yesod-mirror/k8s/configs/environments/authentication/main.jsonnet

local kube = import "k8s/configs/base.libsonnet";

local keycloak = import "k8s/configs/templates/core/security/keycloak.libsonnet";
local nginxIngress = import "k8s/configs/templates/core/network/nginx-ingress.libsonnet";
local secrets = import "k8s/configs/environments/authentication/secrets.json";

local ingressPaths = [
  # TODO: remove
  /*
  {
    path: "/",
    pathType: "Prefix",
    backend: {
      service: {
        name: 'keycloak',
        port: { number: 80},
      },
    },
  },
  */
  {
    path: "/realms/kube",
    pathType: "Prefix",
    backend: {
      service: {
        name: 'keycloak',
        port: { number: 80},
      },
    },
  },
  {
    path: "/realms/dominion",
    pathType: "Prefix",
    backend: {
      service: {
        name: 'keycloak',
        port: { number: 80 },
      },
    },
  },
  {
    path: "/realms/docker-registry",
    pathType: "Prefix",
    backend: {
      service: {
        name: 'keycloak',
        port: { number: 80 },
      },
    },
  },
  {
    path: "/resources",
    pathType: "Prefix",
    backend: {
      service: {
        name: 'keycloak',
        port: { number: 80 },
      },
    },
  },
];

local namespace = "authentication";
local ctx = kube.NewContext(kube.helm);
{
    namespace: {
        apiVersion: "v1",
        kind: "Namespace",
        metadata: {
            name: namespace,
        },
    },
    apps: {
        // TODO: Migrate postgres
        keycloak: keycloak.App(keycloak.Params {
            namespace: namespace,
            context: ctx,
            name: "keycloak",
            filePath: std.thisFile,
            postgresDbService: "keycloak-pg",
            postgresDbNamespace: namespace,
            postgresDbName: "keycloak-db",
            postgresDbUser: "keycloak-user",
            adminPassword: secrets.keycloak_admin_password,
            authPassword: secrets.keycloak_auth_password,
            dbPassword: secrets.keycloak_db_password,
        }),
        keycloakIngress: kube.Ingress(namespace, "keycloak") {
          metadata+: {
            annotations+: {
              "cert-manager.io/cluster-issuer": "letsencrypt-production",
            },
          },
          spec+: {
            ingressClassName: "nginx",
            tls: [
              {
                hosts: [
                  "auth.cheapassbox.com",
                  "authentication.cheapassbox.com",
                  "auth.csbx.dev",
                ],
                secretName: "keycloak-cert",
              },
            ],
            rules: [
              {
                host: 'auth.cheapassbox.com',
                http: {
                  // Specially disallow external connections to the `master` realm via ingress to protect security.
                  paths: ingressPaths,
                },
              },
              {
                host: 'authentication.cheapassbox.com',
                http: {
                  // Specially disallow external connections to the `master` realm via ingress to protect security.
                  paths: ingressPaths,
                },
              },
              {
                host: 'auth.csbx.dev',
                http: {
                  paths: ingressPaths,
                },
              }
            ],
          },
        },

    },
    volumes: {
        "keycloak-postgresql": kube.RecoverableSimplePvc(namespace, "data-keycloak-postgresql-0", "nfs-client", "8Gi", {
            volumeName: "pvc-12905c59-07d9-4daf-b2c4-a59f1360ec50",
            nfsPath: "/volume3/fs/authentication-data-keycloak-postgresql-0-pvc-12905c59-07d9-4daf-b2c4-a59f1360ec50",
            nfsServer: "apollo1.dominion.lan",
        }),
        keycloak: kube.RecoverableSimplePvc(namespace, "keycloak-postgresql-data", "nfs-client", "24Gi", {
            volumeName: "pvc-d984f2be-b437-11e9-bad8-b8aeed7dc356",
            nfsPath: "/volume3/fs/authentication-keycloak-postgresql-data-pvc-d984f2be-b437-11e9-bad8-b8aeed7dc356",
            nfsServer: "apollo1.dominion.lan",
        }),
    },
    secrets: {},
}