(ruka) add keycloak

Author: jhoblitt

fleet/lib/keycloak-pg/cluster-keycloak-pg.yaml

@@ -0,0 +1,48 @@
+---
+apiVersion: postgresql.cnpg.io/v1
+kind: Cluster
+metadata:
+  name: keycloak-pg
+spec:
+  imageName: ghcr.io/cloudnative-pg/postgresql:15
+
+  instances: 3
+
+  bootstrap:
+    initdb:
+      database: keycloak
+      owner: keycloak
+      secret:
+        name: keycloak-pg
+
+  postgresql:
+    parameters:
+      max_connections: "500"
+      shared_buffers: 256MB
+      idle_session_timeout: 4h
+    pg_hba:
+      - host replication postgres all md5
+      - host all all 139.229.134.0/23 md5
+      - host all all 139.229.136.0/21 md5
+      - host all all 139.229.144.0/20 md5
+      - host all all 139.229.160.0/19 md5
+      - host all all 139.229.192.0/18 md5
+      - host all all 140.252.146.0/23 md5
+
+  enableSuperuserAccess: true
+  superuserSecret:
+    name: keycloak-pg-superuser
+
+  storage:
+    size: 1Gi
+
+  monitoring:
+    enablePodMonitor: true
+
+  resources:
+    limits:
+      cpu: "1"
+      memory: 1Gi
+    requests:
+      cpu: 500m
+      memory: 1Gi

fleet/lib/keycloak-pg/cronjob-keycloak-pg-backup.yaml

@@ -0,0 +1,37 @@
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: keycloak-pg-backup
+spec:
+  concurrencyPolicy: Forbid
+  schedule: "0 12,21 * * *" #9AM CLT - 6PM CLT
+  jobTemplate:
+    spec:
+      ttlSecondsAfterFinished: 172800
+      template:
+        spec:
+          activeDeadlineSeconds: 3600
+          containers:
+            - name: cnpg-backup
+              image: docker.io/lsstit/cnpg-backup:0.5
+              volumeMounts:
+                - name: ephemeral
+                  mountPath: /tmp
+              imagePullPolicy: IfNotPresent
+              envFrom:
+                - secretRef:
+                    name: keycloak-pg-backup
+              env:
+                - name: HOST
+                  value: cnpg-loadbalancer.cloudnativepg.svc.cluster.local
+          volumes:
+            - name: ephemeral
+              ephemeral:
+                volumeClaimTemplate:
+                  spec:
+                    accessModes: [ReadWriteOnce]
+                    resources:
+                      requests:
+                        storage: 5Gi
+          restartPolicy: OnFailure

fleet/lib/keycloak-pg/externalsecret-keycloak-pg.yaml

@@ -0,0 +1,21 @@
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: keycloak-pg
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: onepassword
+  target:
+    template:
+      type: kubernetes.io/basic-auth
+  data:
+    - secretKey: username
+      remoteRef:
+        key: &item keycloak-pg
+        property: username
+    - secretKey: password
+      remoteRef:
+        key: *item
+        property: password

fleet/lib/keycloak-pg/fleet.yaml

@@ -0,0 +1,19 @@
+---
+defaultNamespace: &name keycloak-pg
+namespaceLabels:
+  lsst.io/discover: "true"
+labels:
+  bundle: *name
+helm:
+  releaseName: *name
+  waitForJobs: true
+dependsOn:
+  - selector:
+      matchLabels:
+        bundle: cnpg-system
+targetCustomizations:
+  - name: ruka
+    clusterName: ruka
+    yaml:
+      overlays:
+        - ruka

fleet/lib/keycloak-pg/overlays/ruka/externalsecret-keycloak-pg-backup.yaml

@@ -0,0 +1,22 @@
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: keycloak-pg-backup
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: onepassword
+  data:
+    - secretKey: AWS_ACCESS_KEY_ID
+      remoteRef:
+        key: cnpg-aws-creds-ruka
+        property: username
+    - secretKey: AWS_SECRET_ACCESS_KEY
+      remoteRef:
+        key: cnpg-aws-creds-ruka
+        property: password
+    - secretKey: AWS_ACCESS_BUCKET
+      remoteRef:
+        key: cnpg-aws-creds-ruka
+        property: website

fleet/lib/keycloak-pg/overlays/ruka/externalsecret-keycloak-pg-superuser.yaml

@@ -0,0 +1,21 @@
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: keycloak-pg-superuser
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: onepassword
+  target:
+    template:
+      type: kubernetes.io/basic-auth
+  data:
+    - secretKey: username
+      remoteRef:
+        key: cnpg-cluster-superuser-ruka
+        property: username
+    - secretKey: password
+      remoteRef:
+        key: cnpg-cluster-superuser-ruka
+        property: password

fleet/lib/keycloak-pg/overlays/ruka/service-keycloak-pg.yaml

@@ -0,0 +1,18 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: keycloak-pg
+  labels:
+    cnpg.io/cluster: keycloak-pg
+  annotations:
+    metallb.universe.tf/loadBalancerIPs: 139.229.134.152
+spec:
+  ports:
+    - name: postgres
+      port: 5432
+      protocol: TCP
+  selector:
+    cnpg.io/cluster: keycloak-pg
+    role: primary
+  type: LoadBalancer

fleet/lib/keycloak-pre/externalsecret-keycloak-admin.yaml

@@ -0,0 +1,18 @@
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: keycloak-admin
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: onepassword
+  data:
+    - secretKey: username
+      remoteRef:
+        key: &item keycloak-admin
+        property: username
+    - secretKey: password
+      remoteRef:
+        key: *item
+        property: password

fleet/lib/keycloak-pre/externalsecret-keycloak-pg.yaml

@@ -0,0 +1,18 @@
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: keycloak-pg
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: onepassword
+  data:
+    - secretKey: username
+      remoteRef:
+        key: &item keycloak-pg
+        property: username
+    - secretKey: password
+      remoteRef:
+        key: *item
+        property: password

fleet/lib/keycloak-pre/fleet.yaml

@@ -0,0 +1,9 @@
+---
+defaultNamespace: keycloak
+labels:
+  bundle: &name keycloak-pre
+namespaceLabels:
+  lsst.io/discover: "true"
+helm:
+  releaseName: *name
+  waitForJobs: true