyMlGZI4NGmJ5sTsibFUl92CTMO2SVSSCyUAW4Kq64gDPcugmcJuSQxNUgHD5UzQZqZlo+m8inORuJzmcILtHTFmYObIYW3IV6qp12ws+EH1xWvdJBA7Mi28Kw1DbcKGS2FVV1bwbcYpY8f4/POCgER/dC+vg9BrzjstcTlldXAw92ZGcqQ1DE4+95jgylhKmxyU7jUHwmzq78H4qkEBHsBpkudi8gzT0v2QBpmC5aOwRLP8BrvM6AjWkNtD6Weo6fbTKqjdYkogb4MQHkVXrA0FMje12lA4yt1mU6MNA1tmi6ljxixeNcw==
+    postgres-password: AgA0MpVuP9zFPQQ3GzQdLMur7LjMcETbad4lZq1U9PULjvMmujymyoKoBND+p1GCJWfW3S3sD0yMoM3QXzGN6642/7DLSKDV/xa7eEId2gqZNALR3wr2CD5hXcwbYg3BRTsOf92qWjRAyuECQiY8rXMgcEvaFjtM4tN4R6iIo4dKTbGRVNi+diUkL7eeEBW1CBZuiGCUxUfyeyEKtaUWXlsyswjmWfSyKNPJDzseOX7okGYT5Vtdx4lmlIH9Zaza3I7ea6dz/2AE8Q4z4yb0qrFO8PTRnMnnGBIvPrYXS58C09eozFwZqI8SXUHOTY7oDCTVVVTwJn4PCSBoNl19BAVsUG3GEYtl99MvicDIj08M96IrK5NczXmez5giYqgsp73nw0LsVHDKAf9C43Ch0EfC/d8N4b8UxxedmjqPlxJJqn3twj70yT1vJG+R7gaF/maxQdeDm5iEuvz/wExJqfTJByDOU3QhYC8gKPA6siGjzrI2DvgLo5LmrqFeOVma1TuIzGs4W9q1aOMEXPRBr/1rG7ZvaW+34ZB+NQ4Nc+h2mGUMKVWJ7vvAW+tf3mihwkSoWKjfjot/zS67rThZe37w/lJ++c96WQ77OMLNgXN9Uq7pjmhenkin7dTX5iKykRc07ifSyz+K7cPnKCSO2Otac33XVrL9etdjJ9+3dv28gRjdFxu5phm2OF71s42WSGeVz023kEXKk5NYqWDd3133lfwaDkwJ5SgFTbHONqw3Ww==
+  template:
+    metadata:
+      name: keycloak-postgresql
+      namespace: keycloak
+    type: Opaque

infra/apps/keycloak/values.yaml

@@ -0,0 +1,25 @@
+# https://github.com/bitnami/charts/blob/main/bitnami/keycloak/values.yaml
+auth:
+  adminUser: admin
+  existingSecret: keycloak-admin
+  passwordSecretKey: password
+
+#production: true
+
+proxy: edge
+
+ingress:
+  enabled: true
+  hostname: keycloak.stonegarden.dev
+  path: /
+  tls: true
+
+postgresql:
+  enabled: true
+  auth:
+    existingSecret: keycloak-postgresql
+  # https://github.com/bitnami/charts/blob/main/bitnami/postgresql/values.yaml
+  primary:
+    persistence:
+      enabled: true
+      volumeName: keycloak-db

infra/apps/kustomization.yaml

@@ -0,0 +1,10 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+commonLabels:
+  dev.stonegarden: infra-management
+  app.kubernetes.io/managed-by: argocd
+
+resources:
+  - project.yaml
+  - application-set.yaml

infra/apps/project.yaml

@@ -0,0 +1,17 @@
+apiVersion: argoproj.io/v1alpha1
+kind: AppProject
+metadata:
+  name: infra-apps
+  namespace: argocd
+spec:
+  sourceRepos:
+    - 'https://github.com/vehagn/homelab'
+    - 'oci://registry-1.docker.io/bitnamicharts/keycloak'
+  destinations:
+    - namespace: 'argocd'
+      server: '*'
+    - namespace: 'keycloak'
+      server: '*'
+  clusterResourceWhitelist:
+    - group: '*'
+      kind: '*'