- Move Keycloak off Helm to plain Crossplane Object manifests (PostgreSQL + Keycloak deployment) - Add Vaultwarden SSO/OIDC config with Keycloak, fix Recreate deployment strategy for RWO volumes - Switch routing from Helm-based Pomerium to pomerium-allinone with all service routes - Deploy Argo Workflows (controller, server, CRDs, RBAC) with KEDA queue-depth autoscaling - Add Civo cluster autoscaler with pool-scaler for zero-to-one scale-up via Civo API - Add node-labeler to auto-tag nodes by pool membership for nodeSelector scheduling - Set up mTLS container registry at registry.nge6.com (Forgejo built-in, client cert required) - Add internal registry route (registry-internal.nge6.com) for in-cluster image pulls - Fix DNS records for new Emissary LB IP (212.2.241.28) - Fix CoreDNS crash from invalid custom config - Fix Emissary apiext expired webhook CA certificate Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
# keycloak-resources.yaml
|
|
# Create Kubernetes realm
|
|
apiVersion: realm.keycloak.crossplane.io/v1alpha1
|
|
kind: Realm
|
|
metadata:
|
|
name: kubernetes-realm
|
|
spec:
|
|
forProvider:
|
|
realm: kubernetes-realm
|
|
enabled: true
|
|
displayName: "Kubernetes Realm"
|
|
registrationAllowed: false
|
|
resetPasswordAllowed: true
|
|
rememberMe: true
|
|
loginWithEmailAllowed: true
|
|
providerConfigRef:
|
|
name: keycloak-provider
|
|
---
|
|
# Create Pomerium client
|
|
apiVersion: openidclient.keycloak.crossplane.io/v1alpha1
|
|
kind: Client
|
|
metadata:
|
|
name: pomerium-client
|
|
spec:
|
|
forProvider:
|
|
realmId: kubernetes-realm
|
|
clientId: pomerium
|
|
name: "Pomerium Identity-Aware Proxy"
|
|
description: "Client for Pomerium IAP"
|
|
enabled: true
|
|
accessType: CONFIDENTIAL
|
|
clientAuthenticatorType: client-secret
|
|
validRedirectUris:
|
|
- "https://authenticate.nge6.com/oauth2/callback"
|
|
standardFlowEnabled: true
|
|
directAccessGrantsEnabled: false
|
|
serviceAccountsEnabled: false
|
|
webOrigins:
|
|
- "+"
|
|
providerConfigRef:
|
|
name: keycloak-provider
|
|
---
|
|
# Vaultwarden OIDC Client
|
|
apiVersion: openidclient.keycloak.crossplane.io/v1alpha1
|
|
kind: Client
|
|
metadata:
|
|
name: vaultwarden-client
|
|
spec:
|
|
forProvider:
|
|
realmId: kubernetes-realm
|
|
clientId: vaultwarden
|
|
name: "Vaultwarden Password Manager"
|
|
description: "Client for Vaultwarden OIDC authentication"
|
|
enabled: true
|
|
accessType: CONFIDENTIAL
|
|
clientAuthenticatorType: client-secret
|
|
validRedirectUris:
|
|
- "https://vault.nge6.com/identity/connect/oidc-signin"
|
|
- "https://vault.nge6.com/sso-connector/oidc/callback"
|
|
standardFlowEnabled: true
|
|
directAccessGrantsEnabled: false
|
|
serviceAccountsEnabled: false
|
|
webOrigins:
|
|
- "https://vault.nge6.com"
|
|
providerConfigRef:
|
|
name: keycloak-provider
|
|
---
|
|
# Create user groups
|
|
apiVersion: group.keycloak.crossplane.io/v1alpha1
|
|
kind: Group
|
|
metadata:
|
|
name: k8s-admins-group
|
|
spec:
|
|
forProvider:
|
|
realmId: kubernetes-realm
|
|
name: k8s-admins
|
|
providerConfigRef:
|
|
name: keycloak-provider
|
|
---
|
|
apiVersion: group.keycloak.crossplane.io/v1alpha1
|
|
kind: Group
|
|
metadata:
|
|
name: developers-group
|
|
spec:
|
|
forProvider:
|
|
realmId: kubernetes-realm
|
|
name: developers
|
|
providerConfigRef:
|
|
name: keycloak-provider
|
|
---
|
|
apiVersion: group.keycloak.crossplane.io/v1alpha1
|
|
kind: Group
|
|
metadata:
|
|
name: users-group
|
|
spec:
|
|
forProvider:
|
|
realmId: kubernetes-realm
|
|
name: users
|
|
providerConfigRef:
|
|
name: keycloak-provider
|
|
---
|
|
# Create roles
|
|
apiVersion: role.keycloak.crossplane.io/v1alpha1
|
|
kind: Role
|
|
metadata:
|
|
name: k8s-admin-role
|
|
spec:
|
|
forProvider:
|
|
realmId: kubernetes-realm
|
|
name: k8s-admin
|
|
description: "Kubernetes cluster administrator"
|
|
providerConfigRef:
|
|
name: keycloak-provider
|
|
---
|
|
apiVersion: role.keycloak.crossplane.io/v1alpha1
|
|
kind: Role
|
|
metadata:
|
|
name: developer-role
|
|
spec:
|
|
forProvider:
|
|
realmId: kubernetes-realm
|
|
name: developer
|
|
description: "Developer access to specific namespaces"
|
|
providerConfigRef:
|
|
name: keycloak-provider
|
|
---
|
|
apiVersion: role.keycloak.crossplane.io/v1alpha1
|
|
kind: Role
|
|
metadata:
|
|
name: user-role
|
|
spec:
|
|
forProvider:
|
|
realmId: kubernetes-realm
|
|
name: user
|
|
description: "Basic user access"
|
|
providerConfigRef:
|
|
name: keycloak-provider
|
|
---
|
|
# Create admin user
|
|
apiVersion: user.keycloak.crossplane.io/v1alpha1
|
|
kind: User
|
|
metadata:
|
|
name: admin-user
|
|
spec:
|
|
forProvider:
|
|
realmId: kubernetes-realm
|
|
username: admin
|
|
enabled: true
|
|
emailVerified: true
|
|
firstName: Admin
|
|
lastName: User
|
|
email: admin@nge6.com
|
|
providerConfigRef:
|
|
name: keycloak-provider
|
|
---
|
|
# Create eemoore user
|
|
apiVersion: user.keycloak.crossplane.io/v1alpha1
|
|
kind: User
|
|
metadata:
|
|
name: eemoore-user
|
|
spec:
|
|
forProvider:
|
|
realmId: kubernetes-realm
|
|
username: eemoore
|
|
enabled: true
|
|
emailVerified: true
|
|
firstName: Eric
|
|
lastName: Moore
|
|
email: eemoore@nge6.com
|
|
providerConfigRef:
|
|
name: keycloak-provider
|
|
---
|
|
# Group role assignments - assign roles to groups
|
|
apiVersion: group.keycloak.crossplane.io/v1alpha1
|
|
kind: Roles
|
|
metadata:
|
|
name: k8s-admins-roles
|
|
spec:
|
|
forProvider:
|
|
realmId: kubernetes-realm
|
|
groupId: k8s-admins
|
|
roleIds: ["k8s-admin"]
|
|
providerConfigRef:
|
|
name: keycloak-provider
|
|
---
|
|
apiVersion: group.keycloak.crossplane.io/v1alpha1
|
|
kind: Roles
|
|
metadata:
|
|
name: developers-roles
|
|
spec:
|
|
forProvider:
|
|
realmId: kubernetes-realm
|
|
groupId: developers
|
|
roleIds: ["developer"]
|
|
providerConfigRef:
|
|
name: keycloak-provider
|
|
---
|
|
apiVersion: group.keycloak.crossplane.io/v1alpha1
|
|
kind: Roles
|
|
metadata:
|
|
name: users-roles
|
|
spec:
|
|
forProvider:
|
|
realmId: kubernetes-realm
|
|
groupId: users
|
|
roleIds: ["user"]
|
|
providerConfigRef:
|
|
name: keycloak-provider
|
|
---
|
|
# User group memberships - add admin user to groups
|
|
apiVersion: group.keycloak.crossplane.io/v1alpha1
|
|
kind: Memberships
|
|
metadata:
|
|
name: k8s-admins-members
|
|
spec:
|
|
forProvider:
|
|
realmId: kubernetes-realm
|
|
groupId: 98e13ab3-0001-4646-b097-ed52ee5baff4
|
|
members: ["admin", "eemoore"]
|
|
providerConfigRef:
|
|
name: keycloak-provider
|
|
---
|
|
apiVersion: group.keycloak.crossplane.io/v1alpha1
|
|
kind: Memberships
|
|
metadata:
|
|
name: users-members
|
|
spec:
|
|
forProvider:
|
|
realmId: kubernetes-realm
|
|
groupId: f87d1c8e-32ee-4f63-9584-7fce67313137
|
|
members: ["admin", "eemoore"]
|
|
providerConfigRef:
|
|
name: keycloak-provider
|
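Review bot: The two Memberships resources (k8s-admins-members, users-members) pin `groupId` to realm-specific UUIDs (`98e13ab3-…`, `f87d1c8e-…`), while the sibling Roles resources address the same groups by name (`groupId: k8s-admins`); the UUIDs only exist in the realm they were copied from, so recreating the realm from these manifests will leave the admin memberships unresolvable and silently unapplied. Since the Group objects are managed in the same file, reference them instead of hard-coding ids — if the provider-keycloak CRD exposes the usual Upjet cross-resource reference, `groupIdRef:` / `  name: k8s-admins-group` (and `users-group` for the second), otherwise at least derive the id from the Group's status rather than a literal. The comment on that stanza, `# User group memberships - add admin user to groups`, should also say `# User group memberships - add admin and eemoore to groups`, since both accounts are placed in k8s-admins and therefore receive the k8s-admin role. The Realm stanza sets no brute-force or SSL-required settings; if the provider supports a `securityDefenses` block (it does in the upstream Terraform resource), enabling brute-force detection there would be worth a follow-up given password reset and remember-me are both turned on.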