
feat: add keycloak
incubator4 committed Oct 25, 2023
1 parent 898a5e9 commit d94f0ec
Showing 5 changed files with 371 additions and 2 deletions.
40 changes: 39 additions & 1 deletion application.tf
Expand Up @@ -4,7 +4,7 @@ resource "argocd_application" "grafana" {
namespace = "guardian"
}
spec {
project = argocd_project.guardian.metadata.name
project = argocd_project.guardian.metadata[0].name
source {
helm {
release_name = "grafana"
Expand All @@ -23,6 +23,44 @@ resource "argocd_application" "grafana" {
ref = "values"
}

destination {
server = argocd_cluster.prod.server
namespace = "guardian"
}
}
}

resource "argocd_application" "keycloak" {
metadata {
name = "keycloak"
namespace = "guardian"
}
spec {
project = argocd_project.guardian.metadata[0].name
source {
helm {
release_name = "keycloak"
value_files = [
"$values/keycloak/prod/values.yaml"
]
}
repo_url = "https://codecentric.github.io/helm-charts"
target_revision = "18.x.x"
chart = "keycloak"
}

source {
repo_url = var.repo_url
target_revision = "HEAD"
ref = "values"
}

source {
repo_url = var.repo_url
target_revision = "HEAD"
path = "keycloak/prod"
}

destination {
server = argocd_cluster.prod.server
namespace = "guardian"
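Review bot: The new keycloak application points at `"$values/keycloak/prod/values.yaml"` and `path = "keycloak/prod"`, but the files this same commit adds live under `keyclock/prod/` (spelled with `ck`), so Argo CD will fail to resolve both the values file and the kustomization path unless the directory is renamed or the two paths are changed to match. Both repo sources also pin `target_revision = "HEAD"`, which means any push to the default branch is applied to prod immediately; if that is intended, a one-line comment saying so would stop a reader from treating it as an oversight. The keycloak resource's destination block continues past the end of the hunk.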
327 changes: 327 additions & 0 deletions argocd/prod/values.yaml
@@ -0,0 +1,327 @@
redis:
# -- Enable redis
enabled: false
externalRedis:
host: r-7gonnosmuqli7wp7bv.redis.rds.aliyuncs.com
existingSecret: argocd-redis
controller:
replicas: 1
server:
autoscaling:
enabled: true
minReplicas: 2
repoServer:
autoscaling:
enabled: true
minReplicas: 2
rbac:
- verbs:
- get
- list
- watch
apiGroups:
- ''
resources:
- secrets
- configmaps
initContainers:
- name: download-tools
image: registry.access.redhat.com/ubi8
env:
- name: AVP_VERSION
value: 1.16.1
command: [sh, -c]
args:
- >-
curl -L https://github.com/argoproj-labs/argocd-vault-plugin/releases/download/v$(AVP_VERSION)/argocd-vault-plugin_$(AVP_VERSION)_linux_amd64 -o argocd-vault-plugin &&
chmod +x argocd-vault-plugin &&
mv argocd-vault-plugin /custom-tools/
volumeMounts:
- mountPath: /custom-tools
name: custom-tools

extraContainers:
# argocd-vault-plugin with plain YAML
- name: avp
command: [/var/run/argocd/argocd-cmp-server]
image: quay.io/argoproj/argocd:v2.8.4
env:
- name: AVP_SECRET
value: guardian:avp-prod
securityContext:
runAsNonRoot: true
runAsUser: 999
volumeMounts:
- mountPath: /var/run/argocd
name: var-files
- mountPath: /home/argocd/cmp-server/plugins
name: plugins
- mountPath: /tmp
name: tmp

# Register plugins into sidecar
- mountPath: /home/argocd/cmp-server/config/plugin.yaml
subPath: avp.yaml
name: cmp-plugin

# Important: Mount tools into $PATH
- name: custom-tools
subPath: argocd-vault-plugin
mountPath: /usr/local/bin/argocd-vault-plugin

- name: avp-helm
command: [/var/run/argocd/argocd-cmp-server]
image: quay.io/argoproj/argocd:v2.8.4
env:
- name: AVP_SECRET
value: guardian:avp-prod
securityContext:
runAsNonRoot: true
runAsUser: 999
volumeMounts:
- mountPath: /var/run/argocd
name: var-files
- mountPath: /home/argocd/cmp-server/plugins
name: plugins
- mountPath: /tmp
name: tmp
- mountPath: /home/argocd/cmp-server/config/plugin.yaml
subPath: avp-helm.yaml
name: cmp-plugin
- name: custom-tools
subPath: argocd-vault-plugin
mountPath: /usr/local/bin/argocd-vault-plugin

- name: avp-helm-args
command: [/var/run/argocd/argocd-cmp-server]
image: quay.io/argoproj/argocd:v2.8.4
env:
- name: AVP_SECRET
value: guardian:avp-prod
securityContext:
runAsNonRoot: true
runAsUser: 999
volumeMounts:
- mountPath: /var/run/argocd
name: var-files
- mountPath: /home/argocd/cmp-server/plugins
name: plugins
- mountPath: /tmp
name: tmp
- mountPath: /home/argocd/cmp-server/config/plugin.yaml
subPath: avp-helm-args.yaml
name: cmp-plugin
- name: custom-tools
subPath: argocd-vault-plugin
mountPath: /usr/local/bin/argocd-vault-plugin

- name: avp-helm-values
command: [/var/run/argocd/argocd-cmp-server]
image: quay.io/argoproj/argocd:v2.8.4
env:
- name: AVP_SECRET
value: guardian:avp-prod
securityContext:
runAsNonRoot: true
runAsUser: 999
volumeMounts:
- mountPath: /var/run/argocd
name: var-files
- mountPath: /home/argocd/cmp-server/plugins
name: plugins
- mountPath: /tmp
name: tmp
- mountPath: /home/argocd/cmp-server/config/plugin.yaml
subPath: avp-helm-values.yaml
name: cmp-plugin
- name: custom-tools
subPath: argocd-vault-plugin
mountPath: /usr/local/bin/argocd-vault-plugin

- name: avp-kustomize
command: [/var/run/argocd/argocd-cmp-server]
image: quay.io/argoproj/argocd:v2.8.4
env:
- name: AVP_SECRET
value: guardian:avp-prod
securityContext:
runAsNonRoot: true
runAsUser: 999
volumeMounts:
- mountPath: /var/run/argocd
name: var-files
- mountPath: /home/argocd/cmp-server/plugins
name: plugins
- mountPath: /tmp
name: tmp
- mountPath: /home/argocd/cmp-server/config/plugin.yaml
subPath: avp-kustomize.yaml
name: cmp-plugin
- name: custom-tools
subPath: argocd-vault-plugin
mountPath: /usr/local/bin/argocd-vault-plugin

volumes:
- configMap:
name: argocd-cmp-cm
name: cmp-plugin
- name: custom-tools
emptyDir: {}
applicationSet:
replicas: 2

configs:
# General Argo CD configuration
## Ref: https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/argocd-cm.yaml
cm:
url: "https://argocd.nsl.xyz"
dex.config: |
connectors:
# GitHub example
- type: github
id: github
name: GitHub
config:
issuer: https://account.nsl.xyz/auth/realms/google
clientID: argocd
clientSecret: $oidc.keycloak.clientSecret
redirectURI: https://argocd.nsl.xyz/dex/callback
scopes:
- openid
- profile
- email
insecureSkipEmailVerified: true
insecureEnableGroups: true
userIDKey: email
userNameKey: email
# OIDC configuration as an alternative to dex (optional).
# oidc.config: |
# name: Keycloak
# issuer: https://account.nsl.xyz/auth/realms/google
# clientID: argocd
# clientSecret: $oidc.keycloak.clientSecret
# requestedScopes: ["email"]
# rootCA: |
# -----BEGIN CERTIFICATE-----
# ... encoded certificate data here ...
# -----END CERTIFICATE-----
# requestedIDTokenClaims:
# groups:
# essential: true
# requestedScopes:
# - openid
# - profile
# - email

params:
server.insecure: true

# ConfigMap for Config Management Plugins
# Ref: https://argo-cd.readthedocs.io/en/stable/operator-manual/config-management-plugins/
cmp:
create: true
plugins:
avp-helm:
allowConcurrency: true
discover:
find:
command:
- sh
- "-c"
- "find . -name 'Chart.yaml' && find . -name 'values.yaml'"
generate:
command:
- bash
- "-c"
- helm template $ARGOCD_APP_NAME --include-crds . | argocd-vault-plugin generate -s ${AVP_SECRET} -
lockRepo: false
avp-helm-args:
allowConcurrency: true
discover:
find:
command:
- sh
- "-c"
- "find . -name 'Chart.yaml' && find . -name 'values.yaml'"
generate:
command:
- bash
- "-c"
- |
helm template $ARGOCD_APP_NAME --include-crds -n $ARGOCD_APP_NAMESPACE ${ARGOCD_ENV_HELM_ARGS} . |
argocd-vault-plugin generate -s ${AVP_SECRET} -
lockRepo: false
avp-helm-values:
allowConcurrency: true
discover:
find:
command:
- sh
- "-c"
- "find . -name 'Chart.yaml' && find . -name 'values.yaml'"
generate:
command:
- bash
- "-c"
- |
helm template "$ARGOCD_APP_NAME" -f <(echo "$ARGOCD_ENV_HELM_VALUES") . |
argocd-vault-plugin generate -s ${AVP_SECRET} -
lockRepo: false
avp-kustomize:
allowConcurrency: true
discover:
find:
command:
- sh
- "-c"
- "find . -name '*.yaml' | xargs -I {} grep \"<path\\|avp\\.kubernetes\\.io\" {} | grep ."
generate:
command:
- sh
- "-c"
- kustomize build . | argocd-vault-plugin generate -s ${AVP_SECRET} -
lockRepo: false
avp:
allowConcurrency: true
discover:
find:
command:
- sh
- "-c"
- "find . -name '*.yaml' | xargs -I {} grep \"<path\\|avp\\.kubernetes\\.io\" {} | grep ."
generate:
command:
- argocd-vault-plugin
- generate
- "."
- "-s"
- "${AVP_SECRET}"
lockRepo: false

rbac:
# -- Create the argocd-rbac-cm configmap with ([Argo CD RBAC policy]) definitions.
# If false, it is expected the configmap will be created by something else.
# Argo CD will not work if there is no configmap created with the name above.
create: true

# -- Annotations to be added to argocd-rbac-cm configmap
annotations: { }

# -- The name of the default role which Argo CD will falls back to, when authorizing API requests (optional).
# If omitted or empty, users may be still be able to login, but will see no apps, projects, etc...
policy.default: ''

# -- File containing user-defined policies and role definitions.
# @default -- `''` (See [values.yaml])
policy.csv: |
p, role:org-admin, applications, *, */*, allow
p, role:org-admin, clusters, get, *, allow
p, role:org-admin, repositories, *, *, allow
p, role:org-admin, logs, get, *, allow
p, role:org-admin, exec, create, */*, allow
g, admin, role:org-admin
g, devops, role:org-admin
# -- OIDC scopes to examine during rbac enforcement (in addition to `sub` scope).
# The scope value can be a string, or a list of strings.
scopes: "[groups]"
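Review bot: The Dex connector under `dex.config` is declared as `type: github` but is filled with OIDC-connector fields (`issuer`, `scopes`, `insecureSkipEmailVerified`, `userIDKey`, `userNameKey`) that the GitHub connector does not read, so logins would be sent to GitHub's OAuth endpoints rather than the Keycloak realm named in `issuer`; the block presumably wants `type: oidc`, `id: keycloak`, `name: Keycloak`, with the leftover `# GitHub example` comment dropped. `insecureSkipEmailVerified: true` and `insecureEnableGroups: true` make Argo CD trust unverified email addresses and upstream group claims for the `g, admin, role:org-admin` / `g, devops, role:org-admin` bindings in `policy.csv`, so that trust rests entirely on the Keycloak realm's own verification and group mapping and deserves a comment next to those two keys. The `download-tools` init container pulls the AVP binary over the network with no checksum and from an untagged `registry.access.redhat.com/ubi8` image, so the image should be pinned and the download verified before it lands in `/custom-tools`, as sketched below. The repo-server `rbac` entry grants `get`/`list`/`watch` on every Secret and ConfigMap in the namespace, which is wider than the single `guardian:avp-prod` Secret the sidecars reference; if AVP's Kubernetes backend only needs `get` (verify against its docs), `get` plus `resourceNames` would be tighter. `server.insecure: true` disables TLS on argocd-server itself, which is acceptable only if the ingress terminates TLS and the hop to the pod stays in-cluster — a one-line comment stating that assumption would help.
```yaml
initContainers:
  - name: download-tools
    image: registry.access.redhat.com/ubi8:<PINNED_TAG_OR_DIGEST>  # placeholder: pin the tool image
    env:
      - name: AVP_VERSION
        value: "1.16.1"
      - name: AVP_SHA256
        value: "<SHA256_OF_argocd-vault-plugin_1.16.1_linux_amd64>"  # placeholder: record the release checksum here
    command: [sh, -c]
    args:
      - >-
        curl -fsSL https://github.com/argoproj-labs/argocd-vault-plugin/releases/download/v$(AVP_VERSION)/argocd-vault-plugin_$(AVP_VERSION)_linux_amd64 -o argocd-vault-plugin &&
        echo "$(AVP_SHA256)  argocd-vault-plugin" | sha256sum -c - &&
        chmod +x argocd-vault-plugin &&
        mv argocd-vault-plugin /custom-tools/
    # … unchanged: volumeMounts …
```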
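--- a/keyclock/prod/kustomization.yaml
+++ b/keyclock/prod/kustomization.yaml
@@ -0,0 +1,2 @@
+resources:
+- route.yaml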
2 changes: 2 additions & 0 deletions keyclock/prod/values.yaml
Expand Up @@ -3,6 +3,8 @@ keycloak:
persistence:
deployPostgres: false

replicas: 2

extraEnv: |
- name: JAVA_OPTS
value: >-
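Review bot: `replicas: 2` scales Keycloak to two pods, but nothing visible in the hunk configures cluster/cache discovery between them, so the two replicas may run with independent session caches and users could see inconsistent login state depending on which pod serves a request. The `extraEnv` block continues past the hunk, so if discovery settings (for this chart, presumably the JGroups discovery variables its values example documents — verify) are set there, a short comment on `replicas: 2` pointing to them would make that dependency explicit.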
