infrastructure/auth/keycloak.yaml

# auth-system namespace
apiVersion: kubernetes.crossplane.io/v1alpha2
kind: Object
metadata:
  name: auth-system-namespace
  namespace: crossplane-system
spec:
  providerConfigRef:
    name: kubernetes-provider
  forProvider:
    manifest:
      apiVersion: v1
      kind: Namespace
      metadata:
        name: auth-system
---
# Keycloak service account
apiVersion: kubernetes.crossplane.io/v1alpha2
kind: Object
metadata:
  name: keycloak-service-account
  namespace: crossplane-system
spec:
  providerConfigRef:
    name: kubernetes-provider
  forProvider:
    manifest:
      apiVersion: v1
      kind: ServiceAccount
      metadata:
        name: keycloak
        namespace: auth-system
---
# Keycloak role
apiVersion: kubernetes.crossplane.io/v1alpha2
kind: Object
metadata:
  name: keycloak-role
  namespace: crossplane-system
spec:
  providerConfigRef:
    name: kubernetes-provider
  forProvider:
    manifest:
      apiVersion: rbac.authorization.k8s.io/v1
      kind: Role
      metadata:
        name: keycloak
        namespace: auth-system
      rules:
      - apiGroups: [""]
        resources: ["secrets", "configmaps", "pods"]
        verbs: ["get", "list", "watch"]
---
# Keycloak role binding
apiVersion: kubernetes.crossplane.io/v1alpha2
kind: Object
metadata:
  name: keycloak-role-binding
  namespace: crossplane-system
spec:
  providerConfigRef:
    name: kubernetes-provider
  forProvider:
    manifest:
      apiVersion: rbac.authorization.k8s.io/v1
      kind: RoleBinding
      metadata:
        name: keycloak
        namespace: auth-system
      subjects:
      - kind: ServiceAccount
        name: keycloak
        namespace: auth-system
      roleRef:
        kind: Role
        name: keycloak
        apiGroup: rbac.authorization.k8s.io
---
# Keycloak admin credentials
apiVersion: kubernetes.crossplane.io/v1alpha2
kind: Object
metadata:
  name: keycloak-admin-secret
  namespace: crossplane-system
spec:
  providerConfigRef:
    name: kubernetes-provider
  forProvider:
    manifest:
      apiVersion: v1
      kind: Secret
      metadata:
        name: keycloak-admin-creds
        namespace: auth-system
      type: Opaque
      stringData:
        password: "thefi9paechooh"
---
# Keycloak Helm release
apiVersion: helm.crossplane.io/v1beta1
kind: Release
metadata:
  name: keycloak
  namespace: crossplane-system
spec:
  providerConfigRef:
    name: helm-provider
  forProvider:
    chart:
      name: keycloak
      repository: https://codecentric.github.io/helm-charts
      version: 18.10.0
    namespace: auth-system
    values:
      image:
        repository: quay.io/keycloak/keycloak
        tag: 24.0.4
      serviceAccount:
        create: false
        name: keycloak
      args:
        - start
        - --db=postgres
        - --hostname-strict=false
        - --hostname-strict-https=false
        - --proxy=edge
        - --http-enabled=true
      livenessProbe: |
        httpGet:
          path: /realms/master
          port: http
        initialDelaySeconds: 120
        timeoutSeconds: 5
        periodSeconds: 30
        failureThreshold: 10
      readinessProbe: |
        httpGet:
          path: /realms/master
          port: http
        initialDelaySeconds: 90
        timeoutSeconds: 3
        periodSeconds: 10
        failureThreshold: 10
      startupProbe: |
        httpGet:
          path: /realms/master
          port: http
        initialDelaySeconds: 60
        timeoutSeconds: 3
        periodSeconds: 5
        failureThreshold: 30
      extraEnv: |
        - name: KEYCLOAK_ADMIN
          value: admin
        - name: KEYCLOAK_ADMIN_PASSWORD
          valueFrom:
            secretKeyRef:
              name: keycloak-admin-creds
              key: password
        - name: KC_DB
          value: postgres
        - name: KC_DB_URL
          value: jdbc:postgresql://keycloak-postgresql:5432/keycloak
        - name: KC_DB_USERNAME
          value: keycloak
        - name: KC_DB_PASSWORD
          valueFrom:
            secretKeyRef:
              name: keycloak-postgresql
              key: postgresql-password
      ingress:
        enabled: false
