

4 commits

Author SHA1 Message Date
ce9d51e1cd [Skip-CI] Use ratelimit ingress 2024-08-27 16:31:52 +02:00
1d22c20da9 Add recommended key 2024-08-27 16:26:55 +02:00
861b43b4bf Add more todos 2024-08-27 16:26:42 +02:00
f98d4ab9b5 Get env from configmap and secret 2024-08-27 15:40:16 +02:00
5 changed files with 42 additions and 50 deletions


@ -40,7 +40,7 @@
(postgres/generate-config config)
[(kc/generate-service config)
(kc/generate-deployment config)]
(kc/generate-ingress config)
(kc/generate-ratelimit-ingress config)
(when (contains? config :mon-cfg)
(mon/generate-config))))))
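Review bot: The new call `(kc/generate-ratelimit-ingress config)` only yields a meaningful rate limit if `config` carries `:max-rate` and `:max-concurrent-requests`, which the keycloak function destructures, and nothing in this hunk shows the `config?` spec requiring them; a missing key would be passed on as `nil` rates without any error at generation time. Consider making those two keys required in the keycloak config spec (or giving them documented defaults) so a misconfiguration fails when the manifests are generated rather than producing an ingress with nil rate values. The enclosing form begins before this hunk.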


@ -26,14 +26,17 @@
(defmethod yaml/load-resource :keycloak [resource-name]
(get (inline-resources "keycloak") resource-name)))
(defn-spec generate-ingress cp/map-or-seq?
(defn-spec generate-ratelimit-ingress seq?
[config config?]
(ing/generate-ingress-and-cert
(merge
{:service-name "keycloak"
:service-port 80
:fqdns [(:fqdn config)]}
config)))
(let [{:keys [fqdn max-rate max-concurrent-requests namespace]} config]
(ing/generate-simple-ingress (merge
{:service-name "forgejo-service"
:service-port 3000
:fqdns [fqdn]
:average-rate max-rate
:burst-rate max-concurrent-requests
:namespace namespace}
config))))
(defn-spec generate-secret cp/map-or-seq?
[config config?
@ -52,7 +55,7 @@
(->
(yaml/load-as-edn "keycloak/service.yaml")
(cm/replace-all-matching "NAMESPACE" namespace))))
; TODO: Fix test
(defn-spec generate-deployment cp/map-or-seq?
[config config?]
(let [{:keys [fqdn namespace]} config]
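Review bot: `generate-ratelimit-ingress` points the keycloak FQDN at `:service-name "forgejo-service"` with `:service-port 3000`, while the `generate-ingress` it replaces targeted `"keycloak"` on port 80; this looks like a copy-paste from the forgejo module and would route Keycloak traffic to a service that does not exist in this namespace. Change the two entries to `:service-name "keycloak"` and `:service-port 80` to match the existing keycloak service. The replacement also switches from `ing/generate-ingress-and-cert` to `ing/generate-simple-ingress` and the return spec from `cp/map-or-seq?` to `seq?`; whether a TLS certificate is still issued for the FQDN is not visible here and is worth confirming, since the deployment still mounts `/etc/certs`. `generate-deployment` at the end of this section continues outside the hunk.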


@ -0,0 +1,20 @@
# TODO: Make generate-configmap function
apiVersion: v1
kind: ConfigMap
metadata:
name: keycloak-env
namespace: NAMESPACE
data:
KC_HTTPS_CERTIFICATE_FILE: /etc/certs/tls.crt
KC_HTTPS_CERTIFICATE_KEY_FILE: /etc/certs/tls.key
KC_HOSTNAME: FQDN
KC_HOSTNAME_ADMIN: ADMIN_FQDN
KC_PROXY: edge
DB_VENDOR: POSTGRES
DB_ADDR: postgresql-service
DB_SCHEMA: public
DB_DATABASE: postgres
# TODO Do we need to enable http, as we are behind ingress?
# KC_HTTP_ENABLED: true
# TODO Maybe also enable load shedding
# KC_HTTP_MAX_QUEUED_REQUESTS: 2000
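Review bot: This ConfigMap is what the deployment's new `envFrom` (`configMapRef: keycloak-env`) expects, but per the TODO on the first line no `generate-configmap` function exists yet, so `NAMESPACE`, `FQDN` and `ADMIN_FQDN` would presumably be applied literally and the pod cannot start until the generator substitutes them. `DB_DATABASE` also changes from the `configMapKeyRef` on `postgres-config`/`postgres-db` that the deployment used before to the hard-coded value `postgres`, so the keycloak and postgres modules can now drift; consider deriving it from the same config key. A header comment such as `# NAMESPACE, FQDN and ADMIN_FQDN are substituted by generate-configmap (TODO: not implemented yet)` would state that contract until the function lands.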


@ -15,6 +15,7 @@ spec:
labels:
app: keycloak
spec:
# TODO: Add Resource allocations
containers:
- name: keycloak
image: quay.io/keycloak/keycloak:20.0.3
@ -25,46 +26,11 @@ spec:
- name: keycloak-cert
mountPath: /etc/certs
readOnly: true
env:
- name: KC_HTTPS_CERTIFICATE_FILE
value: /etc/certs/tls.crt
- name: KC_HTTPS_CERTIFICATE_KEY_FILE
value: /etc/certs/tls.key
- name: KC_HOSTNAME
value: FQDN
- name: KC_PROXY
value: edge
- name: DB_VENDOR
value: POSTGRES
- name: DB_ADDR
value: postgresql-service
- name: DB_SCHEMA
value: public
- name: DB_DATABASE
valueFrom:
configMapKeyRef:
name: postgres-config
key: postgres-db
- name: DB_USER
valueFrom:
secretKeyRef:
name: postgres-secret
key: postgres-user
- name: DB_PASSWORD
valueFrom:
secretKeyRef:
name: postgres-secret
key: postgres-password
- name: KEYCLOAK_ADMIN
valueFrom:
secretKeyRef:
envFrom:
- configMapRef:
name: keycloak-env
- secretRef:
name: keycloak-secret
key: keycloak-user
- name: KEYCLOAK_ADMIN_PASSWORD
valueFrom:
secretKeyRef:
name: keycloak-secret
key: keycloak-password
ports:
- name: http
containerPort: 8080
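Review bot: Moving DB_USER and DB_PASSWORD behind the `keycloak-secret` `secretRef` creates a second copy of the database credential (`DBUSER`/`DBPW` in the new secret) that must be kept in sync with `postgres-secret`, which the removed `secretKeyRef` entries read directly; rotating one without the other surfaces only as a database authentication failure at Keycloak startup. Keeping an explicit `env:` block for those two variables next to `envFrom` preserves a single source of truth and lets `keycloak-secret` hold only the Keycloak admin credential. Note also that with `envFrom` every key of both sources becomes an environment variable verbatim, so the key names in `keycloak-env` and `keycloak-secret` are now part of the container's contract; a comment `# envFrom: every key in keycloak-env / keycloak-secret is injected as an env var name` would make that explicit. The second hunk's surrounding `containers` entry starts before it.
```yaml
          envFrom:
            - configMapRef:
                name: keycloak-env
            - secretRef:
                name: keycloak-secret
          env:
            - name: DB_USER
              valueFrom:
                secretKeyRef:
                  name: postgres-secret
                  key: postgres-user
            - name: DB_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: postgres-secret
                  key: postgres-password
          # … unchanged: ports …
```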


@ -1,3 +1,4 @@
# TODO: Update generate-secret function
apiVersion: v1
kind: Secret
metadata:
@ -5,5 +6,7 @@ metadata:
namespace: NAMESPACE
type: Opaque
data:
keycloak-user: admin
keycloak-password: admin
DB_USER: DBUSER
DB_PASSWORD: DBPW
KEYCLOAK_ADMIN: ADMIN_USER
KEYCLOAK_ADMIN_PASSWORD: ADMIN_PASS
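Review bot: The values under `data:` (`ADMIN_USER`, `ADMIN_PASS`, `DBUSER`, `DBPW`) are substitution placeholders, and `data:` in a Kubernetes Secret must hold base64-encoded strings; unless `generate-secret` (flagged TODO on the first line) encodes after substituting, the API server rejects the object. Switching the key to `stringData:` lets the generator write plain values and have the API server encode them, which the removed literal `admin` entries would also have needed. If the deployment keeps reading `DB_USER`/`DB_PASSWORD` from `postgres-secret`, the `DBUSER`/`DBPW` entries here can be dropped so the database credential lives in one place.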