From d4058a775c42277a6e9bc3d58d9a8bbfccc99bea Mon Sep 17 00:00:00 2001
From: Christian Pointner
Date: Thu, 26 Nov 2020 20:10:56 +0100
Subject: add role for app keycloak
---
 roles/apps/keycloak/defaults/main.yml | 30 ++++++
 roles/apps/keycloak/tasks/main.yml | 105 +++++++++++++++++++++
 .../templates/pod-spec-with-mariadb.yml.j2 | 59 ++++++++++++
 3 files changed, 194 insertions(+)
 create mode 100644 roles/apps/keycloak/defaults/main.yml
 create mode 100644 roles/apps/keycloak/tasks/main.yml
 create mode 100644 roles/apps/keycloak/templates/pod-spec-with-mariadb.yml.j2
(limited to 'roles/apps/keycloak')
diff --git a/roles/apps/keycloak/defaults/main.yml b/roles/apps/keycloak/defaults/main.yml
new file mode 100644
index 00000000..24326601
--- /dev/null
+++ b/roles/apps/keycloak/defaults/main.yml
@@ -0,0 +1,30 @@
+---
+keycloak_app_uid: "920"
+keycloak_app_gid: "920"
+
+keycloak_db_uid: "921"
+keycloak_db_gid: "921"
+
+# keycloak_base_path: /srv/keycloak
+
+# keycloak_zfs:
+# pool: storage
+# name: keycloak
+# properties:
+# compression: lz4
+
+# keycloak_instances:
+# example:
+# new: yes
+# version: 11.0.3
+# port: 8500
+# hostname: id.example.com
+# admin:
+# username: admin
+# password: "{{ vault_keycloak_admin_passwords['example'] }}"
+# zfs_properties:
+# quota: 1G
+# database:
+# type: mariadb
+# version: 10.5.8
+# password: "{{ vault_keycloak_database_passwords['example'] }}"
diff --git a/roles/apps/keycloak/tasks/main.yml b/roles/apps/keycloak/tasks/main.yml
new file mode 100644
index 00000000..917aa68e
--- /dev/null
+++ b/roles/apps/keycloak/tasks/main.yml
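Review bot: The example `keycloak_instances` block lists a `new` key without saying what it controls, and the only place the role reads it is the pod template, where a truthy `new` adds the `MYSQL_RANDOM_ROOT_PASSWORD`/`MYSQL_DATABASE`/`MYSQL_USER`/`MYSQL_PASSWORD` variables to the database container. A comment on the example would spare the operator a trip through the template: `#     new: true  # first start only: the mariadb image creates the database and user from MYSQL_*; presumably unset once initialised`. Spelling it `true` rather than `yes` also matches the canonical boolean form the tasks file uses (`acme: true`). The version examples (`11.0.3`, `10.5.8`) are safe as plain scalars since two dots keep them strings, but a single-dot version such as `10.5` would become a float, so quoting them in the example sets the safer habit.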
@@ -0,0 +1,105 @@
+---
+- name: create zfs datasets
+ when: keycloak_zfs is defined
+ block:
+ - name: create zfs base dataset
+ zfs:
+ name: "{{ keycloak_zfs.pool }}/{{ keycloak_zfs.name }}"
+ state: present
+ extra_zfs_properties: "{{ keycloak_zfs.properties | default(omit) }}"
+
+ - name: create zfs volumes for instances
+ loop: "{{ keycloak_instances | dict2items }}"
+ loop_control:
+ label: "{{ item.key }} ({{ (item.value.zfs_properties | default({})).items() | map('join', '=') | join(', ') }})"
+ zfs:
+ name: "{{ keycloak_zfs.pool }}/{{ keycloak_zfs.name }}/{{ item.key }}"
+ state: present
+ extra_zfs_properties: "{{ item.value.zfs_properties | default(omit) }}"
+
+ - name: configure keycloak base bath
+ set_fact:
+ keycloak_base_path: "{{ zfs_pools[keycloak_zfs.pool].mountpoint }}/{{ keycloak_zfs.name }}"
+
+
+- name: create instance subdirectories
+ when: keycloak_zfs is not defined
+ loop: "{{ keycloak_instances | list }}"
+ file:
+ path: "{{ keycloak_base_path }}/{{ item }}"
+ state: directory
+
+
+
+- name: add group for keycloak app
+ group:
+ name: kc-app
+ gid: "{{ keycloak_app_gid }}"
+
+- name: add user for keycloak app
+ user:
+ name: kc-app
+ uid: "{{ keycloak_app_uid }}"
+ group: kc-app
+ password: "!"
+
+- name: create keycloak app subdirectory
+ loop: "{{ keycloak_instances | list }}"
+ file:
+ path: "{{ keycloak_base_path }}/{{ item }}/keycloak"
+ owner: "{{ keycloak_app_uid }}"
+ group: "{{ keycloak_app_gid }}"
+ state: directory
+
+
+- name: add group for keycloak db
+ group:
+ name: kc-db
+ gid: "{{ keycloak_db_gid }}"
+
+- name: add user for keycloak db
+ user:
+ name: kc-db
+ uid: "{{ keycloak_db_uid }}"
+ group: kc-db
+ password: "!"
+
+- name: create keycloak database subdirectory
+ loop: "{{ keycloak_instances | dict2items}}"
+ loop_control:
+ label: "{{ item.key }} ({{ item.value.database.type }})"
+ file:
+ path: "{{ keycloak_base_path }}/{{ item.key }}/{{ item.value.database.type }}"
+ owner: "{{ keycloak_db_uid }}"
+ group: "{{ keycloak_db_gid }}"
+ state: directory
+
+
+- name: install pod manifest
+ loop: "{{ keycloak_instances | dict2items }}"
+ loop_control:
+ label: "{{ item.key }}"
+ vars:
+ kubernetes_standalone_pod:
+ name: "keycloak-{{ item.key }}"
+ spec: "{{ lookup('template', 'pod-spec-with-{{ item.value.database.type }}.yml.j2') }}"
+ mode: "0600"
+ include_role:
+ name: kubernetes/standalone/pod
+
+
+- name: configure nginx vhost
+ loop: "{{ keycloak_instances | dict2items }}"
+ loop_control:
+ label: "{{ item.key }}"
+ vars:
+ nginx_vhost:
+ name: "keycloak-{{ item.key }}"
+ template: generic-proxy-no-buffering-with-acme
+ acme: true
+ hostnames:
+ - "{{ item.value.hostname }}"
+ client_max_body_size: "0"
+ proxy_pass: "http://127.0.0.1:{{ item.value.port }}/auth/"
+ include_role:
+ name: nginx/vhost
diff --git a/roles/apps/keycloak/templates/pod-spec-with-mariadb.yml.j2 b/roles/apps/keycloak/templates/pod-spec-with-mariadb.yml.j2
new file mode 100644
index 00000000..dd63d3a0
--- /dev/null
+++ b/roles/apps/keycloak/templates/pod-spec-with-mariadb.yml.j2
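Review bot: `item.value.database.type` is interpolated into a directory name (`create keycloak database subdirectory`) and into the template file name of `install pod manifest` without ever being checked, and the commit only ships `pod-spec-with-mariadb.yml.j2`, so any other value surfaces as a template-lookup error inside `include_role` rather than as a message naming the instance. An `assert` task at the top of the file, before `create zfs datasets`, would fail early and is cheap to keep in step as further database templates are added. The `mode: "0600"` on the manifest is the right call, since the rendered spec carries the database and admin passwords in clear; a one-line comment saying so (`# manifest embeds DB and admin passwords`) would stop someone relaxing it later. Two smaller things in the same hunk: the task name `configure keycloak base bath` should read `configure keycloak base path`, and `{{ keycloak_instances | dict2items}}` in `create keycloak database subdirectory` is missing the space before `}}` that every other expression in the file has.
```yaml
- name: check database type of keycloak instances
  loop: "{{ keycloak_instances | dict2items }}"
  loop_control:
    label: "{{ item.key }}"
  assert:
    that: "item.value.database.type in ['mariadb']"
    fail_msg: "unsupported database type '{{ item.value.database.type }}' for keycloak instance {{ item.key }}"

# … unchanged: create zfs datasets and the remaining tasks …
```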
@@ -0,0 +1,59 @@
+securityContext:
+ allowPrivilegeEscalation: false
+containers:
+- name: keycloak
+ image: "quay.io/keycloak/keycloak:{{ item.value.version }}"
+ # securityContext:
+ # runAsUser: {{ keycloak_app_uid }}
+ # runAsGroup: {{ keycloak_app_gid }}
+ resources:
+ limits:
+ memory: "1Gi"
+ env:
+ - name: DB_VENDOR
+ value: mariadb
+ - name: DB_ADDR
+ value: 127.0.0.1
+ - name: DB_DATABASE
+ value: keycloak
+ - name: DB_USER
+ value: keycloak
+ - name: DB_PASSWORD
+ value: "{{ item.value.database.password }}"
+ - name: KEYCLOAK_USER
+ value: "{{ item.value.admin.username }}"
+ - name: KEYCLOAK_PASSWORD
+ value: "{{ item.value.admin.password }}"
+ - name: KEYCLOAK_FRONTEND_URL
+ value: "https://{{ item.value.hostname }}"
+ ports:
+ - containerPort: 8080
+ hostPort: {{ item.value.port }}
+ hostIP: 127.0.0.1
+- name: database
+ image: "mariadb:{{ item.value.database.version }}"
+ securityContext:
+ runAsUser: {{ keycloak_db_uid }}
+ runAsGroup: {{ keycloak_db_gid }}
+ resources:
+ limits:
+ memory: "512Mi"
+{% if 'new' in item.value and item.value.new %}
+ env:
+ - name: MYSQL_RANDOM_ROOT_PASSWORD
+ value: "true"
+ - name: MYSQL_DATABASE
+ value: keycloak
+ - name: MYSQL_USER
+ value: keycloak
+ - name: MYSQL_PASSWORD
+ value: "{{ item.value.database.password }}"
+{% endif %}
+ volumeMounts:
+ - name: database
+ mountPath: /var/lib/mysql
+volumes:
+- name: database
+ hostPath:
+ path: "{{ keycloak_base_path }}/{{ item.key }}/{{ item.value.database.type }}"
+ type: Directory
--
cgit v1.2.3
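Review bot: `allowPrivilegeEscalation` in the pod-level `securityContext` at the top of the spec is a container-level field, not a pod-level one, so as written it most likely has no effect on either container. Drop the two pod-level lines and set it per container: add `securityContext:` with `allowPrivilegeEscalation: false` to the `keycloak` container (whose securityContext is currently commented out in full) and `allowPrivilegeEscalation: false` next to `runAsUser`/`runAsGroup` on the `database` container. With the keycloak container's securityContext commented out it runs as whatever user the image defaults to, while the tasks file creates and chowns a `keycloak` subdirectory to `keycloak_app_uid` that this template never mounts — if leaving the uid to the image is intentional, a comment above the commented block saying why (and that the directory is reserved for later use, presumably) would keep the next reader from "fixing" it. The rendered spec carries `DB_PASSWORD`, `MYSQL_PASSWORD` and `KEYCLOAK_PASSWORD` as plain env values, which is why the `0600` manifest mode in the tasks file matters; a header comment here, `# rendered into the pod manifest with mode 0600: contains database and admin passwords`, documents that dependency where it is easiest to forget.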