From e045928fc9c731ec8c410139d75f0368f6ad1a52 Mon Sep 17 00:00:00 2001 From: David Landry Date: Thu, 28 Mar 2024 12:17:20 -0500 Subject: [PATCH] chore(keyclok): switch to using a secret for admin credentials, try to use Postgres instead of SQLite --- apps/keycloak/base/keycloak.yaml | 51 ++++++++++++++++++++++++++++++-- apps/keycloak/base/pg.yaml | 50 ++++++++++++++++++++++++++++++- 2 files changed, 98 insertions(+), 3 deletions(-) diff --git a/apps/keycloak/base/keycloak.yaml b/apps/keycloak/base/keycloak.yaml index 08cff6f..497ae8a 100644 --- a/apps/keycloak/base/keycloak.yaml +++ b/apps/keycloak/base/keycloak.yaml @@ -1,4 +1,14 @@ apiVersion: v1 +data: + password: YkJiNXU3NXRaYUR0ZHVudw== + username: YWRtaW4= +kind: Secret +metadata: + name: keycloak-admin +type: kubernetes.io/basic-auth + +--- +apiVersion: v1 kind: Service metadata: name: keycloak @@ -12,6 +22,7 @@ spec: selector: app: keycloak type: LoadBalancer + --- apiVersion: apps/v1 kind: Deployment @@ -35,11 +46,47 @@ spec: args: ["start-dev"] env: - name: KEYCLOAK_ADMIN - value: "admin" + valueFrom: + secretKeyRef: + key: username + name: keycloak-admin - name: KEYCLOAK_ADMIN_PASSWORD - value: "bBb5u75tZaDtdunw" + valueFrom: + secretKeyRef: + key: password + name: keycloak-admin - name: KC_PROXY value: "edge" + - name: KC_HEALTH_ENABLED + value: "true" + - name: KC_METRICS_ENABLED + value: "true" + - name: KC_HOSTNAME_STRICT_HTTPS + value: "true" + - name: KC_LOG_LEVEL + value: INFO + - name: KC_DB + value: postgres + - name: POSTGRES_DB + valueFrom: + secretKeyRef: + name: keycloak-app + key: username + - name: KC_DB_URL + valueFrom: + secretKeyRef: + name: keycloak-app + key: jdbc-uri + - name: KC_DB_USERNAME + valueFrom: + secretKeyRef: + name: keycloak-app + key: username + - name: KC_DB_PASSWORD + valueFrom: + secretKeyRef: + name: keycloak-app + key: password ports: - name: http containerPort: 8080 diff --git a/apps/keycloak/base/pg.yaml b/apps/keycloak/base/pg.yaml index 9c6557e..6392ede 100644 
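Review bot: The new `keycloak-admin` Secret in the `@@ -1,4 +1,14 @@` hunk still commits the admin password to the repository, only base64-encoded: `YkJiNXU3NXRaYUR0ZHVudw==` decodes to the same `bBb5u75tZaDtdunw` string the removed plaintext `value:` line carried, so the credential is now in git history twice and base64 adds no protection. Keep this Secret manifest out of `apps/keycloak/base/` and have it produced at deploy time instead — a kustomize `secretGenerator` fed from a git-ignored env file, SOPS/SealedSecrets, or an ExternalSecret — and rotate the password, since the plaintext has already been committed. As far as I recall, Keycloak only reads `KEYCLOAK_ADMIN`/`KEYCLOAK_ADMIN_PASSWORD` to create the first admin user, so rotating the Secret after the realm has been initialised does not change the stored password; a comment above `password:` such as `# bootstrap-only: rotate the admin user inside Keycloak as well, not just this Secret` would keep a future maintainer from assuming otherwise.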
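Review bot: In the `@@ -35,11 +46,47 @@` hunk the `keycloak-app` Secret referenced by `KC_DB_URL`, `KC_DB_USERNAME`, `KC_DB_PASSWORD` and `POSTGRES_DB` is not defined anywhere in this patch; if it is meant to be the credentials Secret CloudNativePG generates for the cluster, that Secret is (to my knowledge) named after the Cluster object, which `pg.yaml` renames to `keycloak-pg-cluster` in this same commit, so the pod will sit in CreateContainerConfigError until the names agree — likely `name: keycloak-pg-cluster-app`, please verify against the operator. `POSTGRES_DB` is filled from the `username` key and is not a `KC_*` option Keycloak consumes, so it reads as a leftover from an image env var and should be dropped or pointed at the database-name key. `KC_METRICS_ENABLED`/`KC_HEALTH_ENABLED` expose `/metrics` and `/health`, which on Keycloak releases without a separate management port are served on the same 8080 listener the `LoadBalancer` Service publishes, so unless an ingress or NetworkPolicy restricts them they become reachable from wherever the Service is; consider leaving metrics off here or fronting the pod. The context line still runs `args: ["start-dev"]`, under which dev-mode defaults may override `KC_HOSTNAME_STRICT_HTTPS`, so that option is not guaranteed to take effect until the args become `start`; the container spec starts before and continues after this hunk.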
--- a/apps/keycloak/base/pg.yaml
+++ b/apps/keycloak/base/pg.yaml
@@ -1,9 +1,57 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: backup-creds
+data:
+ ACCESS_KEY_ID: a2V5X2lk
+ ACCESS_SECRET_KEY: c2VjcmV0X2tleQ==
+
+---
 apiVersion: postgresql.cnpg.io/v1
 kind: Cluster
 metadata:
- name: keycloak
+ name: keycloak-pg-cluster
 spec:
 instances: 1
 storage:
 size: 1Gi
+
+ bootstrap:
+ initdb:
+ database: keycloak
+
+ # enableSuperuserAccess: true
+
+ # backup:
+ # barmanObjectStore:
+ # destinationPath: s3://cluster-example-full-backup/
+ # endpointURL: http://custom-endpoint:1234
+ # s3Credentials:
+ # accessKeyId:
+ # name: backup-creds
+ # key: ACCESS_KEY_ID
+ # secretAccessKey:
+ # name: backup-creds
+ # key: ACCESS_SECRET_KEY
+ # wal:
+ # compression: gzip
+ # encryption: AES256
+ # data:
+ # compression: gzip
+ # encryption: AES256
+ # immediateCheckpoint: false
+ # jobs: 2
+ # retentionPolicy: "30d"
+
+ # resources:
+ # requests:
+ # memory: "512Mi"
+ # cpu: "1"
+ # limits:
+ # memory: "1Gi"
+ # cpu: "2"
+
+ # affinity:
+ # enablePodAntiAffinity: true
+ # topologyKey: failure-domain.beta.kubernetes.io/zone
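Review bot: The new `backup-creds` Secret commits object-store credentials to the repository as base64 (`a2V5X2lk`/`c2VjcmV0X2tleQ==` decode to the placeholders `key_id`/`secret_key`) while nothing in the manifest uses it, because the entire `backup:` block is commented out; that is dead configuration whose most likely future is a real key being pasted into it. Drop the Secret from base and create it at deploy time (kustomize `secretGenerator` from a git-ignored file, SOPS/SealedSecrets or an ExternalSecret) when the backup is actually enabled. When it is, the example `endpointURL: http://custom-endpoint:1234` would ship WAL and base backups over plaintext HTTP, so change it to `https://`, and note that `encryption: AES256` in barman's object-store settings requests server-side encryption at the bucket rather than protecting data in transit. Renaming the Cluster to `keycloak-pg-cluster` also changes the names of the Secrets the operator derives from it, which any consumer still referencing the old `keycloak-*` names will need to follow; a comment above `name:` such as `# NOTE: CNPG derives the app/superuser Secret names from this value` would make that coupling visible.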