chore(keyclok): switch to using a secret for admin credentials, try to use Postgres instead of SQLite

2024-03-28 12:17:20 -05:00 · 2024-03-28 12:17:20 -05:00 · e045928fc9
commit e045928fc9
parent dbc1b6b4b9
2 changed files with 98 additions and 3 deletions
--- a/apps/keycloak/base/keycloak.yaml
+++ b/apps/keycloak/base/keycloak.yaml
@ -1,4 +1,14 @@
 apiVersion: v1
+data:
+  password: YkJiNXU3NXRaYUR0ZHVudw==
+  username: YWRtaW4=
+kind: Secret
+metadata:
+  name: keycloak-admin
+type: kubernetes.io/basic-auth
+
+---
+apiVersion: v1
 kind: Service
 metadata:
  name: keycloak
@ -12,6 +22,7 @@ spec:
  selector:
    app: keycloak
  type: LoadBalancer
+
 ---
 apiVersion: apps/v1
 kind: Deployment
@ -35,11 +46,47 @@ spec:
          args: ["start-dev"]
          env:
            - name: KEYCLOAK_ADMIN
-              value: "admin"
+              valueFrom:
+                secretKeyRef:
+                  key: username
+                  name: keycloak-admin
            - name: KEYCLOAK_ADMIN_PASSWORD
-              value: "bBb5u75tZaDtdunw"
+              valueFrom:
+                secretKeyRef:
+                  key: password
+                  name: keycloak-admin
            - name: KC_PROXY
              value: "edge"
+            - name: KC_HEALTH_ENABLED
+              value: "true"
+            - name: KC_METRICS_ENABLED
+              value: "true"
+            - name: KC_HOSTNAME_STRICT_HTTPS
+              value: "true"
+            - name: KC_LOG_LEVEL
+              value: INFO
+            - name: KC_DB
+              value: postgres
+            - name: POSTGRES_DB
+              valueFrom:
+                secretKeyRef:
+                  name: keycloak-app
+                  key: username
+            - name: KC_DB_URL
+              valueFrom:
+                secretKeyRef:
+                  name: keycloak-app
+                  key: jdbc-uri
+            - name: KC_DB_USERNAME
+              valueFrom:
+                secretKeyRef:
+                  name: keycloak-app
+                  key: username
+            - name: KC_DB_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: keycloak-app
+                  key: password
          ports:
            - name: http
              containerPort: 8080
--- a/apps/keycloak/base/pg.yaml
+++ b/apps/keycloak/base/pg.yaml
@ -1,9 +1,57 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: backup-creds
+data:
+  ACCESS_KEY_ID: a2V5X2lk
+  ACCESS_SECRET_KEY: c2VjcmV0X2tleQ==
+
+---
 apiVersion: postgresql.cnpg.io/v1
 kind: Cluster
 metadata:
-  name: keycloak
+  name: keycloak-pg-cluster
 spec:
  instances: 1

  storage:
    size: 1Gi
+
+  bootstrap:
+    initdb:
+      database: keycloak
+
+  # enableSuperuserAccess: true
+
+  # backup:
+  #   barmanObjectStore:
+  #     destinationPath: s3://cluster-example-full-backup/
+  #     endpointURL: http://custom-endpoint:1234
+  #     s3Credentials:
+  #       accessKeyId:
+  #         name: backup-creds
+  #         key: ACCESS_KEY_ID
+  #       secretAccessKey:
+  #         name: backup-creds
+  #         key: ACCESS_SECRET_KEY
+  #     wal:
+  #       compression: gzip
+  #       encryption: AES256
+  #     data:
+  #       compression: gzip
+  #       encryption: AES256
+  #       immediateCheckpoint: false
+  #       jobs: 2
+  #   retentionPolicy: "30d"
+
+  # resources:
+  #   requests:
+  #     memory: "512Mi"
+  #     cpu: "1"
+  #   limits:
+  #     memory: "1Gi"
+  #     cpu: "2"
+
+  # affinity:
+  #   enablePodAntiAffinity: true
+  #   topologyKey: failure-domain.beta.kubernetes.io/zone