First pass of keycloak+postgres, using operators.
Showing
7 changed files
with
307 additions
and
0 deletions
keycloak/charts/keycloak/keycloak.yaml
0 → 100644
1 | apiVersion: v1 | ||
2 | kind: Secret | ||
3 | metadata: | ||
4 | name: kpg-keycloak-initial-admin | ||
5 | stringData: | ||
6 | username: admin | ||
7 | password: admin | ||
8 | --- | ||
9 | apiVersion: k8s.keycloak.org/v2alpha1 | ||
10 | kind: Keycloak | ||
11 | metadata: | ||
12 | name: kpg-keycloak | ||
13 | spec: | ||
14 | instances: 1 | ||
15 | disableDefaultIngress: true | ||
16 | serverConfiguration: | ||
17 | - name: db | ||
18 | value: postgres | ||
19 | - name: db-url-host | ||
20 | value: kpg-postgres | ||
21 | - name: db-username | ||
22 | secret: | ||
23 | name: keycloak.kpg-postgres.credentials.postgresql.acid.zalan.do | ||
24 | key: username | ||
25 | - name: db-password | ||
26 | secret: | ||
27 | name: keycloak.kpg-postgres.credentials.postgresql.acid.zalan.do | ||
28 | key: password | ||
29 | - name: health-enabled | ||
30 | value: "true" | ||
31 | #- name: proxy | ||
32 | # value: edge | ||
33 | #- name: http-enabled | ||
34 | # value: "true" | ||
35 | #- name: hostname-strict-https | ||
36 | # value: "true" | ||
37 | unsupported: | ||
38 | podTemplate: | ||
39 | spec: | ||
40 | volumes: | ||
41 | - name: keycloak-scripts | ||
42 | configMap: | ||
43 | name: kpg-keycloak-scripts | ||
44 | defaultMode: 0777 | ||
45 | initContainers: | ||
46 | - name: wait-for-pg | ||
47 | image: registry.opensource.zalan.do/acid/spilo-14:2.1-p6 | ||
48 | env: | ||
49 | - name: PGHOST | ||
50 | value: kpg-postgres | ||
51 | - name: PGDATABASE | ||
52 | value: keycloak | ||
53 | - name: PGUSER | ||
54 | valueFrom: | ||
55 | secretKeyRef: | ||
56 | name: keycloak.kpg-postgres.credentials.postgresql.acid.zalan.do | ||
57 | key: username | ||
58 | - name: PGPASSWORD | ||
59 | valueFrom: | ||
60 | secretKeyRef: | ||
61 | name: keycloak.kpg-postgres.credentials.postgresql.acid.zalan.do | ||
62 | key: password | ||
63 | volumeMounts: | ||
64 | - name: keycloak-scripts | ||
65 | mountPath: /keycloak-scripts | ||
66 | command: ["/keycloak-scripts/pg_isready"] | ||
67 | #hostname: auth.local | ||
68 | #tlsSecret: keycloak-crt | ||
69 | hostname: INSECURE-DISABLE | ||
70 | tlsSecret: INSECURE-DISABLE | ||
71 | --- | ||
72 | apiVersion: cert-manager.io/v1 | ||
73 | kind: Certificate | ||
74 | metadata: | ||
75 | name: kpg-keycloak-crt | ||
76 | spec: | ||
77 | secretName: kpg-keycloak-crt | ||
78 | dnsNames: | ||
79 | - auth.local | ||
80 | issuerRef: | ||
81 | name: ca-issuer | ||
82 | # We can reference ClusterIssuers by changing the kind here. | ||
83 | # The default value is Issuer (i.e. a locally namespaced Issuer) | ||
84 | kind: ClusterIssuer | ||
85 | group: cert-manager.io | ||
86 | --- | ||
87 | apiVersion: networking.istio.io/v1beta1 | ||
88 | kind: DestinationRule | ||
89 | metadata: | ||
90 | name: kpg-keycloak-originate-tls | ||
91 | spec: | ||
92 | host: kpg-keycloak | ||
93 | trafficPolicy: | ||
94 | portLevelSettings: | ||
95 | - port: | ||
96 | number: 8080 | ||
97 | tls: | ||
98 | mode: DISABLE | ||
99 | credentialName: kpg-keycloak-crt | ||
100 | --- | ||
101 | apiVersion: networking.istio.io/v1beta1 | ||
102 | kind: VirtualService | ||
103 | metadata: | ||
104 | name: kpg-keycloak | ||
105 | spec: | ||
106 | hosts: | ||
107 | - auth.local | ||
108 | gateways: | ||
109 | - istio-system/cluster-local-gateway | ||
110 | http: | ||
111 | - route: | ||
112 | - destination: | ||
113 | port: | ||
114 | number: 8080 | ||
115 | host: kpg-keycloak-service.default.svc.cluster.local | ||
116 | # tls: | ||
117 | # - match: | ||
118 | # - sniHosts: | ||
119 | # - auth.local | ||
120 | # route: | ||
121 | # - destination: | ||
122 | # port: | ||
123 | # number: 8443 | ||
124 | # host: kpg-keycloak-service.default.svc.cluster.local | ||
125 |
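Review bot: The initial-admin Secret at lines 1–7 commits a literal `password: admin` in plaintext `stringData`, and nothing in this commit overrides it at deploy time (the `initialAdmin` block in default-values.yaml is not referenced by any helmfile patch shown). As far as I know the Keycloak operator generates a random `<name>-initial-admin` Secret when none is pre-created, so the simplest fix is to drop this Secret, or to populate it from a secret backend rather than a committed value. Separately, `hostname: INSECURE-DISABLE` and `tlsSecret: INSECURE-DISABLE` (lines 69–70) together with `mode: DISABLE` on the DestinationRule mean the `kpg-keycloak-crt` Certificate issued here is never consumed and the gateway-to-pod hop is plaintext on 8080; if that is deliberate for a first pass, a comment such as `# dev-only: no TLS at the pod; restore tlsSecret/hostname before exposing beyond cluster-local-gateway` would make the intent explicit. The DestinationRule targets `host: kpg-keycloak` while the VirtualService routes to `kpg-keycloak-service` (line 115), so the port-level setting likely never applies to that traffic — align the host, and drop `credentialName`, which has no effect with `mode: DISABLE`. `defaultMode: 0777` on the scripts ConfigMap volume is wider than an executable mount needs; `defaultMode: 0555` is sufficient.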
keycloak/charts/keycloak/kustomization.yaml
0 → 100644
keycloak/charts/postgresql/postgresql.yaml
0 → 100644
1 | apiVersion: "acid.zalan.do/v1" | ||
2 | kind: postgresql | ||
3 | metadata: | ||
4 | name: kpg-postgres | ||
5 | namespace: default | ||
6 | spec: | ||
7 | enableLogicalBackup: true | ||
8 | teamId: "kpg" | ||
9 | volume: | ||
10 | size: 1Gi | ||
11 | numberOfInstances: 2 | ||
12 | users: | ||
13 | zalando: # database owner | ||
14 | - superuser | ||
15 | - createdb | ||
16 | keycloak: | ||
17 | - login | ||
18 | databases: | ||
19 | keycloak: keycloak # dbname: owner | ||
20 | postgresql: | ||
21 | version: "14" |
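Review bot: The `zalando` role at lines 13–15 is granted `superuser` and `createdb`, yet its comment calls it the `# database owner` while the `databases` map makes `keycloak` the owner of the only database; as written this creates a superuser whose credentials Secret nothing in the commit consumes. Either remove the role or cut it to the privileges actually needed, and move the `# database owner` comment to the `keycloak` entry. `enableLogicalBackup: true` presumably relies on the operator already having a logical-backup bucket and credentials configured; if that is not the case in this cluster the backup job the operator creates will not succeed — worth a comment or a values toggle. `namespace: default` at line 5 is hard-coded but overridden by the helmfile patch; consider dropping it from the chart so the manifest does not suggest a namespace that is never used.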
keycloak/environments/default-values.yaml
0 → 100644
1 | namespace: keycloak | ||
2 | postgresql: | ||
3 | numberOfInstances: 2 | ||
4 | volume: | ||
5 | size: 1Gi | ||
6 | version: "14" | ||
7 | waitForPg: | ||
8 | image: registry.opensource.zalan.do/acid/spilo-14:2.1-p6 | ||
9 | initialAdmin: | ||
10 | username: admin | ||
11 | password: admin | ||
12 | certificate: | ||
13 | hostName: auth.local | ||
14 | issuerRef: ca-issuer | ||
15 | virtualService: | ||
16 | hostName: auth.local | ||
17 | gateway: istio-system/cluster-local-gateway | ||
18 | issuerRef: ca-issuer |
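Review bot: `initialAdmin.password: admin` at line 11 is a credential committed to the repo, and it has no effect in the visible wiring — the helmfile in this commit never patches the `kpg-keycloak-initial-admin` Secret from these values, so the chart's literal admin/admin is what gets deployed regardless of this file. Either wire the value in and source it from a secret backend or `requiredEnv` rather than a committed string, or drop the block so the operator can generate the initial admin credential itself. `virtualService.issuerRef` duplicates `certificate.issuerRef` and is not referenced anywhere shown; if it is unused, remove it so the two do not drift apart.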
keycloak/helmfile.yaml
0 → 100644
1 | bases: | ||
2 | - ../common/environments.yaml | ||
3 | |||
4 | --- | ||
5 | |||
6 | releases: | ||
7 | - name: kpg-postgresql | ||
8 | namespace: {{ .Values.namespace }} | ||
9 | chart: charts/postgresql | ||
10 | wait: true | ||
11 | strategicMergePatches: | ||
12 | - apiVersion: acid.zalan.do/v1 | ||
13 | kind: postgresql | ||
14 | metadata: | ||
15 | name: kpg-postgres | ||
16 | namespace: {{ .Values.namespace }} | ||
17 | spec: | ||
18 | volume: | ||
19 | size: {{ .Values.postgresql.volume.size | quote }} | ||
20 | postgresql: | ||
21 | version: {{ .Values.postgresql.version | quote }} | ||
22 | |||
23 | - name: kpg-keycloak | ||
24 | namespace: {{ .Values.namespace }} | ||
25 | chart: charts/keycloak | ||
26 | needs: | ||
27 | - kpg-postgresql | ||
28 | strategicMergePatches: | ||
29 | - apiVersion: cert-manager.io/v1 | ||
30 | kind: Certificate | ||
31 | metadata: | ||
32 | name: kpg-keycloak-crt | ||
33 | namespace: {{ .Values.namespace }} | ||
34 | spec: | ||
35 | dnsNames: | ||
36 | - {{ .Values.certificate.hostName }} | ||
37 | issuerRef: | ||
38 | name: {{ .Values.certificate.issuerRef }} | ||
39 | - apiVersion: networking.istio.io/v1beta1 | ||
40 | kind: VirtualService | ||
41 | metadata: | ||
42 | name: kpg-keycloak | ||
43 | namespace: {{ .Values.namespace }} | ||
44 | spec: | ||
45 | hosts: | ||
46 | - {{ .Values.virtualService.hostName }} | ||
47 | gateways: | ||
48 | - {{ .Values.virtualService.gateway }} | ||
49 | http: | ||
50 | - route: | ||
51 | - destination: | ||
52 | port: | ||
53 | number: 8080 | ||
54 | host: kpg-keycloak-service.default.svc.cluster.local | ||
55 | |||
56 | jsonPatches: | ||
57 | - target: | ||
58 | group: k8s.keycloak.org | ||
59 | version: v2alpha1 | ||
60 | kind: Keycloak | ||
61 | name: kpg-keycloak | ||
62 | namespace: {{ .Values.namespace }} | ||
63 | patch: | ||
64 | - op: replace | ||
65 | path: /spec/unsupported/podTemplate/spec/initContainers/0/image | ||
66 | value: {{ .Values.postgresql.waitForPg.image }} | ||
67 | - target: | ||
68 | kind: VirtualService | ||
69 | name: kpg-keycloak | ||
70 | namespace: {{ .Values.namespace }} | ||
71 | version: v1beta1 | ||
72 | group: networking.istio.io | ||
73 | patch: | ||
74 | - op: replace | ||
75 | path: /spec/http/0/route/0/destination/host | ||
76 | value: kpg-keycloak-service.default.svc.cluster.local | ||
77 | # - op: replace | ||
78 | # path: /spec/tls/0/match/0/sniHosts/0 | ||
79 | # value: {{ .Values.virtualService.hostName }} | ||
80 |
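Review bot: The VirtualService destination host is hard-coded to `kpg-keycloak-service.default.svc.cluster.local` at lines 54 and 76 (and in the chart itself, keycloak.yaml line 115), while every resource here is deployed into `{{ .Values.namespace }}`, which defaults to `keycloak`; with that value the route targets a Service in a different namespace than the Keycloak CR. Use `host: kpg-keycloak-service.{{ .Values.namespace }}.svc.cluster.local` in the strategic merge patch and drop the jsonPatch at lines 67–76, which only rewrites the same literal. Templated scalars are protected inconsistently: `size` and `version` get `| quote`, but `namespace`, `hostName`, `gateway`, `issuerRef` and `waitForPg.image` are inserted bare, so an empty or YAML-special value renders as `null` or mis-parses — apply `| quote` uniformly. `waitForPg.image` is pinned by a mutable tag only; pinning by digest would make the init container reproducible and tamper-evident.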
keycloak/scripts/pg_isready
0 → 100644
1 | #!/bin/sh | ||
2 | |||
3 | set -xe | ||
4 | _msg() { | ||
5 | column_count=${#1} | ||
6 | echo "$1" 1>&2 | ||
7 | _dotted= | ||
8 | } | ||
9 | _dot() { | ||
10 | [ "z$_dotted" = "z" ] && echo -n " " 1>&2 && _dotted=1 | ||
11 | echo -n "." 1>&2 | ||
12 | column_count=$(($column_count + 1)) | ||
13 | if [ $column_count = 20 ]; then | ||
14 | echo | ||
15 | column_count=1 | ||
16 | fi | ||
17 | } | ||
18 | _done() { | ||
19 | echo " done." 1>&2 | ||
20 | column_count=1 | ||
21 | } | ||
22 | _msg "Waiting for postgres to acception connections:" | ||
23 | while :; do | ||
24 | tries=10 | ||
25 | while [ $tries -gt 0 ]; do | ||
26 | if pg_isready -h "$PGHOST" 1>/dev/null 2>/dev/null; then break 2; fi | ||
27 | sleep 1 | ||
28 | tries=$(($tries - 1)) | ||
29 | done | ||
30 | _dot | ||
31 | done | ||
32 | _done | ||
33 | _msg "Waiting for $PGUSER@$PGDATABASE to be available:" | ||
34 | while :; do | ||
35 | tries=10 | ||
36 | while [ $tries -gt 0 ]; do | ||
37 | if psql 1>/dev/null 2>/dev/null; then break 2; fi | ||
38 | sleep 1 | ||
39 | tries=$(($tries - 1)) | ||
40 | done | ||
41 | _dot | ||
42 | done | ||
43 | _done | ||
44 |
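Review bot: In `_dot` the line-wrap `echo` at line 14 writes to stdout while every other progress character goes to stderr, so the wrap never lands in the stream it is meant for; make it `echo 1>&2`. The outer `while :` loops at lines 23 and 34 have no upper bound, so an init container whose database never comes up waits forever instead of failing — a total-attempts counter with a non-zero `exit` would surface the problem in the pod status. `set -x` traces every command to the container log; it does not expose `PGPASSWORD` here because only psql reads it from the environment, but dropping `-x` from the committed version keeps the log to the intended messages. Minor: the message at line 22 reads `acception connections` (should be `accept connections`), and `printf` is more portable than `echo -n` under `/bin/sh`.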