fd2d38f5 by Adam Heath

First pass of keycloak+postgres, using operators.

1 parent 09418184
1 apiVersion: v1
2 kind: Secret
3 metadata:
4 name: kpg-keycloak-initial-admin
5 stringData:
6 username: admin
7 password: admin
8 ---
9 apiVersion: k8s.keycloak.org/v2alpha1
10 kind: Keycloak
11 metadata:
12 name: kpg-keycloak
13 spec:
14 instances: 1
15 disableDefaultIngress: true
16 serverConfiguration:
17 - name: db
18 value: postgres
19 - name: db-url-host
20 value: kpg-postgres
21 - name: db-username
22 secret:
23 name: keycloak.kpg-postgres.credentials.postgresql.acid.zalan.do
24 key: username
25 - name: db-password
26 secret:
27 name: keycloak.kpg-postgres.credentials.postgresql.acid.zalan.do
28 key: password
29 - name: health-enabled
30 value: "true"
31 #- name: proxy
32 # value: edge
33 #- name: http-enabled
34 # value: "true"
35 #- name: hostname-strict-https
36 # value: "true"
37 unsupported:
38 podTemplate:
39 spec:
40 volumes:
41 - name: keycloak-scripts
42 configMap:
43 name: kpg-keycloak-scripts
44 defaultMode: 0777
45 initContainers:
46 - name: wait-for-pg
47 image: registry.opensource.zalan.do/acid/spilo-14:2.1-p6
48 env:
49 - name: PGHOST
50 value: kpg-postgres
51 - name: PGDATABASE
52 value: keycloak
53 - name: PGUSER
54 valueFrom:
55 secretKeyRef:
56 name: keycloak.kpg-postgres.credentials.postgresql.acid.zalan.do
57 key: username
58 - name: PGPASSWORD
59 valueFrom:
60 secretKeyRef:
61 name: keycloak.kpg-postgres.credentials.postgresql.acid.zalan.do
62 key: password
63 volumeMounts:
64 - name: keycloak-scripts
65 mountPath: /keycloak-scripts
66 command: ["/keycloak-scripts/pg_isready"]
67 #hostname: auth.local
68 #tlsSecret: keycloak-crt
69 hostname: INSECURE-DISABLE
70 tlsSecret: INSECURE-DISABLE
71 ---
72 apiVersion: cert-manager.io/v1
73 kind: Certificate
74 metadata:
75 name: kpg-keycloak-crt
76 spec:
77 secretName: kpg-keycloak-crt
78 dnsNames:
79 - auth.local
80 issuerRef:
81 name: ca-issuer
82 # We can reference ClusterIssuers by changing the kind here.
83 # The default value is Issuer (i.e. a locally namespaced Issuer)
84 kind: ClusterIssuer
85 group: cert-manager.io
86 ---
87 apiVersion: networking.istio.io/v1beta1
88 kind: DestinationRule
89 metadata:
90 name: kpg-keycloak-originate-tls
91 spec:
92 host: kpg-keycloak
93 trafficPolicy:
94 portLevelSettings:
95 - port:
96 number: 8080
97 tls:
98 mode: DISABLE
99 credentialName: kpg-keycloak-crt
100 ---
101 apiVersion: networking.istio.io/v1beta1
102 kind: VirtualService
103 metadata:
104 name: kpg-keycloak
105 spec:
106 hosts:
107 - auth.local
108 gateways:
109 - istio-system/cluster-local-gateway
110 http:
111 - route:
112 - destination:
113 port:
114 number: 8080
115 host: kpg-keycloak-service.default.svc.cluster.local
116 # tls:
117 # - match:
118 # - sniHosts:
119 # - auth.local
120 # route:
121 # - destination:
122 # port:
123 # number: 8443
124 # host: kpg-keycloak-service.default.svc.cluster.local
125
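Review bot: The `kpg-keycloak-initial-admin` Secret carries the literal bootstrap credential `username: admin` / `password: admin` in `stringData` (file lines 5-7), and nothing else in this commit overrides it, so every install of this chart starts with the same well-known admin login; generate it per deploy (a kustomize `secretGenerator` over an untracked env file, or an external-secrets reference) and leave only the Secret name in this manifest. The Keycloak spec also sets `hostname: INSECURE-DISABLE` and `tlsSecret: INSECURE-DISABLE` (file lines 69-70) while the `proxy`/`hostname-strict-https` options stay commented out, so Keycloak itself serves plain HTTP on 8080 with hostname checks off; if that is deliberate because TLS terminates at the Istio gateway, say so with a comment such as `# TLS is terminated at the mesh gateway; Keycloak is reachable only over the cluster-local mesh`. In that light the DestinationRule named `kpg-keycloak-originate-tls` is misleading: its `mode: DISABLE` means no TLS is originated, and the `credentialName` it lists appears to be unused under that mode. Lastly, `defaultMode: 0777` on the scripts volume (file line 44) grants more than a read-only ConfigMap mount needs; `defaultMode: 0555` keeps the executable bit the init container requires without the write bits (the unquoted literal should be read as YAML 1.1 octal by kubectl's loader, so the decimal value the API receives is the intended one — confirm if you quote or change it).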
1 apiVersion: kustomize.config.k8s.io/v1beta1
2 kind: Kustomization
3
4 resources:
5 - ./keycloak.yaml
6
7 configMapGenerator:
8 - name: kpg-keycloak-scripts
9 options:
10 disableNameSuffixHash: true
11 files:
12 - ../../scripts/pg_isready
13
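Review bot: The `configMapGenerator` pulls `../../scripts/pg_isready` from outside the kustomization directory (file line 12); kustomize's default load restrictor refuses files above the kustomization root, so `kustomize build` is likely to fail unless whatever invokes it (the sibling helmfile, as far as this commit shows) passes `--load-restrictor LoadRestrictionsNone`. Either copy the script next to this kustomization or document the requirement with a comment above `files:` such as `# path escapes the kustomization root: requires --load-restrictor LoadRestrictionsNone`. Note also that the generated ConfigMap key is the bare filename, so it matches the `/keycloak-scripts/pg_isready` command in keycloak.yaml only as long as the script is not renamed; a comment `# key name must match the command path in keycloak.yaml` would keep the two in step.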
1 apiVersion: kustomize.config.k8s.io/v1beta1
2 kind: Kustomization
3
4 resources:
5 - ./postgresql.yaml
6
1 apiVersion: "acid.zalan.do/v1"
2 kind: postgresql
3 metadata:
4 name: kpg-postgres
5 namespace: default
6 spec:
7 enableLogicalBackup: true
8 teamId: "kpg"
9 volume:
10 size: 1Gi
11 numberOfInstances: 2
12 users:
13 zalando: # database owner
14 - superuser
15 - createdb
16 keycloak:
17 - login
18 databases:
19 keycloak: keycloak # dbname: owner
20 postgresql:
21 version: "14"
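Review bot: The `zalando` role is granted `superuser` and `createdb` (file lines 13-15) but nothing in this commit connects as it — the Keycloak side uses only the `keycloak` login role that owns the `keycloak` database — so the superuser grant is unused privilege on the cluster; drop it, or add a comment stating what is meant to use it, e.g. `# operator/admin role; not used by keycloak`. `enableLogicalBackup: true` (file line 7) also presumes the postgres-operator is configured with a logical-backup destination and credentials, which this commit does not show; if that is missing the backup CronJob is created but fails, so either document the prerequisite above the key or leave it `false` until the target exists. The hard-coded `namespace: default` in `metadata` is overridden by the helmfile's strategicMergePatch to `{{ .Values.namespace }}`, which works but reads as a disagreement with values.yaml (`namespace: keycloak`); a comment `# overridden by helmfile.yaml from .Values.namespace` would make that explicit.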
1 namespace: keycloak
2 postgresql:
3 numberOfInstances: 2
4 volume:
5 size: 1Gi
6 version: "14"
7 waitForPg:
8 image: registry.opensource.zalan.do/acid/spilo-14:2.1-p6
9 initialAdmin:
10 username: admin
11 password: admin
12 certificate:
13 hostName: auth.local
14 issuerRef: ca-issuer
15 virtualService:
16 hostName: auth.local
17 gateway: istio-system/cluster-local-gateway
18 issuerRef: ca-issuer
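Review bot: `initialAdmin.username` / `initialAdmin.password` and `postgresql.numberOfInstances` are declared here but no patch in helmfile.yaml consumes them, so editing these values changes nothing — the Secret in keycloak.yaml and the `numberOfInstances: 2` in postgresql.yaml stay as committed; either wire them into patches or remove them so the values file does not advertise knobs it lacks. The trailing top-level `issuerRef: ca-issuer` (file line 18) duplicates `certificate.issuerRef` and is likewise unreferenced, which looks like a leftover. Indentation is lost in this rendering, but if `waitForPg` sits at the top level rather than under `postgresql`, the helmfile reference `.Values.postgresql.waitForPg.image` renders empty and the jsonPatch `replace` would blank the init container image — worth confirming against the source file. Once `initialAdmin.password` is actually consumed, its default should be an empty string with a comment `# set per environment; do not commit real credentials` rather than `admin`.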
1 bases:
2 - ../common/environments.yaml
3
4 ---
5
6 releases:
7 - name: kpg-postgresql
8 namespace: {{ .Values.namespace }}
9 chart: charts/postgresql
10 wait: true
11 strategicMergePatches:
12 - apiVersion: acid.zalan.do/v1
13 kind: postgresql
14 metadata:
15 name: kpg-postgres
16 namespace: {{ .Values.namespace }}
17 spec:
18 volume:
19 size: {{ .Values.postgresql.volume.size | quote }}
20 postgresql:
21 version: {{ .Values.postgresql.version | quote }}
22
23 - name: kpg-keycloak
24 namespace: {{ .Values.namespace }}
25 chart: charts/keycloak
26 needs:
27 - kpg-postgresql
28 strategicMergePatches:
29 - apiVersion: cert-manager.io/v1
30 kind: Certificate
31 metadata:
32 name: kpg-keycloak-crt
33 namespace: {{ .Values.namespace }}
34 spec:
35 dnsNames:
36 - {{ .Values.certificate.hostName }}
37 issuerRef:
38 name: {{ .Values.certificate.issuerRef }}
39 - apiVersion: networking.istio.io/v1beta1
40 kind: VirtualService
41 metadata:
42 name: kpg-keycloak
43 namespace: {{ .Values.namespace }}
44 spec:
45 hosts:
46 - {{ .Values.virtualService.hostName }}
47 gateways:
48 - {{ .Values.virtualService.gateway }}
49 http:
50 - route:
51 - destination:
52 port:
53 number: 8080
54 host: kpg-keycloak-service.default.svc.cluster.local
55
56 jsonPatches:
57 - target:
58 group: k8s.keycloak.org
59 version: v2alpha1
60 kind: Keycloak
61 name: kpg-keycloak
62 namespace: {{ .Values.namespace }}
63 patch:
64 - op: replace
65 path: /spec/unsupported/podTemplate/spec/initContainers/0/image
66 value: {{ .Values.postgresql.waitForPg.image }}
67 - target:
68 kind: VirtualService
69 name: kpg-keycloak
70 namespace: {{ .Values.namespace }}
71 version: v1beta1
72 group: networking.istio.io
73 patch:
74 - op: replace
75 path: /spec/http/0/route/0/destination/host
76 value: kpg-keycloak-service.default.svc.cluster.local
77 # - op: replace
78 # path: /spec/tls/0/match/0/sniHosts/0
79 # value: {{ .Values.virtualService.hostName }}
80
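Review bot: The jsonPatch on the VirtualService (file lines 74-76) replaces `/spec/http/0/route/0/destination/host` with the same literal `kpg-keycloak-service.default.svc.cluster.local` that the strategicMergePatch above (file line 54) and keycloak.yaml already carry, so it is a no-op that additionally pins the `default` namespace even though the release is installed into `{{ .Values.namespace }}` (values.yaml sets `keycloak`); with that namespace the route targets a Service that does not exist there. Use `host: kpg-keycloak-service.{{ .Values.namespace }}.svc.cluster.local` in the strategicMergePatch and drop the redundant jsonPatch, or keep exactly one of the two. The same hard-coded host in keycloak.yaml then only serves as the unpatched default, which deserves a comment there pointing at the helmfile override. The Keycloak resource's `hostname: INSECURE-DISABLE` is not patched from `.Values.virtualService.hostName` either, so the `hostName` values only reach the Certificate and the VirtualService — note that in values.yaml if it is intentional.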
1 #!/bin/sh
2
3 set -xe
4 _msg() {
5 column_count=${#1}
6 echo "$1" 1>&2
7 _dotted=
8 }
9 _dot() {
10 [ "z$_dotted" = "z" ] && echo -n " " 1>&2 && _dotted=1
11 echo -n "." 1>&2
12 column_count=$(($column_count + 1))
13 if [ $column_count = 20 ]; then
14 echo
15 column_count=1
16 fi
17 }
18 _done() {
19 echo " done." 1>&2
20 column_count=1
21 }
22 _msg "Waiting for postgres to acception connections:"
23 while :; do
24 tries=10
25 while [ $tries -gt 0 ]; do
26 if pg_isready -h "$PGHOST" 1>/dev/null 2>/dev/null; then break 2; fi
27 sleep 1
28 tries=$(($tries - 1))
29 done
30 _dot
31 done
32 _done
33 _msg "Waiting for $PGUSER@$PGDATABASE to be available:"
34 while :; do
35 tries=10
36 while [ $tries -gt 0 ]; do
37 if psql 1>/dev/null 2>/dev/null; then break 2; fi
38 sleep 1
39 tries=$(($tries - 1))
40 done
41 _dot
42 done
43 _done
44
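Review bot: Both `while :; do` loops (script lines 23 and 34) have no overall deadline, so a database that never becomes reachable keeps the init container — and therefore the Keycloak pod — in `Init` indefinitely with no failure for the operator or a person to notice; Kubernetes does not time out init containers on its own. Bounding the wait and exiting non-zero lets the pod restart with backoff and surfaces the problem in events; the change is sketched below (the inner `tries=10` loop only paces the dots and is left as is). Two smaller points: the bare `echo` on script line 14 that wraps the dot line goes to stdout while every other message is sent to stderr, so it should be `echo 1>&2`, and the message on line 22 reads "acception connections" for "accepting connections". `set -x` is acceptable here because `psql` and `pg_isready` take their credentials from the `PG*` environment rather than from arguments, so the trace never echoes the password — worth a comment `# -x is safe: credentials come from PG* env vars, never argv` above `set -xe`.
```shell
# Give up after max_rounds * 10 probes (~5 minutes) so an unreachable DB fails
# the init container instead of leaving the pod in Init forever.
max_rounds=30
_msg "Waiting for postgres to accept connections:"
rounds=0
while :; do
    if [ "$rounds" -ge "$max_rounds" ]; then
        echo " timed out." 1>&2
        exit 1
    fi
    tries=10
    # … unchanged: inner pg_isready retry loop …
    _dot
    rounds=$((rounds + 1))
done
_done
# … unchanged: second loop against psql, with the same rounds/max_rounds guard …
```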