Diffstat (limited to 'kubernetes/namespaces/tooling')
| -rw-r--r-- | kubernetes/namespaces/tooling/keycloak/README.md | 7 | ||||
| -rw-r--r-- | kubernetes/namespaces/tooling/keycloak/configmap.yaml | 23 | ||||
| -rw-r--r-- | kubernetes/namespaces/tooling/keycloak/deployment.yaml | 51 | ||||
| -rw-r--r-- | kubernetes/namespaces/tooling/keycloak/ingress.yaml | 28 | ||||
| -rw-r--r-- | kubernetes/namespaces/tooling/keycloak/secrets.yaml | bin | 0 -> 355 bytes | |||
| -rw-r--r-- | kubernetes/namespaces/tooling/keycloak/service.yaml | 13 | 
6 files changed, 122 insertions, 0 deletions
| diff --git a/kubernetes/namespaces/tooling/keycloak/README.md b/kubernetes/namespaces/tooling/keycloak/README.md
new file mode 100644
index 0000000..fec187d
--- /dev/null
+++ b/kubernetes/namespaces/tooling/keycloak/README.md
@@ -0,0 +1,7 @@
+# Keycloak
+
+This folder contains manifests for the deployment of
+[Keycloak](https://keycloak.org).
+
+We use this as an OpenID and SAML provider to authenticate to other services
+with SSO.
diff --git a/kubernetes/namespaces/tooling/keycloak/configmap.yaml b/kubernetes/namespaces/tooling/keycloak/configmap.yaml
new file mode 100644
index 0000000..b68ea27
--- /dev/null
+++ b/kubernetes/namespaces/tooling/keycloak/configmap.yaml
@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: keycloak-config-env
+  namespace: tooling
+data:
+  # Set the hostname for outbound traffic and enable the feature to read that
+  # environment variable
+  KC_HOSTNAME: "id.pydis.wtf"
+  KC_FEATURES: "hostname:v2"
+
+  # Set the location of the TLS certificates generated by Vault
+  KC_HTTPS_CERTIFICATE_FILE: "/vault/secrets/server.crt"
+  KC_HTTPS_CERTIFICATE_KEY_FILE:  "/vault/secrets/server.key"
+
+  # Proxy settings
+  KC_PROXY_HEADERS: "xforwarded"
+
+  # Database configuration
+  KC_DB: "postgres"
+  KC_DB_USERNAME: "keycloak"
+  KC_DB_URL_DATABASE: "keycloak"
+  KC_DB_URL_HOST: "lovelace.box.pydis.wtf"
diff --git a/kubernetes/namespaces/tooling/keycloak/deployment.yaml b/kubernetes/namespaces/tooling/keycloak/deployment.yaml
new file mode 100644
index 0000000..f5cdca3
--- /dev/null
+++ b/kubernetes/namespaces/tooling/keycloak/deployment.yaml
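Review bot: The comment above KC_HOSTNAME in the ConfigMap hunk says it sets "the hostname for outbound traffic", which does not describe the option: KC_HOSTNAME is the public address Keycloak advertises when it builds its own URLs (issuer, redirect and discovery endpoints), so a wrong value here changes token issuers rather than any outbound connection. I would reword it to `# Public hostname Keycloak advertises in the URLs it issues (issuer, redirects, discovery)`. As far as I recall `hostname:v2` is already the default feature set on 25.x, so the KC_FEATURES line may be redundant — worth confirming against the 25.0.1 release notes before removing it. Also `KC_HTTPS_CERTIFICATE_KEY_FILE:  "/vault/secrets/server.key"` has two spaces after the colon; harmless to YAML but inconsistent with the neighbouring keys.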
@@ -0,0 +1,51 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: keycloak
+  labels:
+    app: keycloak
+  namespace: tooling
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: keycloak
+  template:
+    metadata:
+      labels:
+        app: keycloak
+      annotations:
+        vault.hashicorp.com/agent-inject: "true"
+        vault.hashicorp.com/agent-init-first: "true"
+        vault.hashicorp.com/agent-inject-secret-server.key: "internal-tls/issue/internal-tls"
+        vault.hashicorp.com/agent-inject-template-server.key: |
+          {{- with secret "internal-tls/issue/internal-tls" "common_name=id.pydis.wtf" -}}
+          {{ .Data.private_key }}
+          {{- end }}
+        vault.hashicorp.com/agent-inject-secret-server.crt: "internal-tls/issue/internal-tls"
+        vault.hashicorp.com/agent-inject-template-server.crt: |
+          {{- with secret "internal-tls/issue/internal-tls" "common_name=id.pydis.wtf" -}}
+          {{ .Data.certificate }}
+          {{- end }}
+        vault.hashicorp.com/role: "internal-tls-issuer"
+    spec:
+      serviceAccountName: internal-tls-issuer
+      containers:
+        - name: keycloak
+          image: quay.io/keycloak/keycloak:25.0.1
+          args: ["start"]
+          envFrom:
+            - secretRef:
+                name: keycloak-secret-env
+            - configMapRef:
+                name: keycloak-config-env
+          ports:
+            - name: http
+              containerPort: 8080
+            - name: https
+              containerPort: 8443
+          readinessProbe:
+            httpGet:
+              path: /realms/master
+              port: 8443
+              scheme: HTTPS
diff --git a/kubernetes/namespaces/tooling/keycloak/ingress.yaml b/kubernetes/namespaces/tooling/keycloak/ingress.yaml
new file mode 100644
index 0000000..fcbf3de
--- /dev/null
+++ b/kubernetes/namespaces/tooling/keycloak/ingress.yaml
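Review bot: The keycloak container in the Deployment hunk sets neither a securityContext nor resources, so the pod runs with whatever user and capabilities the image defaults to and has no memory or CPU bound on a node it shares with the rest of the tooling namespace. Since this pod holds a Vault-issued private key under /vault/secrets, I would at least assert runAsNonRoot (the official image declares a numeric USER, to my knowledge — confirm), drop all capabilities and disable privilege escalation, and give the JVM an explicit memory limit; the values below are illustrative, not measured. A livenessProbe next to the existing readinessProbe would also let the kubelet restart a wedged JVM instead of only removing it from the Service.

```yaml
        - name: keycloak
          image: quay.io/keycloak/keycloak:25.0.1
          # … unchanged: args, envFrom, ports, readinessProbe …
          securityContext:
            runAsNonRoot: true
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
          resources:  # illustrative values — size from observed usage
            requests:
              cpu: "500m"
              memory: "1Gi"
            limits:
              memory: "2Gi"
          livenessProbe:
            httpGet:
              path: /realms/master
              port: 8443
              scheme: HTTPS
            initialDelaySeconds: 60
            periodSeconds: 30
```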
@@ -0,0 +1,28 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  annotations:
+    nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
+    nginx.ingress.kubernetes.io/auth-tls-secret: "kube-system/mtls-client-crt-bundle"
+    nginx.ingress.kubernetes.io/auth-tls-error-page: "https://www.youtube.com/watch?v=dQw4w9WgXcQ"
+    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
+    nginx.ingress.kubernetes.io/proxy-buffers-number: "4"
+    nginx.ingress.kubernetes.io/proxy-buffer-size: "16k"
+  name: keycloak
+  namespace: tooling
+spec:
+  tls:
+  - hosts:
+      - "*.pydis.wtf"
+    secretName: pydis.wtf-tls
+  rules:
+  - host: id.pydis.wtf
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: keycloak
+            port:
+              number: 8443
diff --git a/kubernetes/namespaces/tooling/keycloak/secrets.yaml b/kubernetes/namespaces/tooling/keycloak/secrets.yaml
Binary files differ
new file mode 100644
index 0000000..1b1f09a
--- /dev/null
+++ b/kubernetes/namespaces/tooling/keycloak/secrets.yaml
diff --git a/kubernetes/namespaces/tooling/keycloak/service.yaml b/kubernetes/namespaces/tooling/keycloak/service.yaml
new file mode 100644
index 0000000..5543bc5
--- /dev/null
+++ b/kubernetes/namespaces/tooling/keycloak/service.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: keycloak
+  namespace: tooling
+spec:
+  ports:
+    - name: http
+      port: 8080
+    - name: https
+      port: 8443
+  selector:
+    app: keycloak |
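Review bot: `backend-protocol: "HTTPS"` in the Ingress hunk encrypts the hop to the pod, but ingress-nginx does not verify the upstream certificate unless told to, so the Vault-issued certificate the Deployment goes to some trouble to obtain is never actually checked at the ingress and the hop is confidential but not authenticated. If the internal CA is available as a Secret, add `nginx.ingress.kubernetes.io/proxy-ssl-verify: "on"`, `nginx.ingress.kubernetes.io/proxy-ssl-secret: "<namespace>/<internal-ca-secret>"` and `nginx.ingress.kubernetes.io/proxy-ssl-name: "id.pydis.wtf"` next to the existing annotations (check the ingress-nginx docs for the exact keys that secret must carry). The `*.pydis.wtf` wildcard in `tls.hosts` and the mTLS client check are fine as written.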
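Review bot: The Service hunk publishes port 8080 as `http`, and the Deployment hunk declares the matching containerPort, but Keycloak launched with `start` and only HTTPS certificate settings in the ConfigMap serves HTTPS only unless `KC_HTTP_ENABLED` is set, so nothing should be listening there and the entry reads like a plaintext path into the IdP. Unless plain HTTP is wanted in-cluster, drop the `http` entry from both manifests so the only advertised endpoint is 8443, which is what the Ingress already targets. If it is intended, it should be documented in the README and fenced with a NetworkPolicy, because `KC_PROXY_HEADERS: "xforwarded"` makes Keycloak trust X-Forwarded-* headers from any caller that reaches the pod without passing through the ingress.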
