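local kube = import "k8s/configs/base.libsonnet";
local keycloak = import "k8s/configs/templates/core/security/keycloak.libsonnet";
local nginxIngress = import "k8s/configs/templates/core/network/nginx-ingress.libsonnet";
// Keycloak credentials (admin, auth, db) are read from the environment's secrets file.
local secrets = import "k8s/configs/environments/authentication/secrets.json";

local namespace = "authentication";

// Every externally routed path forwards to the same in-cluster Keycloak service/port.
local keycloakService = { name: "keycloak", port: { number: 80 } };

// Build one Prefix-type ingress path entry that routes to the Keycloak service.
local keycloakPath(path) = {
  path: path,
  pathType: "Prefix",
  backend: { service: keycloakService },
};

// Allowlist of Keycloak path prefixes reachable through the ingress.
// Anything not listed here (in particular `/realms/master`) is not routed from
// outside the cluster, so keep this list as narrow as the realms actually need.
local ingressPaths = [
  # TODO: remove
  /*
  // A bare "/" prefix would match every Keycloak path, including the `master` realm.
  keycloakPath("/"),
  */
  keycloakPath("/realms/kube"),
  keycloakPath("/realms/dominion"),
  keycloakPath("/realms/docker-registry"),
  keycloakPath("/resources"),
];

// Public hostnames; the same list feeds both the TLS certificate and the routing rules
// so a host can never be served without a matching certificate entry.
local ingressHosts = [
  "auth.cheapassbox.com",
  "authentication.cheapassbox.com",
  "auth.csbx.dev",
];

local ctx = kube.NewContext(kube.helm);

{
  namespace: {
    apiVersion: "v1",
    kind: "Namespace",
    metadata: {
      name: namespace,
    },
  },
  apps: {
    // TODO: Migrate postgres
    keycloak: keycloak.App(keycloak.Params {
      namespace: namespace,
      context: ctx,
      name: "keycloak",
      filePath: std.thisFile,
      postgresDbService: "keycloak-pg",
      postgresDbNamespace: namespace,
      postgresDbName: "keycloak-db",
      postgresDbUser: "keycloak-user",
      adminPassword: secrets.keycloak_admin_password,
      authPassword: secrets.keycloak_auth_password,
      dbPassword: secrets.keycloak_db_password,
    }),
    keycloakIngress: kube.Ingress(namespace, "keycloak") {
      metadata+: {
        annotations+: {
          "cert-manager.io/cluster-issuer": "letsencrypt-production",
        },
      },
      spec+: {
        ingressClassName: "nginx",
        tls: [
          {
            hosts: ingressHosts,
            secretName: "keycloak-cert",
          },
        ],
        // Specially disallow external connections to the `master` realm via ingress to
        // protect security: each host only exposes the `ingressPaths` allowlist above.
        rules: [
          {
            host: host,
            http: {
              paths: ingressPaths,
            },
          }
          for host in ingressHosts
        ],
      },
    },
  },
  volumes: {
    "keycloak-postgresql": kube.RecoverableSimplePvc(namespace, "data-keycloak-postgresql-0", "nfs-client", "8Gi", {
      volumeName: "pvc-12905c59-07d9-4daf-b2c4-a59f1360ec50",
      nfsPath: "/volume3/fs/authentication-data-keycloak-postgresql-0-pvc-12905c59-07d9-4daf-b2c4-a59f1360ec50",
      nfsServer: "apollo1.dominion.lan",
    }),
    keycloak: kube.RecoverableSimplePvc(namespace, "keycloak-postgresql-data", "nfs-client", "24Gi", {
      volumeName: "pvc-d984f2be-b437-11e9-bad8-b8aeed7dc356",
      nfsPath: "/volume3/fs/authentication-keycloak-postgresql-data-pvc-d984f2be-b437-11e9-bad8-b8aeed7dc356",
      nfsServer: "apollo1.dominion.lan",
    }),
  },
  secrets: {},
}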