authorGravatar Joe Banks <[email protected]>2024-06-27 03:24:28 +0100
committerGravatar Joe Banks <[email protected]>2024-06-27 03:24:28 +0100
commit51533ae3db1737a64a747506992efe045df591cf (patch)
treee40bafe44f7e6638b8fe45e76cd7f7d1fea73bc7 /kubernetes/namespaces/tooling
parentScale AM back to 3 replicas (diff)
Add deployment of Keycloak
Diffstat (limited to 'kubernetes/namespaces/tooling')
-rw-r--r--kubernetes/namespaces/tooling/keycloak/README.md7
-rw-r--r--kubernetes/namespaces/tooling/keycloak/configmap.yaml23
-rw-r--r--kubernetes/namespaces/tooling/keycloak/deployment.yaml51
-rw-r--r--kubernetes/namespaces/tooling/keycloak/ingress.yaml28
-rw-r--r--kubernetes/namespaces/tooling/keycloak/secrets.yamlbin0 -> 355 bytes
-rw-r--r--kubernetes/namespaces/tooling/keycloak/service.yaml13
6 files changed, 122 insertions, 0 deletions
diff --git a/kubernetes/namespaces/tooling/keycloak/README.md b/kubernetes/namespaces/tooling/keycloak/README.md
new file mode 100644
index 0000000..fec187d
--- /dev/null
+++ b/kubernetes/namespaces/tooling/keycloak/README.md
@@ -0,0 +1,7 @@
+# Keycloak
+
+This folder contains manifests for the deployment of
+[Keycloak](https://keycloak.org).
+
+We use this as an OpenID and SAML provider to authenticate to other services
+with SSO.
diff --git a/kubernetes/namespaces/tooling/keycloak/configmap.yaml b/kubernetes/namespaces/tooling/keycloak/configmap.yaml
new file mode 100644
index 0000000..b68ea27
--- /dev/null
+++ b/kubernetes/namespaces/tooling/keycloak/configmap.yaml
@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: keycloak-config-env
+ namespace: tooling
+data:
+ # Set the hostname for outbound traffic and enable the feature to read that
+ # environment variable
+ KC_HOSTNAME: "id.pydis.wtf"
+ KC_FEATURES: "hostname:v2"
+
+ # Set the location of the TLS certificates generated by Vault
+ KC_HTTPS_CERTIFICATE_FILE: "/vault/secrets/server.crt"
+ KC_HTTPS_CERTIFICATE_KEY_FILE: "/vault/secrets/server.key"
+
+ # Proxy settings
+ KC_PROXY_HEADERS: "xforwarded"
+
+ # Database configuration
+ KC_DB: "postgres"
+ KC_DB_USERNAME: "keycloak"
+ KC_DB_URL_DATABASE: "keycloak"
+ KC_DB_URL_HOST: "lovelace.box.pydis.wtf"
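Review bot: `KC_PROXY_HEADERS: "xforwarded"` makes Keycloak accept X-Forwarded-For/Proto from whichever peer opens the connection, and nothing in this commit restricts who can connect to the pod, so any workload that can reach the Service can present a forged client address to Keycloak's login events. The ingress controller is the only intended peer; a NetworkPolicy on the `app: keycloak` pods admitting ingress only from the ingress-nginx namespace would close that, and the assumption deserves a line above the key: `# Trusts X-Forwarded-* from any peer; pods must only be reachable through the ingress controller`. Separately, `KC_DB_URL_HOST` names an external database host with no connection properties, so whether the JDBC link is encrypted depends entirely on server-side defaults; if that host is reached over a shared network, `KC_DB_URL_PROPERTIES: "?sslmode=require"` makes the expectation explicit.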
diff --git a/kubernetes/namespaces/tooling/keycloak/deployment.yaml b/kubernetes/namespaces/tooling/keycloak/deployment.yaml
new file mode 100644
index 0000000..f5cdca3
--- /dev/null
+++ b/kubernetes/namespaces/tooling/keycloak/deployment.yaml
@@ -0,0 +1,51 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: keycloak
+ labels:
+ app: keycloak
+ namespace: tooling
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: keycloak
+ template:
+ metadata:
+ labels:
+ app: keycloak
+ annotations:
+ vault.hashicorp.com/agent-inject: "true"
+ vault.hashicorp.com/agent-init-first: "true"
+ vault.hashicorp.com/agent-inject-secret-server.key: "internal-tls/issue/internal-tls"
+ vault.hashicorp.com/agent-inject-template-server.key: |
+ {{- with secret "internal-tls/issue/internal-tls" "common_name=id.pydis.wtf" -}}
+ {{ .Data.private_key }}
+ {{- end }}
+ vault.hashicorp.com/agent-inject-secret-server.crt: "internal-tls/issue/internal-tls"
+ vault.hashicorp.com/agent-inject-template-server.crt: |
+ {{- with secret "internal-tls/issue/internal-tls" "common_name=id.pydis.wtf" -}}
+ {{ .Data.certificate }}
+ {{- end }}
+ vault.hashicorp.com/role: "internal-tls-issuer"
+ spec:
+ serviceAccountName: internal-tls-issuer
+ containers:
+ - name: keycloak
+ image: quay.io/keycloak/keycloak:25.0.1
+ args: ["start"]
+ envFrom:
+ - secretRef:
+ name: keycloak-secret-env
+ - configMapRef:
+ name: keycloak-config-env
+ ports:
+ - name: http
+ containerPort: 8080
+ - name: https
+ containerPort: 8443
+ readinessProbe:
+ httpGet:
+ path: /realms/master
+ port: 8443
+ scheme: HTTPS
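Review bot: The container at `- name: keycloak` declares no `securityContext`, no `resources` and no `livenessProbe`, so nothing in the manifest forbids privilege escalation, bounds memory for a JVM workload, or restarts a hung process (the readiness probe only removes it from the Service). The image is also referenced by tag `25.0.1` rather than digest, so the deployed bytes can change without a manifest change; `image: quay.io/keycloak/keycloak:25.0.1@sha256:<digest>` pins them. Suggested additions below; the resource figures are placeholders to be sized from observed usage, and the pod-level `seccompProfile` assumes the node runtime supports `RuntimeDefault`.
```yaml
    spec:
      serviceAccountName: internal-tls-issuer
      securityContext:
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: keycloak
          image: quay.io/keycloak/keycloak:25.0.1
          # … unchanged: args, envFrom, ports, readinessProbe …
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
          resources:
            requests:
              cpu: "500m"      # placeholder
              memory: "1Gi"    # placeholder
            limits:
              memory: "2Gi"    # placeholder
          livenessProbe:
            httpGet:
              path: /realms/master
              port: 8443
              scheme: HTTPS
            initialDelaySeconds: 60
            periodSeconds: 15
```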
diff --git a/kubernetes/namespaces/tooling/keycloak/ingress.yaml b/kubernetes/namespaces/tooling/keycloak/ingress.yaml
new file mode 100644
index 0000000..fcbf3de
--- /dev/null
+++ b/kubernetes/namespaces/tooling/keycloak/ingress.yaml
@@ -0,0 +1,28 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ annotations:
+ nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
+ nginx.ingress.kubernetes.io/auth-tls-secret: "kube-system/mtls-client-crt-bundle"
+ nginx.ingress.kubernetes.io/auth-tls-error-page: "https://www.youtube.com/watch?v=dQw4w9WgXcQ"
+ nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
+ nginx.ingress.kubernetes.io/proxy-buffers-number: "4"
+ nginx.ingress.kubernetes.io/proxy-buffer-size: "16k"
+ name: keycloak
+ namespace: tooling
+spec:
+ tls:
+ - hosts:
+ - "*.pydis.wtf"
+ secretName: pydis.wtf-tls
+ rules:
+ - host: id.pydis.wtf
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: keycloak
+ port:
+ number: 8443
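Review bot: `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"` encrypts the hop to the pod, but ingress-nginx does not verify the upstream certificate unless told to, so the Vault-issued certificate for `id.pydis.wtf` that deployment.yaml goes to some trouble to mount is never actually checked and any endpoint behind the `keycloak` Service is accepted whatever it presents. Adding `nginx.ingress.kubernetes.io/proxy-ssl-verify: "on"`, `nginx.ingress.kubernetes.io/proxy-ssl-secret: "<namespace>/<secret whose ca.crt is the internal-tls issuing CA>"` and `nginx.ingress.kubernetes.io/proxy-ssl-name: "id.pydis.wtf"` turns the backend TLS into authenticated TLS. The secret reference is a placeholder; it needs the CA that signs certificates from the `internal-tls/issue/internal-tls` role.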
diff --git a/kubernetes/namespaces/tooling/keycloak/secrets.yaml b/kubernetes/namespaces/tooling/keycloak/secrets.yaml
new file mode 100644
index 0000000..1b1f09a
--- /dev/null
+++ b/kubernetes/namespaces/tooling/keycloak/secrets.yaml
Binary files differ
diff --git a/kubernetes/namespaces/tooling/keycloak/service.yaml b/kubernetes/namespaces/tooling/keycloak/service.yaml
new file mode 100644
index 0000000..5543bc5
--- /dev/null
+++ b/kubernetes/namespaces/tooling/keycloak/service.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: keycloak
+ namespace: tooling
+spec:
+ ports:
+ - name: http
+ port: 8080
+ - name: https
+ port: 8443
+ selector:
+ app: keycloak
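Review bot: The Service publishes `http` on 8080 although the Ingress only targets 8443 and the ConfigMap configures TLS. Unless `KC_HTTP_ENABLED` is set somewhere outside this commit, Keycloak in production `start` mode does not appear to listen on HTTP, in which case the port is dead; if it does listen, it is an unencrypted in-cluster path that also bypasses the ingress-side client-certificate check. Either way, dropping the two lines `- name: http` / `port: 8080` here (and the matching `containerPort: 8080` in deployment.yaml) leaves only the path the rest of the commit actually secures.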