add role for app keycloak

3 files changed, 194 insertions, 0 deletions

diff --git a/roles/apps/keycloak/defaults/main.yml b/roles/apps/keycloak/defaults/main.yml
new file mode 100644
index 00000000..24326601
--- /dev/null
+++ b/roles/apps/keycloak/defaults/main.yml
@@ -0,0 +1,30 @@
+---
+keycloak_app_uid: "920"
+keycloak_app_gid: "920"
+
+keycloak_db_uid: "921"
+keycloak_db_gid: "921"
+
+# keycloak_base_path: /srv/keycloak
+
+# keycloak_zfs:
+#   pool: storage
+#   name: keycloak
+#   properties:
+#     compression: lz4
+
+# keycloak_instances:
+#   example:
+#     new: yes
+#     version: 11.0.3
+#     port: 8500
+#     hostname: id.example.com
+#     admin:
+#       username: admin
+#       password: "{{ vault_keycloak_admin_passwords['example'] }}"
+#     zfs_properties:
+#       quota: 1G
+#     database:
+#       type: mariadb
+#       version: 10.5.8
+#       password: "{{ vault_keycloak_database_passwords['example'] }}"
diff --git a/roles/apps/keycloak/tasks/main.yml b/roles/apps/keycloak/tasks/main.yml
new file mode 100644
index 00000000..917aa68e
--- /dev/null
+++ b/roles/apps/keycloak/tasks/main.yml
@@ -0,0 +1,105 @@
+---
+- name: create zfs datasets
+  when: keycloak_zfs is defined
+  block:
+  - name: create zfs base dataset
+    zfs:
+      name: "{{ keycloak_zfs.pool }}/{{ keycloak_zfs.name }}"
+      state: present
+      extra_zfs_properties: "{{ keycloak_zfs.properties | default(omit) }}"
+
+  - name: create zfs volumes for instances
+    loop: "{{ keycloak_instances | dict2items }}"
+    loop_control:
+      label: "{{ item.key }} ({{ (item.value.zfs_properties | default({})).items() | map('join', '=') | join(', ') }})"
+    zfs:
+      name: "{{ keycloak_zfs.pool }}/{{ keycloak_zfs.name }}/{{ item.key }}"
+      state: present
+      extra_zfs_properties: "{{ item.value.zfs_properties | default(omit) }}"
+
+  - name: configure keycloak base bath
+    set_fact:
+      keycloak_base_path: "{{ zfs_pools[keycloak_zfs.pool].mountpoint }}/{{ keycloak_zfs.name }}"
+
+
+- name: create instance subdirectories
+  when: keycloak_zfs is not defined
+  loop: "{{ keycloak_instances | list }}"
+  file:
+    path: "{{ keycloak_base_path }}/{{ item }}"
+    state: directory
+
+
+
+- name: add group for keycloak app
+  group:
+    name: kc-app
+    gid: "{{ keycloak_app_gid }}"
+
+- name: add user for keycloak app
+  user:
+    name: kc-app
+    uid: "{{ keycloak_app_uid }}"
+    group: kc-app
+    password: "!"
+
+- name: create keycloak app subdirectory
+  loop: "{{ keycloak_instances | list }}"
+  file:
+    path: "{{ keycloak_base_path }}/{{ item }}/keycloak"
+    owner: "{{ keycloak_app_uid }}"
+    group: "{{ keycloak_app_gid }}"
+    state: directory
+
+
+- name: add group for keycloak db
+  group:
+    name: kc-db
+    gid: "{{ keycloak_db_gid }}"
+
+- name: add user for keycloak db
+  user:
+    name: kc-db
+    uid: "{{ keycloak_db_uid }}"
+    group: kc-db
+    password: "!"
+
+- name: create keycloak database subdirectory
+  loop: "{{ keycloak_instances | dict2items}}"
+  loop_control:
+    label: "{{ item.key }} ({{ item.value.database.type }})"
+  file:
+    path: "{{ keycloak_base_path }}/{{ item.key }}/{{ item.value.database.type }}"
+    owner: "{{ keycloak_db_uid }}"
+    group: "{{ keycloak_db_gid }}"
+    state: directory
+
+
+- name: install pod manifest
+  loop: "{{ keycloak_instances | dict2items }}"
+  loop_control:
+    label: "{{ item.key }}"
+  vars:
+    kubernetes_standalone_pod:
+      name: "keycloak-{{ item.key }}"
+      spec: "{{ lookup('template', 'pod-spec-with-{{ item.value.database.type }}.yml.j2') }}"
+      mode: "0600"
+  include_role:
+    name: kubernetes/standalone/pod
+
+
+- name: configure nginx vhost
+  loop: "{{ keycloak_instances | dict2items }}"
+  loop_control:
+    label: "{{ item.key }}"
+  vars:
+    nginx_vhost:
+      name: "keycloak-{{ item.key }}"
+      template: generic-proxy-no-buffering-with-acme
+      acme: true
+      hostnames:
+      - "{{ item.value.hostname }}"
+      client_max_body_size: "0"
+      proxy_pass: "http://127.0.0.1:{{ item.value.port }}/auth/"
+  include_role:
+    name: nginx/vhost
diff --git a/roles/apps/keycloak/templates/pod-spec-with-mariadb.yml.j2 b/roles/apps/keycloak/templates/pod-spec-with-mariadb.yml.j2
new file mode 100644
index 00000000..dd63d3a0
--- /dev/null
+++ b/roles/apps/keycloak/templates/pod-spec-with-mariadb.yml.j2
@@ -0,0 +1,59 @@
+securityContext:
+  allowPrivilegeEscalation: false
+containers:
+- name: keycloak
+  image: "quay.io/keycloak/keycloak:{{ item.value.version }}"
+  # securityContext:
+  #   runAsUser: {{ keycloak_app_uid }}
+  #   runAsGroup: {{ keycloak_app_gid }}
+  resources:
+    limits:
+      memory: "1Gi"
+  env:
+  - name: DB_VENDOR
+    value: mariadb
+  - name: DB_ADDR
+    value: 127.0.0.1
+  - name: DB_DATABASE
+    value: keycloak
+  - name: DB_USER
+    value: keycloak
+  - name: DB_PASSWORD
+    value: "{{ item.value.database.password }}"
+  - name: KEYCLOAK_USER
+    value: "{{ item.value.admin.username }}"
+  - name: KEYCLOAK_PASSWORD
+    value: "{{ item.value.admin.password }}"
+  - name: KEYCLOAK_FRONTEND_URL
+    value: "https://{{ item.value.hostname }}"
+  ports:
+  - containerPort: 8080
+    hostPort: {{ item.value.port }}
+    hostIP: 127.0.0.1
+- name: database
+  image: "mariadb:{{ item.value.database.version }}"
+  securityContext:
+    runAsUser: {{ keycloak_db_uid }}
+    runAsGroup: {{ keycloak_db_gid }}
+  resources:
+    limits:
+      memory: "512Mi"
+{% if 'new' in item.value and item.value.new %}
+  env:
+  - name: MYSQL_RANDOM_ROOT_PASSWORD
+    value: "true"
+  - name: MYSQL_DATABASE
+    value: keycloak
+  - name: MYSQL_USER
+    value: keycloak
+  - name: MYSQL_PASSWORD
+    value: "{{ item.value.database.password }}"
+{% endif %}
+  volumeMounts:
+  - name: database
+    mountPath: /var/lib/mysql
+volumes:
+- name: database
+  hostPath:
+    path: "{{ keycloak_base_path }}/{{ item.key }}/{{ item.value.database.type }}"
+    type: Directory