diff --git a/apps/prod-keycloak.yaml b/apps/prod-keycloak.yaml
new file mode 100644
index 00000000..8a95e8a7
--- /dev/null
+++ b/apps/prod-keycloak.yaml
@@ -0,0 +1,35 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: prod-keycloak
+ namespace: argocd
+ annotations:
+ argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ project: aux
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: keycloak
+ syncPolicy:
+ managedNamespaceMetadata:
+ labels:
+ component: aux
+ syncOptions:
+ - CreateNamespace=true
+ - ApplyOutOfSyncOnly=true
+ automated:
+ prune: true
+ selfHeal: true
+ sources:
+ - repoURL: https://charts.bitnami.com/bitnami
+ targetRevision: 24.3.1
+ chart: keycloak
+ helm:
+ valueFiles:
+ - $values/values/keycloak/values-prod.yaml
+ - repoURL: https://gitlab.com/oceanbox/manifests.git
+ targetRevision: nixidy
+ ref: values
+
diff --git a/values/keycloak/values-prod.yaml b/values/keycloak/values-prod.yaml
new file mode 100644
index 00000000..799de727
--- /dev/null
+++ b/values/keycloak/values-prod.yaml
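Review bot: The values source at `targetRevision: nixidy` tracks a mutable branch while `automated.prune` and `selfHeal` are enabled, so any push to that branch of the manifests repo reconfigures the production Keycloak with no further gate; the chart source next to it is pinned to `24.3.1`, which makes the asymmetry stand out. If following the branch is intentional (it may be a generated output branch), a comment on that source such as `# values deliberately follow the nixidy branch: <reason>` would record it; otherwise pin the prod values to a tag or commit. The `SkipDryRunOnMissingResource=true` annotation presumably exists for the CNPG `Cluster` deployed from the values file's `extraDeploy`, which is not visible from this Application and is worth a one-line comment as well.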
@@ -0,0 +1,96 @@
+replicaCount: 2
+
+production: true
+
+proxy: edge
+
+auth:
+ adminPassword: en to tre fire
+ adminUser: admin
+ existingSecret: ""
+ managementPassword: ""
+ managementUser: manager
+
+postgresql:
+ enabled: false
+
+externalDatabase:
+ host: prod-keycloak-rw
+ port: 5432
+ database: app
+ existingSecret: prod-keycloak-ap
+ existingSecretUserKey: username
+ existingSecretPasswordKey: password
+
+extraVolumeMounts:
+- mountPath: /opt/bitnami/keycloak/themes/oceanbox
+ name: theme
+
+extraVolumes:
+- emptyDir: {}
+ name: theme
+
+ingress:
+ annotations:
+ cert-manager.io/cluster-issuer: letsencrypt-production
+ nginx.ingress.kubernetes.io/enable-cors: "true"
+ nginx.ingress.kubernetes.io/backend-protocol: HTTP
+ nginx.ingress.kubernetes.io/proxy-buffer-size: 128k
+ nginx.ingress.kubernetes.io/ssl-redirect: "true"
+ enabled: true
+ hostname: auth.oceanbox.io
+ ingressClassName: nginx
+ path: /
+ pathType: ImplementationSpecific
+ selfSigned: false
+ servicePort: http
+ tls: true
+
+adminIngress:
+ enabled: false
+ annotations:
+ cert-manager.io/cluster-issuer: letsencrypt-production
+ nginx.ingress.kubernetes.io/enable-cors: "true"
+ nginx.ingress.kubernetes.io/backend-protocol: HTTP
+ nginx.ingress.kubernetes.io/proxy-buffer-size: 128k
+ nginx.ingress.kubernetes.io/ssl-redirect: "true"
+ nginx.ingress.kubernetes.io/whitelist-source-range: 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
+ hostname: auth.adm.oceanbox.io
+ ingressClassName: nginx
+ path: /
+ pathType: ImplementationSpecific
+ selfSigned: false
+ servicePort: http
+ tls: true
+
+initContainers: |
+ - name: keycloak-theme-provider
+ image: docker.io/juselius/oceanbox-theme:1.2
+ imagePullPolicy: Always
+ command:
+ - sh
+ args:
+ - -c
+ - |
+ echo "Copying theme..."
+ cp -R /theme/* /keycloak/themes/oceanbox
+ volumeMounts:
+ - name: theme
+ mountPath: /keycloak/themes/oceanbox
+
+extraDeploy:
+ - apiVersion: postgresql.cnpg.io/v1
+ kind: Cluster
+ metadata:
+ name: prod-keycloak
+ namespace: keycloak
+ spec:
+ instances: 2
+ imageName: ghcr.io/cloudnative-pg/postgresql:17.2-27-bookworm
+ storage:
+ resizeInUseVolumes: true
+ size: 10Gi
+ backup:
+ retentionPolicy: 60d
+ target: prefer-standby
+
diff --git a/values/keycloak/values.yaml b/values/keycloak/values.yaml
index b1c60b92..0d016a86 100644
--- a/values/keycloak/values.yaml
+++ b/values/keycloak/values.yaml
@@ -33,9 +33,6 @@ ingress:
 nginx.ingress.kubernetes.io/proxy-buffer-size: 128k
 nginx.ingress.kubernetes.io/ssl-redirect: "true"
 enabled: true
- extraHosts:
- - name: auth.oceanbox.io
- path: /
 hostname: auth.srv.oceanbox.io
 ingressClassName: nginx
 path: /
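Review bot: `adminPassword: en to tre fire` together with `existingSecret: ""` in the `auth` block puts the production Keycloak admin password into the committed values file in plaintext, and a four-word counting phrase is trivially guessable. The file already references an out-of-band Secret for the database (`externalDatabase.existingSecret: prod-keycloak-ap`); the admin credential should go the same way: remove `adminPassword`, set `existingSecret: <admin-secret-name>` (placeholder) to a Secret provisioned outside the repo, and treat the committed value as exposed and rotate it, since it remains in git history. With `adminIngress.enabled: false` the `whitelist-source-range` annotation never takes effect while the public ingress serves `path: /` on `auth.oceanbox.io`; whether the admin console is reachable on that host depends on chart and Keycloak hostname settings not visible in this hunk, so confirm that before relying on the disabled admin ingress as a restriction. The theme init container uses `image: docker.io/juselius/oceanbox-theme:1.2` with `imagePullPolicy: Always`, a mutable tag re-pulled on every pod start; pinning it by digest would make the theme bundle reproducible.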