Initial infrastructure as code deployment This commit includes the complete Kubernetes infrastructure deployment for NGE6: - Crossplane setup with providers (Kubernetes, Helm, Civo) - Ambassador/Emissary ingress controller with SSL termination - Cert-manager with Let's Encrypt and Gandi webhook for DNS01 challenges - ExternalDNS integration with Gandi for automatic DNS management - Keycloak authentication server with PostgreSQL - Pomerium identity-aware proxy with OIDC integration - Forgejo Git server with persistent storage and authentication - Spire/SPIFFE for secure service communication All services are deployed using Infrastructure as Code principles with Crossplane managing Kubernetes and Helm resources declaratively. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> 2025-09-23 12:43:06 +00:00			`# auth-system namespace`
			`apiVersion: kubernetes.crossplane.io/v1alpha2`
			`kind: Object`
			`metadata:`
			`name: auth-system-namespace`
			`namespace: crossplane-system`
			`spec:`
			`providerConfigRef:`
			`name: kubernetes-provider`
			`forProvider:`
			`manifest:`
			`apiVersion: v1`
			`kind: Namespace`
			`metadata:`
			`name: auth-system`
			`---`
			`# Keycloak service account`
			`apiVersion: kubernetes.crossplane.io/v1alpha2`
			`kind: Object`
			`metadata:`
			`name: keycloak-service-account`
			`namespace: crossplane-system`
			`spec:`
			`providerConfigRef:`
			`name: kubernetes-provider`
			`forProvider:`
			`manifest:`
			`apiVersion: v1`
			`kind: ServiceAccount`
			`metadata:`
			`name: keycloak`
			`namespace: auth-system`
			`---`
			`# Keycloak role`
			`apiVersion: kubernetes.crossplane.io/v1alpha2`
			`kind: Object`
			`metadata:`
			`name: keycloak-role`
			`namespace: crossplane-system`
			`spec:`
			`providerConfigRef:`
			`name: kubernetes-provider`
			`forProvider:`
			`manifest:`
			`apiVersion: rbac.authorization.k8s.io/v1`
			`kind: Role`
			`metadata:`
			`name: keycloak`
			`namespace: auth-system`
			`rules:`
			`- apiGroups: [""]`
			`resources: ["secrets", "configmaps", "pods"]`
			`verbs: ["get", "list", "watch"]`
			`---`
			`# Keycloak role binding`
			`apiVersion: kubernetes.crossplane.io/v1alpha2`
			`kind: Object`
			`metadata:`
			`name: keycloak-role-binding`
			`namespace: crossplane-system`
			`spec:`
			`providerConfigRef:`
			`name: kubernetes-provider`
			`forProvider:`
			`manifest:`
			`apiVersion: rbac.authorization.k8s.io/v1`
			`kind: RoleBinding`
			`metadata:`
			`name: keycloak`
			`namespace: auth-system`
			`subjects:`
			`- kind: ServiceAccount`
			`name: keycloak`
			`namespace: auth-system`
			`roleRef:`
			`kind: Role`
			`name: keycloak`
			`apiGroup: rbac.authorization.k8s.io`
			`---`
			`# Keycloak admin credentials`
			`apiVersion: kubernetes.crossplane.io/v1alpha2`
			`kind: Object`
			`metadata:`
			`name: keycloak-admin-secret`
			`namespace: crossplane-system`
			`spec:`
			`providerConfigRef:`
			`name: kubernetes-provider`
			`forProvider:`
			`manifest:`
			`apiVersion: v1`
			`kind: Secret`
			`metadata:`
			`name: keycloak-admin-creds`
			`namespace: auth-system`
			`type: Opaque`
			`stringData:`
			`password: "thefi9paechooh"`
			`---`
			`# Keycloak Helm release`
			`apiVersion: helm.crossplane.io/v1beta1`
			`kind: Release`
			`metadata:`
			`name: keycloak`
			`namespace: crossplane-system`
			`spec:`
			`providerConfigRef:`
			`name: helm-provider`
			`forProvider:`
			`chart:`
			`name: keycloak`
			`repository: https://codecentric.github.io/helm-charts`
			`version: 18.10.0`
			`namespace: auth-system`
			`values:`
			`image:`
			`repository: quay.io/keycloak/keycloak`
			`tag: 24.0.4`
			`serviceAccount:`
			`create: false`
			`name: keycloak`
			`args:`
			`- start`
			`- --db=postgres`
			`- --hostname-strict=false`
			`- --hostname-strict-https=false`
			`- --proxy=edge`
			`- --http-enabled=true`
			`livenessProbe: \|`
			`httpGet:`
			`path: /realms/master`
			`port: http`
			`initialDelaySeconds: 120`
			`timeoutSeconds: 5`
			`periodSeconds: 30`
			`failureThreshold: 10`
			`readinessProbe: \|`
			`httpGet:`
			`path: /realms/master`
			`port: http`
			`initialDelaySeconds: 90`
			`timeoutSeconds: 3`
			`periodSeconds: 10`
			`failureThreshold: 10`
			`startupProbe: \|`
			`httpGet:`
			`path: /realms/master`
			`port: http`
			`initialDelaySeconds: 60`
			`timeoutSeconds: 3`
			`periodSeconds: 5`
			`failureThreshold: 30`
			`extraEnv: \|`
			`- name: KEYCLOAK_ADMIN`
			`value: admin`
			`- name: KEYCLOAK_ADMIN_PASSWORD`
			`valueFrom:`
			`secretKeyRef:`
			`name: keycloak-admin-creds`
			`key: password`
			`- name: KC_DB`
			`value: postgres`
			`- name: KC_DB_URL`
			`value: jdbc:postgresql://keycloak-postgresql:5432/keycloak`
			`- name: KC_DB_USERNAME`
			`value: keycloak`
			`- name: KC_DB_PASSWORD`
			`valueFrom:`
			`secretKeyRef:`
			`name: keycloak-postgresql`
			`key: postgresql-password`
			`ingress:`
			`enabled: false`