add keycloak

This commit is contained in:
ace 2024-05-06 03:00:10 +03:00
parent 14c3ebe2cc
commit 3ac1b27b4c
Signed by: ace
GPG Key ID: 2C08973DD37A76FD
6 changed files with 244 additions and 3 deletions

View File

@ -0,0 +1,46 @@
keycloak_values: {}
keycloak_realms: {}
# - id: myrealm
# realm: myrealm
keycloak_clients: {}
# - client_id: gitea
# realm: myrealm
# public_client: true
# - client_id: gitea
# realm: myrealm
# public_client: false
keycloak_clients_default_protocol_mappings: {}
# - config:
# access.token.claim: true
# claim.name: "groups"
# id.token.claim: true
# jsonType.label: String
# user.attribute: groups
# userinfo.token.claim: true
# name: groups
# protocol: openid-connect
# protocolMapper: oidc-usermodel-attribute-mapper
keycloak_groups: {}
# - name: admins
# realm: myrealm
# - name: devops
# realm: myrealm
keycloak_users: {}
# - username: John Doe
# realm: myrealm
# firstName: John
# lastName: Doe
# credentials:
# - type: password
# value: my_very_strong_password
# temporary: true
# groups:
# - name: admins
# state: present
# - name: devops
# state: present

View File

@ -0,0 +1,5 @@
---
- hosts: k8s
connection: local
roles:
- keycloak

View File

@ -19,3 +19,9 @@
name: minio name: minio
when: minio_enabled | default(true) when: minio_enabled | default(true)
tags: minio tags: minio
- name: Deploy Keycloak
import_role:
name: keycloak
when: keycloak_enabled | default(false)
tags: keycloak

View File

@ -0,0 +1,63 @@
keycloak_enabled: true
keycloak_publish: false
keycloak_console_publish: false
keycloak_use_external_db: true
keycloak_chart_ref: "codecentric/keycloakx"
keycloak_short_name: "keycloak"
keycloak_console_short_name: "console"
keycloak_default_values:
command:
- /opt/keycloak/bin/kc.sh
- start
- --http-enabled=true
- --http-port=8080
- --hostname={{ keycloak_short_name }}.{{ domain }}
- --hostname-strict=false
- --hostname-strict-https=false
database:
database: "keycloak"
hostname: "{{ postgres_db_team | default(namespace) }}-postgres.{{ postgres_db_namespace | default(namespace) }}"
username: "{{ keycloak_db_username | default(omit) }}"
password: "{{ keycloak_db_password | default(omit) }}"
port: 5432
vendor: postgres
extraEnv: |
- name: KEYCLOAK_ADMIN
value: admin
- name: KEYCLOAK_ADMIN_PASSWORD
value: {{ keycloak_admin_password }}
- name: JAVA_OPTS_APPEND
value: >-
-Djgroups.dns.query={{ keycloak_short_name }}-keycloakx-headless
ingress:
annotations:
cert-manager.io/cluster-issuer: letsencrypt-prod
enabled: true
ingressClassName: "{{ external_ingress_class if minio_publish else internal_ingress_class }}"
rules:
- host: "{{ keycloak_short_name }}.{{ domain }}"
paths:
- path: /auth/
pathType: Prefix
servicePort: http
tls:
- hosts:
- "{{ keycloak_short_name }}.{{ domain }}"
secretName: "{{ keycloak_short_name }}.{{ domain }}-tls"
keycloak_realms: {}
keycloak_clients: {}
keycloak_clients_default_protocol_mappings: {}
# - config:
# access.token.claim: true
# claim.name: "groups"
# id.token.claim: true
# jsonType.label: String
# user.attribute: groups
# userinfo.token.claim: true
# name: groups
# protocol: openid-connect
# protocolMapper: oidc-usermodel-attribute-mapper
keycloak_users: {}
keycloak_groups: {}

