From 572b7df74cae7fd2b37d67982ac967e8766abc90 Mon Sep 17 00:00:00 2001
From: Danny Bessems
Date: Thu, 13 Apr 2023 10:11:13 +0200
Subject: [PATCH] Switch OIDC provider

---
ansible/vars/metacluster.yml | 97 +++++++++++++++++++++---------------
1 file changed, 58 insertions(+), 39 deletions(-)

diff --git a/ansible/vars/metacluster.yml b/ansible/vars/metacluster.yml
index 7a71c83..a772e01 100644
--- a/ansible/vars/metacluster.yml
+++ b/ansible/vars/metacluster.yml
@@ -3,12 +3,6 @@ platform:
k3s:
version: v1.26.3+k3s1
- # gitops:
- # repository:
- # uri: https://code.spamasaurus.com/djpbessems/GitOps.MetaCluster.git
- # # revision: v0.1.0
- # revision: HEAD
-
packaged_components:
- name: traefik
namespace: kube-system
@@ -39,8 +33,10 @@ platform:
helm_repositories:
- name: argo
url: https://argoproj.github.io/argo-helm
- - name: codecentric
- url: https://codecentric.github.io/helm-charts
+ - name: authentik
+ url: https://charts.goauthentik.io
+ # - name: codecentric
+ # url: https://codecentric.github.io/helm-charts
# - name: dex
# url: https://charts.dexidp.io
- name: gitea-charts
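Review bot: The `codecentric` repository entry is commented out rather than deleted (`# - name: codecentric` / `# url: https://codecentric.github.io/helm-charts`), joining the already-commented `dex` entry, and the last hunk of the patch does the same with the entire 31-line `keycloakx` block, including its `KEYCLOAK_ADMIN_PASSWORD` entry wired to `vapp['metacluster.password']`. The commit is titled "Switch OIDC provider", so the replaced configuration remains recoverable from git history; keeping it as comments leaves a stale admin-credential wiring and an unused chart repository in the live vars file where they will drift from the charts they describe. Suggest deleting both commented blocks, or, if they are kept deliberately for a rollback, adding a one-line comment above each stating that and pointing at the commit to revert to.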
@@ -75,6 +71,29 @@ components:
hosts:
- gitops.{{ vapp['metacluster.fqdn'] }}
+ authentik:
+ helm:
+ version: 2023.3.1
+ chart: authentik/authentik
+ parse_logic: helm template . --set postgresql.enabled=true,redis.enabled=true | yq --no-doc eval '.. | .image? | select(.)' | sort -u | awk '!/ /'
+ chart_values: !unsafe |
+ authentik:
+ secret_key: {{ lookup('ansible.builtin.password', '/dev/null length=64 chars=ascii_lowercase,digits seed=' ~ vapp['guestinfo.hostname']) }}
+ postgresql:
+ password: {{ lookup('ansible.builtin.password', '/dev/null length=32 chars=ascii_lowercase,digits seed=' ~ vapp['guestinfo.hostname']) }}
+ ingress:
+ enabled: true
+ hosts:
+ - host: auth.{{ vapp['metacluster.fqdn'] }}
+ paths:
+ - path: "/"
+ pathType: Prefix
+ postgresql:
+ enabled: true
+ postgresqlPassword: {{ lookup('ansible.builtin.password', '/dev/null length=32 chars=ascii_lowercase,digits seed=' ~ vapp['guestinfo.hostname']) }}
+ redis:
+ enabled: true
+
cert-manager:
helm:
version: 1.11.0
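Review bot: The authentik `secret_key` and both PostgreSQL passwords are produced by `lookup('ansible.builtin.password', '/dev/null ... seed=' ~ vapp['guestinfo.hostname'])`, so every secret is a deterministic function of the guest hostname plus this playbook, and a hostname is not a secret; since all three calls use the same seed and the same `ascii_lowercase,digits` charset, the seeded generator appears to yield the 32-character password as the first 32 characters of the 64-character secret_key. Anyone who knows the hostname and can read this repository can regenerate the OIDC provider's secret key and database password. Consider generating each secret once with the unseeded lookup and persisting it, e.g. `lookup('ansible.builtin.password', '<PERSISTED_SECRET_PATH>/authentik_secret_key length=64')` (path is a placeholder), or sourcing it from a vault; if a seed must be kept for idempotency, use a distinct, non-guessable seed per secret. The `auth.` ingress also has no `tls:` entry, unlike the keycloakx block being removed; confirm the ingress controller terminates TLS for it by default.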
@@ -203,37 +222,37 @@ components:
registry:
size: 25Gi
- keycloakx:
- helm:
- version: 2.1.1 # (= Keycloak 20.0.3)
- chart: codecentric/keycloakx
- parse_logic: helm template . | yq --no-doc eval '.. | .image? | select(.)' | sort -u | awk '!/ /'
- chart_values: !unsafe |
- command:
- - "/opt/keycloak/bin/kc.sh"
- - "start"
- - "--http-enabled=true"
- - "--http-port=8080"
- - "--hostname-strict=false"
- - "--hostname-strict-https=false"
- extraEnv: |
- - name: KEYCLOAK_ADMIN
- value: admin
- - name: KEYCLOAK_ADMIN_PASSWORD
- value: {{ vapp['metacluster.password'] }}
- - name: KC_PROXY
- value: "passthrough"
- - name: JAVA_OPTS_APPEND
- value: >-
- -Djgroups.dns.query={% raw %}{{ include "keycloak.fullname" . }}{% endraw %}-headless
- ingress:
- enabled: true
- rules:
- - host: keycloak.{{ vapp['metacluster.fqdn'] }}
- paths:
- - path: /
- pathType: Prefix
- tls: []
+ # keycloakx:
+ # helm:
+ # version: 2.1.1 # (= Keycloak 20.0.3)
+ # chart: codecentric/keycloakx
+ # parse_logic: helm template . | yq --no-doc eval '.. | .image? | select(.)' | sort -u | awk '!/ /'
+ # chart_values: !unsafe |
+ # command:
+ # - "/opt/keycloak/bin/kc.sh"
+ # - "start"
+ # - "--http-enabled=true"
+ # - "--http-port=8080"
+ # - "--hostname-strict=false"
+ # - "--hostname-strict-https=false"
+ # extraEnv: |
+ # - name: KEYCLOAK_ADMIN
+ # value: admin
+ # - name: KEYCLOAK_ADMIN_PASSWORD
+ # value: {{ vapp['metacluster.password'] }}
+ # - name: KC_PROXY
+ # value: "passthrough"
+ # - name: JAVA_OPTS_APPEND
+ # value: >-
+ # -Djgroups.dns.query={% raw %}{{ include "keycloak.fullname" . }}{% endraw %}-headless
+ # ingress:
+ # enabled: true
+ # rules:
+ # - host: keycloak.{{ vapp['metacluster.fqdn'] }}
+ # paths:
+ # - path: /
+ # pathType: Prefix
+ # tls: []
kube-prometheus-stack:
helm: