
local kube = import "k8s/configs/base.libsonnet";
local keycloak = import "k8s/configs/templates/core/security/keycloak.libsonnet";
local nginxIngress = import "k8s/configs/templates/core/network/nginx-ingress.libsonnet";
local secrets = import "k8s/configs/environments/authentication/secrets.json";
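// Public URL allow-list for the Keycloak ingress (each host rule reuses it).
//
// Only these prefixes are routed to the `keycloak` Service; a request for any
// other path falls through to the ingress controller's default backend
// (normally a 404) and never reaches Keycloak. `/admin` and `/realms/master`
// are deliberately absent so the admin console and the master realm are not
// reachable from outside the cluster — do not add a `/` catch-all here.
//
// NOTE(review): ingress-nginx may implement `Prefix` as a plain string prefix
// rather than the element-wise match the Ingress spec describes, so
// `/realms/kube` could also match e.g. `/realms/kube-foo`. That cannot expose
// `master` (no listed prefix is a prefix of `/realms/master`), but confirm
// against the controller version in use.
local keycloakBackend = {
  service: {
    name: 'keycloak',
    port: { number: 80 },
  },
};
// Realms exposed through the ingress; order is preserved in the rendered paths.
local exposedRealms = ["kube", "dominion", "docker-registry"];
local ingressPaths = [
  {
    path: "/realms/" + realm,
    pathType: "Prefix",
    backend: keycloakBackend,
  }
  for realm in exposedRealms
] + [
  // Theme/static assets (login page CSS, JS, images) are served from here.
  {
    path: "/resources",
    pathType: "Prefix",
    backend: keycloakBackend,
  },
];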
// Rendering context handed to every template invoked from this file.
local ctx = kube.NewContext(kube.helm);
// Everything defined here (Namespace, Keycloak, its Postgres wiring, PVCs) lives in this one namespace.
local namespace = "authentication";
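{
  // The Namespace is owned here so the environment can be bootstrapped from this file alone.
  namespace: {
    apiVersion: "v1",
    kind: "Namespace",
    metadata: {
      name: namespace,
    },
  },
  apps: {
    // TODO: Migrate postgres
    // Keycloak plus its Postgres wiring. The three passwords are read from
    // secrets.json at evaluation time, so the rendered manifests contain them
    // in the clear — keep that file and the rendered output out of version
    // control and CI logs. NOTE(review): confirm secrets.json is gitignored.
    keycloak: keycloak.App(keycloak.Params {
      namespace: namespace,
      context: ctx,
      name: "keycloak",
      filePath: std.thisFile,
      postgresDbService: "keycloak-pg",
      postgresDbNamespace: namespace,
      postgresDbName: "keycloak-db",
      postgresDbUser: "keycloak-user",
      adminPassword: secrets.keycloak_admin_password,
      authPassword: secrets.keycloak_auth_password,
      dbPassword: secrets.keycloak_db_password,
    }),
    // The only external entry point to Keycloak. TLS terminates at the ingress
    // (cert-manager issued cert; ingress-nginx redirects HTTP to HTTPS by
    // default once a host has a TLS entry). Traffic from the controller to the
    // Service is plain HTTP on port 80, so the keycloak template is presumably
    // configured to trust the proxy's X-Forwarded-* headers — that is not
    // visible from this file, confirm it there.
    keycloakIngress: kube.Ingress(namespace, "keycloak") {
      // Single source of truth for the public hostnames: every host gets the
      // same TLS cert entry and the same path allow-list, so a host can no
      // longer be added to `rules` without also being covered by `tls`.
      local hosts = [
        "auth.cheapassbox.com",
        "authentication.cheapassbox.com",
        "auth.csbx.dev",
      ],
      metadata+: {
        annotations+: {
          "cert-manager.io/cluster-issuer": "letsencrypt-production",
        },
      },
      spec+: {
        ingressClassName: "nginx",
        tls: [
          {
            hosts: hosts,
            secretName: "keycloak-cert",
          },
        ],
        // `ingressPaths` is the allow-list: it deliberately omits `/admin` and
        // `/realms/master`, so the admin console and the master realm are not
        // reachable through this ingress on any of the hosts.
        rules: [
          {
            host: host,
            http: {
              paths: ingressPaths,
            },
          }
          for host in hosts
        ],
      },
    },
  },
  volumes: {
    // Both claims pin an existing volume by `volumeName` and an NFS export path,
    // i.e. they re-attach previously provisioned data (presumably what
    // RecoverableSimplePvc is for) rather than allocating fresh storage. The
    // two entries look like the pre- and post-migration Postgres volumes (see
    // the TODO above) — confirm which one is live before deleting either.
    "keycloak-postgresql": kube.RecoverableSimplePvc(namespace, "data-keycloak-postgresql-0", "nfs-client", "8Gi", {
      volumeName: "pvc-12905c59-07d9-4daf-b2c4-a59f1360ec50",
      nfsPath: "/volume3/fs/authentication-data-keycloak-postgresql-0-pvc-12905c59-07d9-4daf-b2c4-a59f1360ec50",
      nfsServer: "apollo1.dominion.lan",
    }),
    keycloak: kube.RecoverableSimplePvc(namespace, "keycloak-postgresql-data", "nfs-client", "24Gi", {
      volumeName: "pvc-d984f2be-b437-11e9-bad8-b8aeed7dc356",
      nfsPath: "/volume3/fs/authentication-keycloak-postgresql-data-pvc-d984f2be-b437-11e9-bad8-b8aeed7dc356",
      nfsServer: "apollo1.dominion.lan",
    }),
  },
  // Intentionally empty: no Secret objects are declared here; the passwords
  // above are handed to the keycloak template, which presumably creates its own.
  secrets: {},
}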