
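# Crossplane Composition backing the KeycloakIdentity composite: one realm,
# three groups, an admin user with a temporary bootstrap password, the admin's
# group memberships, and a confidential OIDC client for Pomerium.
#
# This is a classic (patch-and-transform) Composition. Every `base` is a static
# manifest that is NOT template-rendered; per-claim values (realm name, admin
# identity, redirect URI) reach the managed resources only through `patches`.
apiVersion: apiextensions.crossplane.io/v1
kind: Composition
metadata:
  name: keycloakidentity.auth.yourdomain.com
spec:
  # The composite's connection secret (realm connection, group/user IDs and the
  # Pomerium client secret — see the `connectionDetails` entries below) is
  # written here. Read access to Secrets in this namespace equals possession of
  # the Pomerium client credential; keep its RBAC tight.
  writeConnectionSecretsToNamespace: crossplane-system
  compositeTypeRef:
    apiVersion: auth.yourdomain.com/v1alpha1
    kind: KeycloakIdentity
  resources:
    # 1. First create the realm
    - name: realm
      base:
        apiVersion: realm.keycloak.crossplane.io/v1alpha1
        kind: Realm
        metadata:
          annotations:
            # Filled by the spec.realmName patches below. A `{{ ... }}`
            # expression here would be used literally as the external name,
            # because bases are never template-rendered.
            crossplane.io/external-name: ""
        spec:
          forProvider:
            realm: ""  # patched from spec.realmName
            enabled: true
            displayName: ""  # patched from spec.realmName
            # Anonymous self-registration stays off; accounts are created by
            # this composition and by realm admins.
            registrationAllowed: false
            # Self-service reset sends mail, so the realm needs working SMTP;
            # nothing in this composition configures it.
            resetPasswordAllowed: true
            rememberMe: true
            loginWithEmailAllowed: true
          providerConfigRef:
            name: keycloak-provider
          writeConnectionSecretToRef:
            namespace: crossplane-system
            name: realm-connection  # patched to realm-connection-<realmName>
      patches:
        - type: FromCompositeFieldPath
          fromFieldPath: spec.realmName
          toFieldPath: metadata.annotations[keycloak/realm-name]
        # External name == realm name, which is what the removed template
        # expression was trying to express; this makes the provider observe
        # the realm by its name rather than by a generated resource name.
        - type: FromCompositeFieldPath
          fromFieldPath: spec.realmName
          toFieldPath: metadata.annotations[crossplane.io/external-name]
        - type: FromCompositeFieldPath
          fromFieldPath: spec.realmName
          toFieldPath: spec.forProvider.realm
        - type: FromCompositeFieldPath
          fromFieldPath: spec.realmName
          toFieldPath: spec.forProvider.displayName
        - type: FromCompositeFieldPath
          fromFieldPath: spec.realmName
          toFieldPath: spec.writeConnectionSecretToRef.name
          transforms:
            - type: string
              string:
                fmt: realm-connection-%s
    # 2. Create the k8s-admins group
    - name: admins-group
      base:
        apiVersion: group.keycloak.crossplane.io/v1alpha1
        kind: Group
        spec:
          forProvider:
            name: k8s-admins
          providerConfigRef:
            name: keycloak-provider
          writeConnectionSecretToRef:
            namespace: crossplane-system
            name: admins-group-secret
      patches:
        - type: FromCompositeFieldPath
          fromFieldPath: spec.realmName
          toFieldPath: spec.forProvider.realmId
      # Publishes the group's Keycloak ID on the composite's connection secret.
      # NOTE(review): the source key (`id`) must match what the provider
      # actually writes to the managed resource's connection secret — verify.
      connectionDetails:
        - fromConnectionSecretKey: id
          name: adminsGroupId
    # 3. Create the users group
    - name: users-group
      base:
        apiVersion: group.keycloak.crossplane.io/v1alpha1
        kind: Group
        spec:
          forProvider:
            name: users
          providerConfigRef:
            name: keycloak-provider
          writeConnectionSecretToRef:
            namespace: crossplane-system
            name: users-group-secret
      patches:
        - type: FromCompositeFieldPath
          fromFieldPath: spec.realmName
          toFieldPath: spec.forProvider.realmId
      connectionDetails:
        - fromConnectionSecretKey: id
          name: usersGroupId
    # 4. Create the developers group
    # Created and its ID published, but no membership or patch set in this
    # composition references it.
    - name: developers-group
      base:
        apiVersion: group.keycloak.crossplane.io/v1alpha1
        kind: Group
        spec:
          forProvider:
            name: developers
          providerConfigRef:
            name: keycloak-provider
          writeConnectionSecretToRef:
            namespace: crossplane-system
            name: developers-group-secret
      patches:
        - type: FromCompositeFieldPath
          fromFieldPath: spec.realmName
          toFieldPath: spec.forProvider.realmId
      connectionDetails:
        - fromConnectionSecretKey: id
          name: developersGroupId
    # 5. Create the admin user with password
    - name: admin-user
      base:
        apiVersion: user.keycloak.crossplane.io/v1alpha1
        kind: User
        spec:
          forProvider:
            emailVerified: true
            enabled: true
            firstName: Admin
            lastName: User
            # The bootstrap password is read from an existing Secret, never
            # stored in this manifest. `temporary: true` forces a password
            # change at first login, so the bootstrap value does not survive
            # as a long-lived credential.
            initialPassword:
              - temporary: true
                valueSecretRef:
                  namespace: crossplane-system
                  name: admin-password-secret
                  key: password
          providerConfigRef:
            name: keycloak-provider
          writeConnectionSecretToRef:
            namespace: crossplane-system
            name: admin-user-secret
      patches:
        - type: FromCompositeFieldPath
          fromFieldPath: spec.realmName
          toFieldPath: spec.forProvider.realmId
        - type: FromCompositeFieldPath
          fromFieldPath: spec.adminUsername
          toFieldPath: spec.forProvider.username
        - type: FromCompositeFieldPath
          fromFieldPath: spec.adminEmail
          toFieldPath: spec.forProvider.email
      connectionDetails:
        - fromConnectionSecretKey: id
          name: adminUserId
    # 6. Create admin-user to k8s-admins group membership
    - name: admin-to-admins-membership
      base:
        apiVersion: user.keycloak.crossplane.io/v1alpha1
        kind: Groups
        spec:
          forProvider:
            # Non-exhaustive: only the groups listed on this resource are
            # managed; other memberships of the user are left in place rather
            # than removed on reconcile.
            exhaustive: false
          providerConfigRef:
            name: keycloak-provider
      patches:
        - type: FromCompositeFieldPath
          fromFieldPath: spec.realmName
          toFieldPath: spec.forProvider.realmId
        - type: PatchSet
          patchSetName: adminUserId-patching
        - type: PatchSet
          patchSetName: adminsGroupId-patching
    # 7. Create admin-user to users group membership
    - name: admin-to-users-membership
      base:
        apiVersion: user.keycloak.crossplane.io/v1alpha1
        kind: Groups
        spec:
          forProvider:
            exhaustive: false  # see admin-to-admins-membership
          providerConfigRef:
            name: keycloak-provider
      patches:
        - type: FromCompositeFieldPath
          fromFieldPath: spec.realmName
          toFieldPath: spec.forProvider.realmId
        - type: PatchSet
          patchSetName: adminUserId-patching
        - type: PatchSet
          patchSetName: usersGroupId-patching
    # 8. Create Pomerium client
    - name: pomerium-client
      base:
        apiVersion: openidclient.keycloak.crossplane.io/v1alpha1
        kind: Client
        spec:
          forProvider:
            clientId: pomerium
            name: "Pomerium Identity-Aware Proxy"
            description: "Client for Pomerium IAP"
            enabled: true
            # Confidential client authenticating with a client secret; the
            # secret is surfaced only through the connection secret below.
            clientAuthenticatorType: client-secret
            accessType: "CONFIDENTIAL"
            # Browser (authorization-code) login only: no resource-owner
            # password grant and no service-account token issuance.
            standardFlowEnabled: true
            directAccessGrantsEnabled: false
            serviceAccountsEnabled: false
            # Empty on purpose; the single allowed redirect URI is patched in
            # from spec.pomeriumRedirectUri. Keep that value an exact URI —
            # wildcard patterns widen where authorization codes may be sent.
            validRedirectUris: []
            # Keycloak's "+" permits CORS only from the origins of the valid
            # redirect URIs, not from any origin.
            webOrigins:
              - "+"
          providerConfigRef:
            name: keycloak-provider
          writeConnectionSecretToRef:
            namespace: crossplane-system
            name: pomerium-client-secret
      patches:
        - type: FromCompositeFieldPath
          fromFieldPath: spec.realmName
          toFieldPath: spec.forProvider.realmId
        - type: FromCompositeFieldPath
          fromFieldPath: spec.pomeriumRedirectUri
          toFieldPath: spec.forProvider.validRedirectUris[0]
      connectionDetails:
        - fromConnectionSecretKey: clientSecret
          name: pomeriumClientSecret
  # NOTE(review): `connectionDetails.*` is not a field of the composite
  # resource — the values named in `connectionDetails` above go to its
  # connection secret, not into its spec/status. A FromCompositeFieldPath
  # patch from such a path finds nothing and is skipped under the default
  # (optional) policy, so the two membership resources are rendered without
  # userId/groupIds. The usual fix is to publish each ID onto a composite
  # status field (ToCompositeFieldPath on the user/group resources) declared
  # in the XRD, and read it here with FromCompositeFieldPath from that field.
  patchSets:
    - name: adminUserId-patching
      patches:
        - type: FromCompositeFieldPath
          fromFieldPath: connectionDetails.adminUserId
          toFieldPath: spec.forProvider.userId
    - name: adminsGroupId-patching
      patches:
        - type: FromCompositeFieldPath
          fromFieldPath: connectionDetails.adminsGroupId
          toFieldPath: spec.forProvider.groupIds[0]
    - name: usersGroupId-patching
      patches:
        - type: FromCompositeFieldPath
          fromFieldPath: connectionDetails.usersGroupId
          toFieldPath: spec.forProvider.groupIds[0]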