fd2d38f5 by Adam Heath

First pass of keycloak+postgres, using operators.

1 parent 09418184
apiVersion: v1
kind: Secret
metadata:
name: kpg-keycloak-initial-admin
stringData:
username: admin
password: admin
---
apiVersion: k8s.keycloak.org/v2alpha1
kind: Keycloak
metadata:
name: kpg-keycloak
spec:
instances: 1
disableDefaultIngress: true
serverConfiguration:
- name: db
value: postgres
- name: db-url-host
value: kpg-postgres
- name: db-username
secret:
name: keycloak.kpg-postgres.credentials.postgresql.acid.zalan.do
key: username
- name: db-password
secret:
name: keycloak.kpg-postgres.credentials.postgresql.acid.zalan.do
key: password
- name: health-enabled
value: "true"
#- name: proxy
# value: edge
#- name: http-enabled
# value: "true"
#- name: hostname-strict-https
# value: "true"
unsupported:
podTemplate:
spec:
volumes:
- name: keycloak-scripts
configMap:
name: kpg-keycloak-scripts
defaultMode: 0777
initContainers:
- name: wait-for-pg
image: registry.opensource.zalan.do/acid/spilo-14:2.1-p6
env:
- name: PGHOST
value: kpg-postgres
- name: PGDATABASE
value: keycloak
- name: PGUSER
valueFrom:
secretKeyRef:
name: keycloak.kpg-postgres.credentials.postgresql.acid.zalan.do
key: username
- name: PGPASSWORD
valueFrom:
secretKeyRef:
name: keycloak.kpg-postgres.credentials.postgresql.acid.zalan.do
key: password
volumeMounts:
- name: keycloak-scripts
mountPath: /keycloak-scripts
command: ["/keycloak-scripts/pg_isready"]
#hostname: auth.local
#tlsSecret: keycloak-crt
hostname: INSECURE-DISABLE
tlsSecret: INSECURE-DISABLE
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: kpg-keycloak-crt
spec:
secretName: kpg-keycloak-crt
dnsNames:
- auth.local
issuerRef:
name: ca-issuer
# We can reference ClusterIssuers by changing the kind here.
# The default value is Issuer (i.e. a locally namespaced Issuer)
kind: ClusterIssuer
group: cert-manager.io
---
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
name: kpg-keycloak-originate-tls
spec:
host: kpg-keycloak
trafficPolicy:
portLevelSettings:
- port:
number: 8080
tls:
mode: DISABLE
credentialName: kpg-keycloak-crt
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
name: kpg-keycloak
spec:
hosts:
- auth.local
gateways:
- istio-system/cluster-local-gateway
http:
- route:
- destination:
port:
number: 8080
host: kpg-keycloak-service.default.svc.cluster.local
# tls:
# - match:
# - sniHosts:
# - auth.local
# route:
# - destination:
# port:
# number: 8443
# host: kpg-keycloak-service.default.svc.cluster.local
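Review bot: The initial-admin Secret at the top of this file ships the literal credentials `username: admin` / `password: admin`, and none of the helmfile patches later in this commit touch that Secret, so every environment deployed from it starts with a well-known admin login. Generate the Secret outside the manifest (a secretGenerator in the kustomization, or an external/sealed secret) and keep only the reference here; the same values are repeated in the chart's values.yaml. Two smaller points: `defaultMode: 0777` on the scripts ConfigMap volume grants more than the exec bit the init container needs (`defaultMode: 0555` is the conventional value for a mounted script), and under the DestinationRule's `mode: DISABLE` the `credentialName: kpg-keycloak-crt` line has no effect, so it should be dropped or the mode changed to the TLS mode it was meant for. The `hostname: INSECURE-DISABLE` / `tlsSecret: INSECURE-DISABLE` pair turns off hostname and TLS handling in the operator; since the commented-out `proxy: edge` entry is what would let Keycloak trust the forwarded scheme from Istio, confirm redirect URLs are generated correctly behind the gateway before this leaves a local setup.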
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ./keycloak.yaml
configMapGenerator:
- name: kpg-keycloak-scripts
options:
disableNameSuffixHash: true
files:
- ../../scripts/pg_isready
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ./postgresql.yaml
apiVersion: "acid.zalan.do/v1"
kind: postgresql
metadata:
name: kpg-postgres
namespace: default
spec:
enableLogicalBackup: true
teamId: "kpg"
volume:
size: 1Gi
numberOfInstances: 2
users:
zalando: # database owner
- superuser
- createdb
keycloak:
- login
databases:
keycloak: keycloak # dbname: owner
postgresql:
version: "14"
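Review bot: `namespace: default` is hardcoded in this postgresql manifest's metadata while the helmfile patch for the same object sets `namespace: {{ .Values.namespace }}`; a plain `kustomize build` without that patch lands the cluster in `default`, and the VirtualService destination `kpg-keycloak-service.default.svc.cluster.local` elsewhere in the commit suggests that assumption is baked in more than once. Either drop the `namespace` line and let kustomize/helmfile set it, or template it consistently. Separately, the `zalando` role is granted `superuser` and `createdb` alongside the `keycloak` login role the application actually uses; if nothing in this deployment needs a superuser, consider removing those flags, after checking the operator's own requirements. `enableLogicalBackup: true` also presumes a backup destination configured at the operator level, which this commit does not show — confirm it exists or the scheduled backup job will fail.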
namespace: keycloak
postgresql:
numberOfInstances: 2
volume:
size: 1Gi
version: "14"
waitForPg:
image: registry.opensource.zalan.do/acid/spilo-14:2.1-p6
initialAdmin:
username: admin
password: admin
certificate:
hostName: auth.local
issuerRef: ca-issuer
virtualService:
hostName: auth.local
gateway: istio-system/cluster-local-gateway
issuerRef: ca-issuer
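Review bot: `initialAdmin.password: admin` ships a real-looking default credential in the chart values, and no patch in the helmfile section of this commit reads `.Values.initialAdmin`, so the key appears to be dead while the Secret in keycloak.yaml still carries the hardcoded `admin`. Either wire the Secret to these values (and leave the default empty so a deployment without an override fails loudly) or remove the keys. `issuerRef: ca-issuer` also appears twice, once under `certificate` and again at the end; with indentation lost in this view it is unclear whether the second copy is top-level or under `virtualService`, but only `.Values.certificate.issuerRef` is referenced by the helmfile, so the second one looks unused.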
bases:
- ../common/environments.yaml
---
releases:
- name: kpg-postgresql
namespace: {{ .Values.namespace }}
chart: charts/postgresql
wait: true
strategicMergePatches:
- apiVersion: acid.zalan.do/v1
kind: postgresql
metadata:
name: kpg-postgres
namespace: {{ .Values.namespace }}
spec:
volume:
size: {{ .Values.postgresql.volume.size | quote }}
postgresql:
version: {{ .Values.postgresql.version | quote }}
- name: kpg-keycloak
namespace: {{ .Values.namespace }}
chart: charts/keycloak
needs:
- kpg-postgresql
strategicMergePatches:
- apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: kpg-keycloak-crt
namespace: {{ .Values.namespace }}
spec:
dnsNames:
- {{ .Values.certificate.hostName }}
issuerRef:
name: {{ .Values.certificate.issuerRef }}
- apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
name: kpg-keycloak
namespace: {{ .Values.namespace }}
spec:
hosts:
- {{ .Values.virtualService.hostName }}
gateways:
- {{ .Values.virtualService.gateway }}
http:
- route:
- destination:
port:
number: 8080
host: kpg-keycloak-service.default.svc.cluster.local
jsonPatches:
- target:
group: k8s.keycloak.org
version: v2alpha1
kind: Keycloak
name: kpg-keycloak
namespace: {{ .Values.namespace }}
patch:
- op: replace
path: /spec/unsupported/podTemplate/spec/initContainers/0/image
value: {{ .Values.postgresql.waitForPg.image }}
- target:
kind: VirtualService
name: kpg-keycloak
namespace: {{ .Values.namespace }}
version: v1beta1
group: networking.istio.io
patch:
- op: replace
path: /spec/http/0/route/0/destination/host
value: kpg-keycloak-service.default.svc.cluster.local
# - op: replace
# path: /spec/tls/0/match/0/sniHosts/0
# value: {{ .Values.virtualService.hostName }}
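Review bot: The destination host `kpg-keycloak-service.default.svc.cluster.local` is hardcoded in both the VirtualService strategic merge patch and the jsonPatch below it, while the object's `namespace` is templated from `.Values.namespace`; any namespace other than `default` (the values file in this commit appears to set `namespace: keycloak`) routes traffic to a Service that does not exist. Use `host: kpg-keycloak-service.{{ .Values.namespace }}.svc.cluster.local` and drop the jsonPatch, which only re-sets the same value the merge patch already writes. Templated scalars such as `namespace: {{ .Values.namespace }}` and the list entries `- {{ .Values.certificate.hostName }}` are left unquoted; helmfile renders the template before parsing, but quoting them guards against empty or YAML-special expansions, as is already done for `size` and `version` with `| quote`.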
#!/bin/sh
set -xe
_msg() {
column_count=${#1}
echo "$1" 1>&2
_dotted=
}
_dot() {
[ "z$_dotted" = "z" ] && echo -n " " 1>&2 && _dotted=1
echo -n "." 1>&2
column_count=$(($column_count + 1))
if [ $column_count = 20 ]; then
echo
column_count=1
fi
}
_done() {
echo " done." 1>&2
column_count=1
}
_msg "Waiting for postgres to acception connections:"
while :; do
tries=10
while [ $tries -gt 0 ]; do
if pg_isready -h "$PGHOST" 1>/dev/null 2>/dev/null; then break 2; fi
sleep 1
tries=$(($tries - 1))
done
_dot
done
_done
_msg "Waiting for $PGUSER@$PGDATABASE to be available:"
while :; do
tries=10
while [ $tries -gt 0 ]; do
if psql 1>/dev/null 2>/dev/null; then break 2; fi
sleep 1
tries=$(($tries - 1))
done
_dot
done
_done
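Review bot: The retry structure never gives up: the inner `tries=10` loop only bounds the interval between dots, and the outer `while :; do` loop repeats forever, so a wrong `PGHOST` or a rejected password leaves the init container waiting indefinitely with no error. Consider a total attempt budget that exits non-zero, so the failure surfaces as a failed init container rather than a silent hang. Smaller points: the bare `echo` inside `_dot` when the column wraps goes to stdout while every other message is written to stderr with `1>&2`, the message text reads `acception` where `accept` is meant, and the second probe runs a bare `psql` that depends on stdin being closed to exit; `psql -c 'select 1'` makes the probe explicit. With `set -x` enabled the trace shows only command arguments, so keep the password in `PGPASSWORD` as the manifest does rather than passing it on the command line.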