
feat(apps): add keycloak

This commit is contained in:
Vojtěch Mareš 2024-05-11 20:04:51 +02:00
parent 070fad447f
commit 58d31dbe41
Signed by: vojtech.mares
GPG key ID: C6827B976F17240D

162
apps/hq/keycloak.yaml Normal file

@ -0,0 +1,162 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: keycloak
namespace: argocd
annotations:
argocd.argoproj.io/sync-wave: "50"
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
ignoreDifferences:
- group: networking.k8s.io
kind: Ingress
jqPathExpressions:
- .spec.rules[].http.paths[]
project: hq
syncPolicy:
automated:
prune: true
selfHeal: true
syncOptions:
- CreateNamespace=true
destination:
server: "https://kubernetes.default.svc"
namespace: keycloak
source:
chart: keycloak
repoURL: registry-1.docker.io/bitnamicharts
targetRevision: 21.1.3
helm:
releaseName: keycloak
values: |
auth:
adminUser: admin
existingSecret: keycloak-admin-password
passwordSecretKey: password
global:
storageClass: hcloud-volumes
replicaCount: 2
pdb:
create: true
minAvailable: 1
autoscaling:
enabled: false
resources:
limits:
cpu: 500m
memory: 1Gi
requests:
cpu: 500m
memory: 1Gi
# Pods must be spread across nodes
# See: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_affinities.tpl#L56-L106
podAntiAffinityPreset: hard
updateStrategy:
type: RollingUpdate
# See: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#maximum-unavailable-pods
# rollingUpdate:
# maxUnavailable: 1
service:
type: ClusterIP
ingress:
enabled: true
hostname: sso.mareshq.com
servicePort: https
ingressClassName: nginx
tls: true
annotations:
cert-manager.io/cluster-issuer: letsencrypt-dns-production
cert-manager.io/issue-temporary-certificate: "true"
# Allow self-signed certificates on the backend
nginx.ingress.kubernetes.io/server-snippet: |
proxy_ssl_verify off;
nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
nginx.ingress.kubernetes.io/proxy-buffering: "on"
nginx.ingress.kubernetes.io/proxy-buffers-number: "4"
nginx.ingress.kubernetes.io/proxy-buffer-size: "16k"
adminIngress:
enabled: true
ingressClassName: nginx
pathType: Prefix
hostname: keycloak.cthulhu.k8s.vxm.cz
servicePort: https
tls: true
annotations:
cert-manager.io/cluster-issuer: letsencrypt-dns-production
cert-manager.io/issue-temporary-certificate: "true"
# Allow self-signed certificates on the backend
nginx.ingress.kubernetes.io/server-snippet: |
proxy_ssl_verify off;
nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
tls:
enabled: true
autoGenerated: true
production: true
# metrics:
# enabled: true
# serviceMonitor:
# enabled: false
postgresql:
enabled: false
externalDatabase:
existingSecret: keycloak-database-credentials
existingSecretHostKey: host
existingSecretPortKey: port
existingSecretDatabaseKey: database
existingSecretUserKey: username
existingSecretPasswordKey: password
startupProbe:
# Keycloak should be ready to serve requests within 15 minutes
enabled: true
initialDelaySeconds: 180 # 3min
periodSeconds: 10
timeoutSeconds: 5
failureThreshold: 80 # 12min
successThreshold: 1
containerSecurityContext:
readOnlyRootFilesystem: true
# Custom theme installation and configuration
initContainers:
- name: theme-installer
image: busybox:latest
command:
- /bin/sh
- "-c"
- |
wget https://vojtechmares.github.io/cdn/keywind.tar.gz -O /tmp/keywind.tar.gz
tar -xzvf /tmp/keywind.tar.gz -C /opt/bitnami/keycloak/themes
volumeMounts:
- mountPath: /opt/bitnami/keycloak/themes/keywind
name: theme
extraVolumes:
- name: theme
emptyDir: {}
extraVolumeMounts:
- name: theme
mountPath: /opt/bitnami/keycloak/themes/keywind
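Review bot: The `theme-installer` init container at the end of the section runs an unpinned `busybox:latest` and extracts a tarball fetched over the network into the Keycloak themes directory with no integrity check, so whatever is served at that URL when a pod starts becomes part of the login UI; pin the image by digest and verify the download before unpacking, e.g. `echo "<EXPECTED_SHA256>  /tmp/keywind.tar.gz" | sha256sum -c -` (placeholder for the known digest) between the `wget` and the `tar -xzvf` lines. The archive is extracted into `/opt/bitnami/keycloak/themes` while the emptyDir is mounted at `/opt/bitnami/keycloak/themes/keywind`, so the tarball must carry a top-level `keywind/` directory for anything to land in the shared volume — a comment such as `# archive must contain a top-level keywind/ directory` would make that dependency explicit. The two `proxy_ssl_verify off;` server-snippets disable certificate checking between ingress-nginx and the backend, which follows from `tls.autoGenerated: true` producing a self-signed certificate, but snippet annotations are disabled by default in recent ingress-nginx releases, so the controller's configuration should be confirmed or the backend CA supplied via `nginx.ingress.kubernetes.io/proxy-ssl-secret` instead. The admin console at `keycloak.cthulhu.k8s.vxm.cz` is published on the same public ingress class with no source restriction; if it is not meant to be reachable from anywhere, add `nginx.ingress.kubernetes.io/whitelist-source-range` to the `adminIngress` annotations. The hunk header claims 162 lines while fewer are shown here, so the file may continue past what is visible.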