0b60e24c4f
- Created Ambassador Host: auth.nge6.com - SSL certificate via Let's Encrypt - External-DNS integration for automatic DNS records - Direct access to Keycloak admin interface Admin Access: - URL: https://auth.nge6.com/admin - Username: admin - Password: thefi9paechooh 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
243 lines
5.7 KiB
YAML
243 lines
5.7 KiB
YAML
# auth-system namespace
|
|
apiVersion: kubernetes.crossplane.io/v1alpha2
|
|
kind: Object
|
|
metadata:
|
|
name: auth-system-namespace
|
|
namespace: crossplane-system
|
|
spec:
|
|
providerConfigRef:
|
|
name: kubernetes-provider
|
|
forProvider:
|
|
manifest:
|
|
apiVersion: v1
|
|
kind: Namespace
|
|
metadata:
|
|
name: auth-system
|
|
---
|
|
# Keycloak service account
|
|
apiVersion: kubernetes.crossplane.io/v1alpha2
|
|
kind: Object
|
|
metadata:
|
|
name: keycloak-service-account
|
|
namespace: crossplane-system
|
|
spec:
|
|
providerConfigRef:
|
|
name: kubernetes-provider
|
|
forProvider:
|
|
manifest:
|
|
apiVersion: v1
|
|
kind: ServiceAccount
|
|
metadata:
|
|
name: keycloak
|
|
namespace: auth-system
|
|
---
|
|
# Keycloak role
|
|
apiVersion: kubernetes.crossplane.io/v1alpha2
|
|
kind: Object
|
|
metadata:
|
|
name: keycloak-role
|
|
namespace: crossplane-system
|
|
spec:
|
|
providerConfigRef:
|
|
name: kubernetes-provider
|
|
forProvider:
|
|
manifest:
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: Role
|
|
metadata:
|
|
name: keycloak
|
|
namespace: auth-system
|
|
rules:
|
|
- apiGroups: [""]
|
|
resources: ["secrets", "configmaps", "pods"]
|
|
verbs: ["get", "list", "watch"]
|
|
---
|
|
# Keycloak role binding
|
|
apiVersion: kubernetes.crossplane.io/v1alpha2
|
|
kind: Object
|
|
metadata:
|
|
name: keycloak-role-binding
|
|
namespace: crossplane-system
|
|
spec:
|
|
providerConfigRef:
|
|
name: kubernetes-provider
|
|
forProvider:
|
|
manifest:
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: RoleBinding
|
|
metadata:
|
|
name: keycloak
|
|
namespace: auth-system
|
|
subjects:
|
|
- kind: ServiceAccount
|
|
name: keycloak
|
|
namespace: auth-system
|
|
roleRef:
|
|
kind: Role
|
|
name: keycloak
|
|
apiGroup: rbac.authorization.k8s.io
|
|
---
|
|
# Keycloak admin credentials
|
|
apiVersion: kubernetes.crossplane.io/v1alpha2
|
|
kind: Object
|
|
metadata:
|
|
name: keycloak-admin-secret
|
|
namespace: crossplane-system
|
|
spec:
|
|
providerConfigRef:
|
|
name: kubernetes-provider
|
|
forProvider:
|
|
manifest:
|
|
apiVersion: v1
|
|
kind: Secret
|
|
metadata:
|
|
name: keycloak-admin-creds
|
|
namespace: auth-system
|
|
type: Opaque
|
|
stringData:
|
|
password: "thefi9paechooh"
|
|
---
|
|
# Keycloak Helm release
|
|
apiVersion: helm.crossplane.io/v1beta1
|
|
kind: Release
|
|
metadata:
|
|
name: keycloak
|
|
namespace: crossplane-system
|
|
spec:
|
|
providerConfigRef:
|
|
name: helm-provider
|
|
forProvider:
|
|
chart:
|
|
name: keycloak
|
|
repository: https://codecentric.github.io/helm-charts
|
|
version: 18.10.0
|
|
