infrastructure/auth/keycloak.yaml
Infrastructure Admin d770504fa5 Initial infrastructure as code deployment
This commit includes the complete Kubernetes infrastructure deployment for NGE6:

- Crossplane setup with providers (Kubernetes, Helm, Civo)
- Ambassador/Emissary ingress controller with SSL termination
- Cert-manager with Let's Encrypt and Gandi webhook for DNS01 challenges
- ExternalDNS integration with Gandi for automatic DNS management
- Keycloak authentication server with PostgreSQL
- Pomerium identity-aware proxy with OIDC integration
- Forgejo Git server with persistent storage and authentication
- Spire/SPIFFE for secure service communication

All services are deployed using Infrastructure as Code principles with
Crossplane managing Kubernetes and Helm resources declaratively.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-09-23 08:43:06 -04:00


# Namespace "auth-system": the namespace that holds Keycloak, its ServiceAccount,
# RBAC objects and admin Secret defined later in this file. Created through the
# Crossplane Kubernetes provider (an Object wrapping a core/v1 Namespace).
# NOTE(review): no pod-security.kubernetes.io/* labels are set on the namespace,
# so no Pod Security Admission level is enforced for the Keycloak pods — confirm
# whether the cluster applies a default elsewhere.
apiVersion: kubernetes.crossplane.io/v1alpha2
kind: Object
metadata:
  name: auth-system-namespace
  namespace: crossplane-system
spec:
  providerConfigRef:
    name: kubernetes-provider
  forProvider:
    manifest:
      apiVersion: v1
      kind: Namespace
      metadata:
        name: auth-system
---
# ServiceAccount "keycloak" in auth-system. The Helm release further down sets
# serviceAccount.create=false and points at this account by name.
# NOTE(review): nothing in this file shows the Keycloak pod needing Kubernetes
# API access (env values and probes are handled by the kubelet). If that holds
# for the chart as configured, automountServiceAccountToken: false on this
# account would keep an API token out of the pod — confirm against the chart.
apiVersion: kubernetes.crossplane.io/v1alpha2
kind: Object
metadata:
  name: keycloak-service-account
  namespace: crossplane-system
spec:
  providerConfigRef:
    name: kubernetes-provider
  forProvider:
    manifest:
      apiVersion: v1
      kind: ServiceAccount
      metadata:
        name: keycloak
        namespace: auth-system
---
# Role "keycloak" in auth-system: read-only (get/list/watch) access to Secrets,
# ConfigMaps and Pods in that namespace. Bound to the keycloak ServiceAccount by
# the RoleBinding that follows.
# NOTE(review): list/watch over every Secret in auth-system is broader than the
# secretKeyRef env entries in the Helm release require (the kubelet resolves
# those, not the pod). If the chart does not read Secrets/ConfigMaps itself,
# drop those resources and keep only what it actually needs — confirm against
# the chart's own RBAC template.
apiVersion: kubernetes.crossplane.io/v1alpha2
kind: Object
metadata:
  name: keycloak-role
  namespace: crossplane-system
spec:
  providerConfigRef:
    name: kubernetes-provider
  forProvider:
    manifest:
      apiVersion: rbac.authorization.k8s.io/v1
      kind: Role
      metadata:
        name: keycloak
        namespace: auth-system
      rules:
        - apiGroups:
            - ""
          resources:
            - secrets
            - configmaps
            - pods
          verbs:
            - get
            - list
            - watch
---
# RoleBinding "keycloak": grants the Role "keycloak" to the ServiceAccount
# "keycloak". Subject, Role and binding all live in auth-system, so the grant
# is confined to that namespace.
apiVersion: kubernetes.crossplane.io/v1alpha2
kind: Object
metadata:
  name: keycloak-role-binding
  namespace: crossplane-system
spec:
  providerConfigRef:
    name: kubernetes-provider
  forProvider:
    manifest:
      apiVersion: rbac.authorization.k8s.io/v1
      kind: RoleBinding
      metadata:
        name: keycloak
        namespace: auth-system
      roleRef:
        apiGroup: rbac.authorization.k8s.io
        kind: Role
        name: keycloak
      subjects:
        - kind: ServiceAccount
          name: keycloak
          namespace: auth-system
---
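# Keycloak bootstrap admin credentials. The Helm release below reads the
# "password" key of this Secret into KEYCLOAK_ADMIN_PASSWORD.
#
# SECURITY: this manifest originally carried the admin password as a plaintext
# literal in version control. Treat that value as compromised and rotate it.
# The placeholder below must be replaced at deploy time (for example from a
# secret-manager-backed resource or a git-ignored local overlay); the real
# password must never be committed to this file.
apiVersion: kubernetes.crossplane.io/v1alpha2
kind: Object
metadata:
  name: keycloak-admin-secret
  namespace: crossplane-system
spec:
  providerConfigRef:
    name: kubernetes-provider
  forProvider:
    manifest:
      apiVersion: v1
      kind: Secret
      metadata:
        name: keycloak-admin-creds
        namespace: auth-system
      type: Opaque
      stringData:
        # placeholder — replace before applying; do not commit the real value
        password: "REPLACE_ME_KEYCLOAK_ADMIN_PASSWORD"
---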
# Keycloak Helm release (codecentric chart), installed by the Crossplane Helm
# provider into the auth-system namespace created at the top of this file.
# The image is pinned to an explicit tag rather than a floating one.
apiVersion: helm.crossplane.io/v1beta1
kind: Release
metadata:
  name: keycloak
  namespace: crossplane-system
spec:
  providerConfigRef:
    name: helm-provider
  forProvider:
    chart:
      name: keycloak
      repository: https://codecentric.github.io/helm-charts
      # quoted to make clear this is a version string, not a number
      version: "18.10.0"
    namespace: auth-system
    values:
      image:
        repository: quay.io/keycloak/keycloak
        tag: "24.0.4"
      # Reuse the ServiceAccount defined earlier in this file instead of letting
      # the chart create its own.
      serviceAccount:
        create: false
        name: keycloak
      # Production mode ("start") behind a TLS-terminating proxy (--proxy=edge),
      # so Keycloak itself listens on plain HTTP (--http-enabled=true).
      # NOTE(review): --hostname-strict=false lets Keycloak derive its public
      # URLs (issuer, redirects) from the incoming Host header. For a production
      # deployment pin the public FQDN with --hostname=<public-fqdn> and drop the
      # two --hostname-strict* flags — confirm the intended hostname first.
      args:
        - start
        - --db=postgres
        - --hostname-strict=false
        - --hostname-strict-https=false
        - --proxy=edge
        - --http-enabled=true
      # Probes are passed as block-scalar strings, the form this chart expects
      # (it renders them as templates). All three probe the master realm over
      # the "http" container port.
      livenessProbe: |
        httpGet:
          path: /realms/master
          port: http
        initialDelaySeconds: 120
        timeoutSeconds: 5
        periodSeconds: 30
        failureThreshold: 10
      readinessProbe: |
        httpGet:
          path: /realms/master
          port: http
        initialDelaySeconds: 90
        timeoutSeconds: 3
        periodSeconds: 10
        failureThreshold: 10
      startupProbe: |
        httpGet:
          path: /realms/master
          port: http
        initialDelaySeconds: 60
        timeoutSeconds: 3
        periodSeconds: 5
        failureThreshold: 30
      # Extra environment (also a templated string for this chart):
      # - bootstrap admin user "admin", password from the keycloak-admin-creds
      #   Secret defined earlier in this file;
      # - database settings for the PostgreSQL instance at keycloak-postgresql.
      # NOTE(review): the Secret keycloak-postgresql / key postgresql-password is
      # not created anywhere in this file — presumably it comes from the chart's
      # bundled PostgreSQL; confirm the name and key match the chart version in use.
      extraEnv: |
        - name: KEYCLOAK_ADMIN
          value: admin
        - name: KEYCLOAK_ADMIN_PASSWORD
          valueFrom:
            secretKeyRef:
              name: keycloak-admin-creds
              key: password
        - name: KC_DB
          value: postgres
        - name: KC_DB_URL
          value: jdbc:postgresql://keycloak-postgresql:5432/keycloak
        - name: KC_DB_USERNAME
          value: keycloak
        - name: KC_DB_PASSWORD
          valueFrom:
            secretKeyRef:
              name: keycloak-postgresql
              key: postgresql-password
      # No chart-managed Ingress; external exposure is handled outside this
      # release (the commit message points at Pomerium — confirm).
      ingress:
        enabled: false