authorChristian Pointner <equinox@spreadspace.org>2020-11-26 20:10:56 +0100
committerChristian Pointner <equinox@spreadspace.org>2020-11-26 20:10:56 +0100
commitd4058a775c42277a6e9bc3d58d9a8bbfccc99bea (patch)
tree3742953f01ccef9d8d771f52c3bcb7741985c5bc /roles/apps/keycloak
parentsk-cloudio: update jitsi meet to stable-5142 (diff)
add role for app keycloak
Diffstat (limited to 'roles/apps/keycloak')
-rw-r--r--roles/apps/keycloak/defaults/main.yml30
-rw-r--r--roles/apps/keycloak/tasks/main.yml105
-rw-r--r--roles/apps/keycloak/templates/pod-spec-with-mariadb.yml.j259
3 files changed, 194 insertions, 0 deletions
diff --git a/roles/apps/keycloak/defaults/main.yml b/roles/apps/keycloak/defaults/main.yml
new file mode 100644
index 00000000..24326601
--- /dev/null
+++ b/roles/apps/keycloak/defaults/main.yml
@@ -0,0 +1,30 @@
+---
+keycloak_app_uid: "920"
+keycloak_app_gid: "920"
+
+keycloak_db_uid: "921"
+keycloak_db_gid: "921"
+
+# keycloak_base_path: /srv/keycloak
+
+# keycloak_zfs:
+# pool: storage
+# name: keycloak
+# properties:
+# compression: lz4
+
+# keycloak_instances:
+# example:
+# new: yes
+# version: 11.0.3
+# port: 8500
+# hostname: id.example.com
+# admin:
+# username: admin
+# password: "{{ vault_keycloak_admin_passwords['example'] }}"
+# zfs_properties:
+# quota: 1G
+# database:
+# type: mariadb
+# version: 10.5.8
+# password: "{{ vault_keycloak_database_passwords['example'] }}"
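Review bot: The commented example leaves the meaning of `new` undocumented, although it is the switch that decides whether the database container is started with the `MYSQL_*` initialisation variables (the `{% if 'new' in item.value and item.value.new %}` block in pod-spec-with-mariadb.yml.j2), so a reader of this defaults file cannot tell that it must be cleared again once the data directory is initialised. A one-line comment above it such as `# new: yes  # set only for the first start: enables database initialisation env` would make that explicit, and the example should spell the value `true` rather than the YAML 1.1 `yes`. It is also worth noting next to `# keycloak_base_path` that this variable is mandatory when `keycloak_zfs` is not defined, since tasks/main.yml only derives it from the ZFS pool in the `keycloak_zfs is defined` branch.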
diff --git a/roles/apps/keycloak/tasks/main.yml b/roles/apps/keycloak/tasks/main.yml
new file mode 100644
index 00000000..917aa68e
--- /dev/null
+++ b/roles/apps/keycloak/tasks/main.yml
@@ -0,0 +1,105 @@
+---
+- name: create zfs datasets
+ when: keycloak_zfs is defined
+ block:
+ - name: create zfs base dataset
+ zfs:
+ name: "{{ keycloak_zfs.pool }}/{{ keycloak_zfs.name }}"
+ state: present
+ extra_zfs_properties: "{{ keycloak_zfs.properties | default(omit) }}"
+
+ - name: create zfs volumes for instances
+ loop: "{{ keycloak_instances | dict2items }}"
+ loop_control:
+ label: "{{ item.key }} ({{ (item.value.zfs_properties | default({})).items() | map('join', '=') | join(', ') }})"
+ zfs:
+ name: "{{ keycloak_zfs.pool }}/{{ keycloak_zfs.name }}/{{ item.key }}"
+ state: present
+ extra_zfs_properties: "{{ item.value.zfs_properties | default(omit) }}"
+
+ - name: configure keycloak base bath
+ set_fact:
+ keycloak_base_path: "{{ zfs_pools[keycloak_zfs.pool].mountpoint }}/{{ keycloak_zfs.name }}"
+
+
+- name: create instance subdirectories
+ when: keycloak_zfs is not defined
+ loop: "{{ keycloak_instances | list }}"
+ file:
+ path: "{{ keycloak_base_path }}/{{ item }}"
+ state: directory
+
+
+
+- name: add group for keycloak app
+ group:
+ name: kc-app
+ gid: "{{ keycloak_app_gid }}"
+
+- name: add user for keycloak app
+ user:
+ name: kc-app
+ uid: "{{ keycloak_app_uid }}"
+ group: kc-app
+ password: "!"
+
+- name: create keycloak app subdirectory
+ loop: "{{ keycloak_instances | list }}"
+ file:
+ path: "{{ keycloak_base_path }}/{{ item }}/keycloak"
+ owner: "{{ keycloak_app_uid }}"
+ group: "{{ keycloak_app_gid }}"
+ state: directory
+
+
+- name: add group for keycloak db
+ group:
+ name: kc-db
+ gid: "{{ keycloak_db_gid }}"
+
+- name: add user for keycloak db
+ user:
+ name: kc-db
+ uid: "{{ keycloak_db_uid }}"
+ group: kc-db
+ password: "!"
+
+- name: create keycloak database subdirectory
+ loop: "{{ keycloak_instances | dict2items}}"
+ loop_control:
+ label: "{{ item.key }} ({{ item.value.database.type }})"
+ file:
+ path: "{{ keycloak_base_path }}/{{ item.key }}/{{ item.value.database.type }}"
+ owner: "{{ keycloak_db_uid }}"
+ group: "{{ keycloak_db_gid }}"
+ state: directory
+
+
+- name: install pod manifest
+ loop: "{{ keycloak_instances | dict2items }}"
+ loop_control:
+ label: "{{ item.key }}"
+ vars:
+ kubernetes_standalone_pod:
+ name: "keycloak-{{ item.key }}"
+ spec: "{{ lookup('template', 'pod-spec-with-{{ item.value.database.type }}.yml.j2') }}"
+ mode: "0600"
+ include_role:
+ name: kubernetes/standalone/pod
+
+
+- name: configure nginx vhost
+ loop: "{{ keycloak_instances | dict2items }}"
+ loop_control:
+ label: "{{ item.key }}"
+ vars:
+ nginx_vhost:
+ name: "keycloak-{{ item.key }}"
+ template: generic-proxy-no-buffering-with-acme
+ acme: true
+ hostnames:
+ - "{{ item.value.hostname }}"
+ client_max_body_size: "0"
+ proxy_pass: "http://127.0.0.1:{{ item.value.port }}/auth/"
+ include_role:
+ name: nginx/vhost
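Review bot: The `lookup('template', 'pod-spec-with-{{ item.value.database.type }}.yml.j2')` in the "install pod manifest" task nests moustaches inside a Jinja expression; Ansible evaluates this, but it is the deprecated nested-templating form and reads as a string literal, so build the filename with concatenation instead: `spec: "{{ lookup('template', 'pod-spec-with-' ~ item.value.database.type ~ '.yml.j2') }}"`. The "create keycloak app subdirectory" task creates `{{ keycloak_base_path }}/{{ item }}/keycloak` owned by kc-app, yet the only template in this commit never mounts that path and the keycloak container's `runAsUser` is commented out, so either the mount and the security context should be added to the template or the directory task is dead weight — presumably the former is intended. Two cosmetic items in the same file: the task name `configure keycloak base bath` should read `base path`, and `{{ keycloak_instances | dict2items}}` lacks the closing space that every other loop uses.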
diff --git a/roles/apps/keycloak/templates/pod-spec-with-mariadb.yml.j2 b/roles/apps/keycloak/templates/pod-spec-with-mariadb.yml.j2
new file mode 100644
index 00000000..dd63d3a0
--- /dev/null
+++ b/roles/apps/keycloak/templates/pod-spec-with-mariadb.yml.j2
@@ -0,0 +1,59 @@
+securityContext:
+ allowPrivilegeEscalation: false
+containers:
+- name: keycloak
+ image: "quay.io/keycloak/keycloak:{{ item.value.version }}"
+ # securityContext:
+ # runAsUser: {{ keycloak_app_uid }}
+ # runAsGroup: {{ keycloak_app_gid }}
+ resources:
+ limits:
+ memory: "1Gi"
+ env:
+ - name: DB_VENDOR
+ value: mariadb
+ - name: DB_ADDR
+ value: 127.0.0.1
+ - name: DB_DATABASE
+ value: keycloak
+ - name: DB_USER
+ value: keycloak
+ - name: DB_PASSWORD
+ value: "{{ item.value.database.password }}"
+ - name: KEYCLOAK_USER
+ value: "{{ item.value.admin.username }}"
+ - name: KEYCLOAK_PASSWORD
+ value: "{{ item.value.admin.password }}"
+ - name: KEYCLOAK_FRONTEND_URL
+ value: "https://{{ item.value.hostname }}"
+ ports:
+ - containerPort: 8080
+ hostPort: {{ item.value.port }}
+ hostIP: 127.0.0.1
+- name: database
+ image: "mariadb:{{ item.value.database.version }}"
+ securityContext:
+ runAsUser: {{ keycloak_db_uid }}
+ runAsGroup: {{ keycloak_db_gid }}
+ resources:
+ limits:
+ memory: "512Mi"
+{% if 'new' in item.value and item.value.new %}
+ env:
+ - name: MYSQL_RANDOM_ROOT_PASSWORD
+ value: "true"
+ - name: MYSQL_DATABASE
+ value: keycloak
+ - name: MYSQL_USER
+ value: keycloak
+ - name: MYSQL_PASSWORD
+ value: "{{ item.value.database.password }}"
+{% endif %}
+ volumeMounts:
+ - name: database
+ mountPath: /var/lib/mysql
+volumes:
+- name: database
+ hostPath:
+ path: "{{ keycloak_base_path }}/{{ item.key }}/{{ item.value.database.type }}"
+ type: Directory
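Review bot: `allowPrivilegeEscalation: false` is placed in the pod-level `securityContext` at the top of the template, but that key only exists on a container's `securityContext` (the pod-level PodSecurityContext carries runAsUser/runAsGroup/fsGroup and similar); at pod level it is dropped or rejected rather than enforced, so neither container actually gets the restriction. Move it into each container's `securityContext`, e.g. for the database container `securityContext:` / `allowPrivilegeEscalation: false` / `runAsUser: {{ keycloak_db_uid }}` / `runAsGroup: {{ keycloak_db_gid }}`, and give the keycloak container its own block by uncommenting the `runAsUser`/`runAsGroup` lines once the matching volume ownership is sorted out in tasks/main.yml. Since the manifest carries `DB_PASSWORD`, `KEYCLOAK_USER` and `KEYCLOAK_PASSWORD` as plain environment values, the `mode: "0600"` applied by the installing task is the only protection for them; a comment at the top of the template saying so (`# contains database and admin credentials; installed with mode 0600 by tasks/main.yml`) would keep a later change from loosening it.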