From 159ec7232e3bd4a335561656d34d4f3c40452f93 Mon Sep 17 00:00:00 2001
From: Micke Nordin
Date: Fri, 31 Jan 2025 08:38:15 +0100
Subject: [PATCH] Kustomize test and add cert issuer

---
 keycloak/base/keycloak-cert-issuer.yaml | 15 ++++
 keycloak/base/keycloak-ingress.yaml | 2 +
 keycloak/base/kustomization.yaml | 5 +-
 .../overlays/test/keycloak-deployment.yaml | 85 +++++++++++++++++++
 keycloak/overlays/test/keycloak-ingress.yaml | 23 +++++
 keycloak/overlays/test/kustomization.yaml | 3 +
 6 files changed, 131 insertions(+), 2 deletions(-)
 create mode 100644 keycloak/base/keycloak-cert-issuer.yaml
 create mode 100644 keycloak/overlays/test/keycloak-deployment.yaml
 create mode 100644 keycloak/overlays/test/keycloak-ingress.yaml

diff --git a/keycloak/base/keycloak-cert-issuer.yaml b/keycloak/base/keycloak-cert-issuer.yaml
new file mode 100644
index 0000000..da6abad
--- /dev/null
+++ b/keycloak/base/keycloak-cert-issuer.yaml
@@ -0,0 +1,15 @@
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ name: letsencrypt
+spec:
+ acme:
+ server: https://acme-v02.api.letsencrypt.org/directory
+ email: noc@sunet.se
+ privateKeySecretRef:
+ name: letsencrypt
+ solvers:
+ - http01:
+ ingress:
+ class: nginx
+
diff --git a/keycloak/base/keycloak-ingress.yaml b/keycloak/base/keycloak-ingress.yaml
index 73ea663..f36176e 100644
--- a/keycloak/base/keycloak-ingress.yaml
+++ b/keycloak/base/keycloak-ingress.yaml
@@ -3,6 +3,8 @@ kind: Ingress
 metadata:
 name: keycloak
 namespace: keycloak
+ annotations:
+ cert-manager.io/issuer: "letsencrypt"
 spec:
 tls:
 - hosts:
diff --git a/keycloak/base/kustomization.yaml b/keycloak/base/kustomization.yaml
index 081ebdc..abcf5e1 100644
--- a/keycloak/base/kustomization.yaml
+++ b/keycloak/base/kustomization.yaml
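Review bot: The Issuer is placed in `base` with `server: https://acme-v02.api.letsencrypt.org/directory`, and the `test` overlay in this commit reuses it through the `cert-manager.io/issuer: "letsencrypt"` annotation, so certificates for the test host are issued by the production CA and count against its per-domain rate limits alongside any production issuance. For a test overlay, consider a separate Issuer (or a patch on this one) that sets `server: https://acme-staging-v02.api.letsencrypt.org/directory`, accepting that the resulting chain is not browser-trusted. The hunk also ends with an empty added line (the 15th `+`), which yamllint reports as a trailing blank line.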
@@ -2,7 +2,8 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: keycloak
 resources:
-- keycloak-pvc.yaml
+- keycloak-cert-issuer.yaml
 - keycloak-deployment.yaml
-- keycloak-service.yaml
 - keycloak-ingress.yaml
+- keycloak-pvc.yaml
+- keycloak-service.yaml
diff --git a/keycloak/overlays/test/keycloak-deployment.yaml b/keycloak/overlays/test/keycloak-deployment.yaml
new file mode 100644
index 0000000..6d512b2
--- /dev/null
+++ b/keycloak/overlays/test/keycloak-deployment.yaml
@@ -0,0 +1,85 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: keycloak
+ namespace: keycloak
+ labels:
+ app: keycloak
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: keycloak
+ template:
+ metadata:
+ labels:
+ app: keycloak
+ spec:
+ containers:
+ - name: keycloak
+ # image: quay.io/keycloak/keycloak:23.0.1
+ image: quay.io/keycloak/keycloak:26.1
+ args:
+ - "start"
+ - "--hostname=https://keycloak-test.streams.sunet.se"
+ - "--hostname-admin=https://keycloak-test.streams.sunet.se"
+ - "--verbose"
+ env:
+ - name: KC_HTTP_ENABLED
+ value: "true"
+ - name: KC_HOSTNAME
+ value: "https://keycloak-test.streams.sunet.se"
+ - name: KC_HOSTNAME_ADMIN
+ value: "https://keycloak-test.streams.sunet.se"
+ - name: KC_HOSTNAME_STRICT
+ value: "false"
+ - name: KC_HOSTNAME_STRICT_HTTPS
+ value: "false"
+ - name: KEYCLOAK_USER
+ value: admin
+ - name: KEYCLOAK_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: keycloak-admin-secret
+ key: password
+ - name: KEYCLOAK_ADMIN
+ value: "admin"
+ - name: KEYCLOAK_ADMIN_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: keycloak-admin-secret
+ key: password
+ - name: KC_HEALTH_ENABLED
+ value: "true"
+ - name: KC_PROXY
+ value: "edge"
+ ports:
+ - name: http
+ containerPort: 8080
+ # - name: https
+ # containerPort: 8443
+ # readinessProbe:
+ # httpGet:
+ # path: /health/ready
+ # port: 9000
+ # initialDelaySeconds: 5 # Delay before the probe starts
+ # periodSeconds: 15
+ # timeoutSeconds: 3
+ # successThreshold: 1 # Number of successful probes to consider the pod ready
+ # failureThreshold: 5
+ volumeMounts:
+ # - mountPath: /opt/keycloak/data/h2/
+ # name: storage
+ - name: keycloak-tls-secret
+ mountPath: /etc/ssl/certs
+ readOnly: true
+ securityContext:
+ runAsUser: 1000
+ runAsGroup: 1000
+ volumes:
+ - name: storage
+ persistentVolumeClaim:
+ claimName: keycloak-pvc
+ - name: keycloak-tls-secret
+ secret:
+ secretName: keycloak-tls-secret
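Review bot: The `keycloak-tls-secret` volume is mounted at `mountPath: /etc/ssl/certs`, which is an odd home for a server certificate — a secret volume replaces the whole directory, so it hides whatever CA material the base image keeps there — and it is unneeded anyway when TLS terminates at the ingress (`KC_PROXY: "edge"`, `KC_HTTP_ENABLED: "true"`, only port 8080 exposed); either drop the mount or put it under a dedicated path such as `/opt/keycloak/conf/tls`. The secret name also disagrees with the ingress patch in this same commit, which issues into `secretName: keycloak-tls`, so `keycloak-tls-secret` would have to be created by hand before the pod can start; the same mismatch applies to the `keycloak-overlays/test/keycloak-ingress.yaml` hunk. The pod `securityContext` sets only `runAsUser`/`runAsGroup`; the usual baseline for an internet-facing IdP is sketched below. Finally, `KEYCLOAK_USER`/`KEYCLOAK_PASSWORD` are, as far as I recall, legacy names from the pre-Quarkus distribution and duplicate `KEYCLOAK_ADMIN`/`KEYCLOAK_ADMIN_PASSWORD`, and on a 26.x image `KC_PROXY` and `KC_HOSTNAME_STRICT_HTTPS` are deprecated/removed in favour of `KC_PROXY_HEADERS` and the hostname v2 options — worth confirming against the 26.1 server configuration docs before relying on them.
```yaml
      containers:
        - name: keycloak
          # … unchanged: image, args, env, ports, volumeMounts …
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
      securityContext:
        runAsNonRoot: true
        runAsUser: 1000
        runAsGroup: 1000
        seccompProfile:
          type: RuntimeDefault
      # … unchanged: volumes …
```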
diff --git a/keycloak/overlays/test/keycloak-ingress.yaml b/keycloak/overlays/test/keycloak-ingress.yaml
new file mode 100644
index 0000000..8c05488
--- /dev/null
+++ b/keycloak/overlays/test/keycloak-ingress.yaml
@@ -0,0 +1,23 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: keycloak
+ namespace: keycloak
+ annotations:
+ cert-manager.io/issuer: "letsencrypt"
+spec:
+ tls:
+ - hosts:
+ - keycloak-test.streams.sunet.se
+ secretName: keycloak-tls
+ rules:
+ - host: keycloak-test.streams.sunet.se
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: keycloak
+ port:
+ number: 8080
diff --git a/keycloak/overlays/test/kustomization.yaml b/keycloak/overlays/test/kustomization.yaml
index ecb6313..29c6029 100644
--- a/keycloak/overlays/test/kustomization.yaml
+++ b/keycloak/overlays/test/kustomization.yaml
@@ -5,3 +5,6 @@ commonLabels:
 env: test
 resources:
 - ../../base/
+patches:
+ - path: keycloak-ingress.yml
+ - path: keycloak-deployment.yml
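Review bot: The `cert-manager.io/issuer: "letsencrypt"` annotation in this patch repeats what the base ingress gains in the same commit, so it can be dropped here to keep the overlay to the test-specific fields; `spec.tls` and `spec.rules`, by contrast, do need to be stated in full, since as far as I know both lists are atomic under strategic merge and a partial entry would replace the base block rather than extend it. A one-line `# overrides host and TLS secret for the test environment` comment at the top of the patch would make that intent clear to the next reader.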
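Review bot: The new `patches` entries reference `keycloak-ingress.yml` and `keycloak-deployment.yml`, but the files this commit creates are `keycloak-ingress.yaml` and `keycloak-deployment.yaml`, so `kustomize build` of the test overlay will fail on a missing patch file and nothing in the overlay is actually applied. Change them to `- path: keycloak-ingress.yaml` and `- path: keycloak-deployment.yaml`, and consider a CI step that runs `kustomize build` for each overlay so this class of typo is caught before merge.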