From 58d31dbe4126514c4cda786d4c3a9b6fba49fe03 Mon Sep 17 00:00:00 2001
From: Vojtech Mares
Date: Sat, 11 May 2024 20:04:51 +0200
Subject: [PATCH] feat(apps): add keycloak
---
 apps/hq/keycloak.yaml | 162 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 162 insertions(+)
 create mode 100644 apps/hq/keycloak.yaml
diff --git a/apps/hq/keycloak.yaml b/apps/hq/keycloak.yaml
new file mode 100644
index 0000000..b6dca69
--- /dev/null
+++ b/apps/hq/keycloak.yaml
@@ -0,0 +1,162 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: keycloak
+ namespace: argocd
+ annotations:
+ argocd.argoproj.io/sync-wave: "50"
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ ignoreDifferences:
+ - group: networking.k8s.io
+ kind: Ingress
+ jqPathExpressions:
+ - .spec.rules[].http.paths[]
+ project: hq
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
+ destination:
+ server: "https://kubernetes.default.svc"
+ namespace: keycloak
+ source:
+ chart: keycloak
+ repoURL: registry-1.docker.io/bitnamicharts
+ targetRevision: 21.1.3
+ helm:
+ releaseName: keycloak
+ values: |
+ auth:
+ adminUser: admin
+ existingSecret: keycloak-admin-password
+ passwordSecretKey: password
+
+ global:
+ storageClass: hcloud-volumes
+
+ replicaCount: 2
+
+ pdb:
+ create: true
+ minAvailable: 1
+
+ autoscaling:
+ enabled: false
+
+ resources:
+ limits:
+ cpu: 500m
+ memory: 1Gi
+ requests:
+ cpu: 500m
+ memory: 1Gi
+
+ # Pods must be spread across nodes
+ # See: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_affinities.tpl#L56-L106
+ podAntiAffinityPreset: hard
+
+ updateStrategy:
+ type: RollingUpdate
+ # See: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#maximum-unavailable-pods
+ # rollingUpdate:
+ # maxUnavailable: 1
+
+ service:
+ type: ClusterIP
+
+ ingress:
+ enabled: true
+ hostname: sso.mareshq.com
+ servicePort: https
+
+ ingressClassName: nginx
+
+ tls: true
+
+ annotations:
+ cert-manager.io/cluster-issuer: letsencrypt-dns-production
+ cert-manager.io/issue-temporary-certificate: "true"
+ # Allow self-signed certificates on the backend
+ nginx.ingress.kubernetes.io/server-snippet: |
+ proxy_ssl_verify off;
+ nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
+ nginx.ingress.kubernetes.io/proxy-buffering: "on"
+ nginx.ingress.kubernetes.io/proxy-buffers-number: "4"
+ nginx.ingress.kubernetes.io/proxy-buffer-size: "16k"
+
+ adminIngress:
+ enabled: true
+ ingressClassName: nginx
+ pathType: Prefix
+ hostname: keycloak.cthulhu.k8s.vxm.cz
+ servicePort: https
+ tls: true
+ annotations:
+ cert-manager.io/cluster-issuer: letsencrypt-dns-production
+ cert-manager.io/issue-temporary-certificate: "true"
+ # Allow self-signed certificates on the backend
+ nginx.ingress.kubernetes.io/server-snippet: |
+ proxy_ssl_verify off;
+ nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
+
+ tls:
+ enabled: true
+ autoGenerated: true
+
+ production: true
+
+ # metrics:
+ # enabled: true
+
+ # serviceMonitor:
+ # enabled: false
+
+ postgresql:
+ enabled: false
+
+ externalDatabase:
+ existingSecret: keycloak-database-credentials
+ existingSecretHostKey: host
+ existingSecretPortKey: port
+ existingSecretDatabaseKey: database
+ existingSecretUserKey: username
+ existingSecretPasswordKey: password
+
+ startupProbe:
+ # Keycloak should be ready to serve requests within 15 minutes
+ enabled: true
+ initialDelaySeconds: 180 # 3min
+ periodSeconds: 10
+ timeoutSeconds: 5
+ failureThreshold: 80 # 12min
+ successThreshold: 1
+
+ containerSecurityContext:
+ readOnlyRootFilesystem: true
+
+ # Custom theme installation and configuration
+ initContainers:
+ - name: theme-installer
+ image: busybox:latest
+ command:
+ - /bin/sh
+ - "-c"
+ - |
+ wget https://vojtechmares.github.io/cdn/keywind.tar.gz -O /tmp/keywind.tar.gz
+ tar -xzvf /tmp/keywind.tar.gz -C /opt/bitnami/keycloak/themes
+
+ volumeMounts:
+ - mountPath: /opt/bitnami/keycloak/themes/keywind
+ name: theme
+
+ extraVolumes:
+ - name: theme
+ emptyDir: {}
+
+ extraVolumeMounts:
+ - name: theme
+ mountPath: /opt/bitnami/keycloak/themes/keywind
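Review bot: The theme-installer initContainer pulls `busybox:latest` and fetches `keywind.tar.gz` from an external URL on every pod start with no integrity check, so whatever is served at that URL (or substituted in transit — busybox's wget may not validate TLS certificates, depending on the build) is extracted straight into the Keycloak themes directory that renders the login page. Pin the image by digest, verify a checksum of the archive before extracting, and make the script fail on any error with `set -eu` so that `tar` does not run on a missing or partial download; baking the theme into an image would remove the runtime download altogether. The archive is extracted into `/opt/bitnami/keycloak/themes` while only `.../themes/keywind` is the mounted volume, so this only works if the archive's top-level directory is `keywind/` — worth stating in the comment above `initContainers`. Separately, the `proxy_ssl_verify off;` server-snippet on both ingresses requires snippet annotations to be enabled in ingress-nginx (disabled by default in recent releases), so confirm it is actually applied rather than silently dropped.
```yaml
      initContainers:
        - name: theme-installer
          # Pin by digest so the extractor image cannot change underneath the deployment
          image: busybox:<PINNED_TAG>@sha256:<IMAGE_DIGEST>
          command:
            - /bin/sh
            - "-c"
            - |
              set -eu
              wget https://vojtechmares.github.io/cdn/keywind.tar.gz -O /tmp/keywind.tar.gz
              # Refuse to install a theme whose content differs from the reviewed release
              echo "<EXPECTED_SHA256>  /tmp/keywind.tar.gz" | sha256sum -c -
              tar -xzvf /tmp/keywind.tar.gz -C /opt/bitnami/keycloak/themes
          # … unchanged: volumeMounts …
```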