View File

@ -0,0 +1,96 @@
- name: Import secret.yaml to obtain secrets
include_tasks: secrets.yaml
when:
- keycloak_use_external_db
- postgres_enabled is defined and postgres_enabled
- set_fact:
keycloak_combined_values: "{{ keycloak_default_values | combine(keycloak_values, recursive=true) }}"
- name: Deploy Keycloak
kubernetes.core.helm:
release_namespace: "{{ keycloak_namespace | default(namespace) }}"
release_name: "{{ keycloak_name | default('keycloak') }}"
chart_ref: "{{ keycloak_chart_ref }}"
chart_version: "{{ keycloak_version | default(omit) }}"
release_values: "{{ keycloak_combined_values | from_yaml }}"
- name: Wait Keycloak until HTTP status is 200
uri:
url: "https://{{ keycloak_short_name }}.{{ domain }}/auth"
return_content: yes
validate_certs: no
status_code:
- 200
until: uri_output.status == 200
retries: 24 # Retries for 24 * 5 seconds = 120 seconds = 2 minutes
delay: 5 # Every 5 seconds
register: uri_output
- name: Create or update Keycloak client, authentication with credentials
community.general.keycloak_client:
client_id: admin-cli
auth_keycloak_url: "https://{{ keycloak_short_name }}.{{ domain }}/auth"
auth_realm: master
auth_username: admin
auth_password: "{{ keycloak_admin_password }}"
state: present
- name: Create or update Keycloak realms
community.general.keycloak_realm:
auth_client_id: admin-cli
auth_keycloak_url: "https://{{ keycloak_short_name }}.{{ domain }}/auth"
auth_realm: master
auth_username: admin
auth_password: "{{ keycloak_admin_password }}"
id: "{{ item.id }}"
realm: "{{ item.realm }}"
state: "{{ item.state | default('present') }}"
enabled: "{{ item.enabled | default(true) }}"
loop: "{{ keycloak_realms }}"
- name: Create or update Keycloak clients
community.general.keycloak_client:
auth_client_id: admin-cli
auth_keycloak_url: "https://{{ keycloak_short_name }}.{{ domain }}/auth"
auth_realm: master
auth_username: admin
auth_password: "{{ keycloak_admin_password }}"
client_id: "{{ item.client_id + '-public' if item.public_client else item.client_id }}"
realm: "{{ item.realm }}"
name: "{{ \"'${client_\" + item.client_id + \"'\" if item.public_client else \"'${client_\" + item.client_id + \"_public'\" }}"
protocol: openid-connect
public_client: "{{ item.public_client | default(false) }}"
standard_flow_enabled: "{{ item.standard_flow_enabled | default(true) }}"
implicit_flow_enabled: "{{ item.implicit_flow_enabled | default(true) }}"
direct_access_grants_enabled: "{{ item.direct_access_grants_enabled | default(true) }}"
state: "{{ item.state | default('present') }}"
protocol_mappers: "{{ keycloak_clients_default_protocol_mappings }}"
loop: "{{ keycloak_clients }}"
- name: Create Keycloak groups
community.general.keycloak_group:
auth_client_id: admin-cli
auth_keycloak_url: "https://{{ keycloak_short_name }}.{{ domain }}/auth"
auth_realm: master
auth_username: admin
auth_password: "{{ keycloak_admin_password }}"
realm: "{{ item.realm }}"
name: "{{ item.name }}"
state: "{{ item.state | default('present') }}"
loop: "{{ keycloak_groups }}"
- name: Create Keycloak users
community.general.keycloak_user:
auth_client_id: admin-cli
auth_keycloak_url: "https://{{ keycloak_short_name }}.{{ domain }}/auth"
auth_realm: master
auth_username: admin
auth_password: "{{ keycloak_admin_password }}"
realm: "{{ item.realm }}"
state: "{{ item.state | default('present') }}"
username: "{{ item.username }}"
firstName: "{{ item.firstName }}"
lastName: "{{ item.lastName }}"
email: "{{ item.email | default( item.username + '@' + domain) }}"
enabled: "{{ item.enabled | default(true) }}"
emailVerified: "{{ item.emailVerified | default(true) }}"
credentials: "{{ item.credentials }}"
groups: "{{ item.groups }}"
loop: "{{ keycloak_users }}"

View File

@ -0,0 +1,25 @@
- block:
- name: Set DB namespace for secret lookup
set_fact:
db_namespace: "{{ keycloak_db_namespace | default(postgres_db_namespace) | default(postgres_namespace) | default(postgres_operator_namespace) | default(namespace) }}"
- name: Set DB secret name for lookup
set_fact:
db_secret_name: "keycloak.{{ postgres_db_team | default(namespace) }}-postgres.credentials.postgresql.acid.zalan.do"
- name: Lookup Keycloak DB secret
set_fact:
keycloak_db_secret: "{{ lookup('k8s', kind='Secret', namespace=db_namespace, resource_name=db_secret_name) }}"
- debug:
msg: "{{ keycloak_db_secret }}"
verbosity: 2
- name: Set Keycloak DB username
set_fact:
keycloak_db_username: "{{ keycloak_db_secret.data.username | b64decode }}"
- name: Set Keycloak DB password
set_fact:
keycloak_db_password: "{{ keycloak_db_secret.data.password | b64decode }}"