From cad2dadda1316c0605db6ac1e8a4fb6eb656579b Mon Sep 17 00:00:00 2001
From: Patrick Spek
Date: Thu, 3 Aug 2023 10:02:57 +0200
Subject: Add keycloak deployment
---
.../oolah/auth-system/keycloak/deployment.yaml | 57 ++++++++++++++++++++++
.../oolah/auth-system/keycloak/ingress.yaml | 31 ++++++++++++
.../oolah/auth-system/keycloak/service.yaml | 22 +++++++++
.../treafik/middleware-headers-keycloak.yaml | 12 +++++
4 files changed, 122 insertions(+)
create mode 100644 data.d/k3s-master/manifests.d/oolah/auth-system/keycloak/deployment.yaml
create mode 100644 data.d/k3s-master/manifests.d/oolah/auth-system/keycloak/ingress.yaml
create mode 100644 data.d/k3s-master/manifests.d/oolah/auth-system/keycloak/service.yaml
create mode 100644 data.d/k3s-master/manifests.d/oolah/kube-system/treafik/middleware-headers-keycloak.yaml
diff --git a/data.d/k3s-master/manifests.d/oolah/auth-system/keycloak/deployment.yaml b/data.d/k3s-master/manifests.d/oolah/auth-system/keycloak/deployment.yaml
new file mode 100644
index 0000000..cb9c1ad
--- /dev/null
+++ b/data.d/k3s-master/manifests.d/oolah/auth-system/keycloak/deployment.yaml
@@ -0,0 +1,57 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: keycloak
+ namespace: auth-system
+ labels:
+ app.kubernetes.io/created-by: tyil
+ app.kubernetes.io/managed-by: manual
+ app.kubernetes.io/name: keycloak
+ app.kubernetes.io/part-of: auth-system
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/created-by: tyil
+ app.kubernetes.io/managed-by: manual
+ app.kubernetes.io/name: keycloak
+ app.kubernetes.io/part-of: auth-system
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/created-by: tyil
+ app.kubernetes.io/managed-by: manual
+ app.kubernetes.io/name: keycloak
+ app.kubernetes.io/part-of: auth-system
+ spec:
+ containers:
+ - name: keycloak
+ image: quay.io/keycloak/keycloak:21.0.2
+ args: ["start-dev"]
+ env:
+ - name: KEYCLOAK_ADMIN
+ valueFrom:
+ secretKeyRef:
+ name: keycloak-credentials
+ key: username
+ - name: KEYCLOAK_ADMIN_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: keycloak-credentials
+ key: password
+ - name: KC_PROXY
+ value: "edge"
+ ports:
+ - name: http
+ containerPort: 8080
+ readinessProbe:
+ httpGet:
+ path: /realms/master
+ port: 8080
+ resources:
+ requests:
+ memory: 368Mi
+ limits:
+ memory: 512Mi
+...
diff --git a/data.d/k3s-master/manifests.d/oolah/auth-system/keycloak/ingress.yaml b/data.d/k3s-master/manifests.d/oolah/auth-system/keycloak/ingress.yaml
new file mode 100644
index 0000000..37bdee1
--- /dev/null
+++ b/data.d/k3s-master/manifests.d/oolah/auth-system/keycloak/ingress.yaml
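Review bot: In deployment.yaml, `args: ["start-dev"]` runs Keycloak in development mode, which per the Keycloak documentation relaxes hostname handling and falls back to the embedded dev-file database, while the ingress in this same commit serves it on a public host with a production certificate. For an internet-facing identity provider use `args: ["start"]` together with `KC_HOSTNAME` and the `KC_DB*` variables pointing at a persistent database; no volume is mounted here, so realm and user data would presumably not survive a pod restart. The container also has no `securityContext`; `runAsNonRoot: true` and `allowPrivilegeEscalation: false` are sensible defaults, and pinning the image by digest instead of the `21.0.2` tag keeps the deployed binary fixed.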
@@ -0,0 +1,31 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: keycloak
+ namespace: auth-system
+ labels:
+ app.kubernetes.io/created-by: tyil
+ app.kubernetes.io/managed-by: manual
+ app.kubernetes.io/name: keycloak
+ app.kubernetes.io/part-of: auth-system
+ annotations:
+ cert-manager.io/cluster-issuer: "letsencrypt-production"
+spec:
+ ingressClassName: "traefik"
+ tls:
+ - hosts:
+ - keycloak.tyil.nl
+ secretName: tls-nl.tyil.keycloak
+ rules:
+ - host: keycloak.tyil.nl
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: keycloak
+ port:
+ number: 80
+...
diff --git a/data.d/k3s-master/manifests.d/oolah/auth-system/keycloak/service.yaml b/data.d/k3s-master/manifests.d/oolah/auth-system/keycloak/service.yaml
new file mode 100644
index 0000000..0ee669b
--- /dev/null
+++ b/data.d/k3s-master/manifests.d/oolah/auth-system/keycloak/service.yaml
@@ -0,0 +1,22 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: keycloak
+ namespace: auth-system
+ labels:
+ app.kubernetes.io/created-by: tyil
+ app.kubernetes.io/managed-by: manual
+ app.kubernetes.io/name: keycloak
+ app.kubernetes.io/part-of: auth-system
+spec:
+ selector:
+ app.kubernetes.io/created-by: tyil
+ app.kubernetes.io/managed-by: manual
+ app.kubernetes.io/name: keycloak
+ app.kubernetes.io/part-of: auth-system
+ ports:
+ - name: http
+ port: 80
+ targetPort: 8080
+...
diff --git a/data.d/k3s-master/manifests.d/oolah/kube-system/treafik/middleware-headers-keycloak.yaml b/data.d/k3s-master/manifests.d/oolah/kube-system/treafik/middleware-headers-keycloak.yaml
new file mode 100644
index 0000000..d8e4001
--- /dev/null
+++ b/data.d/k3s-master/manifests.d/oolah/kube-system/treafik/middleware-headers-keycloak.yaml
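Review bot: In ingress.yaml, nothing references the `headers-keycloak` Middleware that this commit adds in kube-system, so as far as the visible manifests show its HSTS and CSP headers are never applied to this route. The usual wiring is an annotation next to the cert-manager one: `traefik.ingress.kubernetes.io/router.middlewares: kube-system-headers-keycloak@kubernetescrd`. Separately, `path: /` with `pathType: Prefix` publishes the admin console and the master realm on the public host; Keycloak's guidance is to expose only the paths clients need (such as `/realms/` and `/resources/`) and keep `/admin` on an internal route.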
@@ -0,0 +1,12 @@
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+ name: headers-keycloak
+ namespace: kube-system
+spec:
+ headers:
+ stsPreload: true
+ forceSTSHeader: true
+ contentSecurityPolicy: "default-src 'self'; style-src 'unsafe-inline'"
+...
-- cgit v1.1
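Review bot: In middleware-headers-keycloak.yaml, `stsPreload` and `forceSTSHeader` are set without `stsSeconds`, and Traefik's headers middleware only emits `Strict-Transport-Security` when `stsSeconds` is non-zero, so as written no HSTS header would be sent. Add `stsSeconds: 31536000`, plus `stsIncludeSubdomains: true` if preloading is really intended. The CSP's `style-src 'unsafe-inline'` omits `'self'`; because `style-src` overrides `default-src` for stylesheets, this would likely block Keycloak's own CSS files, and `style-src 'self' 'unsafe-inline'` is probably what was meant. It is also worth confirming that this header does not replace the `frame-ancestors` policy Keycloak sets on its own responses.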