namespace: auth-system
|
|
values:
|
|
image:
|
|
repository: quay.io/keycloak/keycloak
|
|
tag: 24.0.4
|
|
serviceAccount:
|
|
create: false
|
|
name: keycloak
|
|
args:
|
|
- start
|
|
- --db=postgres
|
|
- --hostname-strict=false
|
|
- --hostname-strict-https=false
|
|
- --proxy=edge
|
|
- --http-enabled=true
|
|
livenessProbe: |
|
|
httpGet:
|
|
path: /realms/master
|
|
port: http
|
|
initialDelaySeconds: 120
|
|
timeoutSeconds: 5
|
|
periodSeconds: 30
|
|
failureThreshold: 10
|
|
readinessProbe: |
|
|
httpGet:
|
|
path: /realms/master
|
|
port: http
|
|
initialDelaySeconds: 90
|
|
timeoutSeconds: 3
|
|
periodSeconds: 10
|
|
failureThreshold: 10
|
|
startupProbe: |
|
|
httpGet:
|
|
path: /realms/master
|
|
port: http
|
|
initialDelaySeconds: 60
|
|
timeoutSeconds: 3
|
|
periodSeconds: 5
|
|
failureThreshold: 30
|
|
extraEnv: |
|
|
- name: KEYCLOAK_ADMIN
|
|
value: admin
|
|
- name: KEYCLOAK_ADMIN_PASSWORD
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: keycloak-admin-creds
|
|
key: password
|
|
- name: KC_DB
|
|
value: postgres
|
|
- name: KC_DB_URL
|
|
value: jdbc:postgresql://keycloak-postgresql:5432/keycloak
|
|
- name: KC_DB_USERNAME
|
|
value: keycloak
|
|
- name: KC_DB_PASSWORD
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: keycloak-postgresql
|
|
key: postgresql-password
|
|
ingress:
|
|
enabled: false
|
|
---
|
|
# Keycloak SSL Certificate
|
|
apiVersion: kubernetes.crossplane.io/v1alpha2
|
|
kind: Object
|
|
metadata:
|
|
name: keycloak-certificate
|
|
namespace: crossplane-system
|
|
spec:
|
|
providerConfigRef:
|
|
name: kubernetes-provider
|
|
forProvider:
|
|
manifest:
|
|
apiVersion: cert-manager.io/v1
|
|
kind: Certificate
|
|
metadata:
|
|
name: keycloak-tls
|
|
namespace: emissary
|
|
spec:
|
|
secretName: keycloak-tls
|
|
issuerRef:
|
|
name: letsencrypt-dns
|
|
kind: ClusterIssuer
|
|
dnsNames:
|
|
- auth.nge6.com
|
|
---
|
|
# Keycloak Ambassador Host
|
|
apiVersion: kubernetes.crossplane.io/v1alpha2
|
|
kind: Object
|
|
metadata:
|
|
name: keycloak-host
|
|
namespace: crossplane-system
|
|
spec:
|
|
providerConfigRef:
|
|
name: kubernetes-provider
|
|
forProvider:
|
|
manifest:
|
|
apiVersion: getambassador.io/v3alpha1
|
|
kind: Host
|
|
metadata:
|
|
name: keycloak-host
|
|
namespace: emissary
|
|
annotations:
|
|
external-dns.ambassador-service: emissary-ingress.emissary.svc.cluster.local
|
|
spec:
|
|
hostname: auth.nge6.com
|
|
tlsSecret:
|
|
name: keycloak-tls
|
|
---
|
|
# Keycloak Ambassador Mapping
|
|
apiVersion: kubernetes.crossplane.io/v1alpha2
|
|
kind: Object
|
|
metadata:
|
|
name: keycloak-mapping
|
|
namespace: crossplane-system
|
|
spec:
|
|
providerConfigRef:
|
|
name: kubernetes-provider
|
|
forProvider:
|
|
manifest:
|
|
apiVersion: getambassador.io/v3alpha1
|
|
kind: Mapping
|
|
metadata:
|
|
name: keycloak-mapping
|
|
namespace: emissary
|
|
spec:
|
|
hostname: auth.nge6.com
|
|
prefix: /
|
|
service: keycloak-http.auth-system:80
|
|
timeout_ms: 30000
|
|
connect_timeout_ms: 10000
|