Switch OIDC provider

2023-04-13 10:11:13 +02:00 · 2023-04-13 10:11:13 +02:00 · 572b7df74c
commit 572b7df74c
parent ee08fd47b5
1 changed files with 58 additions and 39 deletions
--- a/ansible/vars/metacluster.yml
+++ b/ansible/vars/metacluster.yml
@ -3,12 +3,6 @@ platform:
  k3s:
    version: v1.26.3+k3s1
  # gitops:
  #   repository:
  #     uri: https://code.spamasaurus.com/djpbessems/GitOps.MetaCluster.git
  #     # revision: v0.1.0
  #     revision: HEAD
  packaged_components:
    - name: traefik
      namespace: kube-system
@ -39,8 +33,10 @@ platform:
  helm_repositories:
    - name: argo
      url: https://argoproj.github.io/argo-helm
-    - name: codecentric
+    - name: authentik
-      url: https://codecentric.github.io/helm-charts
+      url: https://charts.goauthentik.io
    # - name: codecentric
    #   url: https://codecentric.github.io/helm-charts
    # - name: dex
    #   url: https://charts.dexidp.io
    - name: gitea-charts
@ -75,6 +71,29 @@ components:
            hosts:
              - gitops.{{ vapp['metacluster.fqdn'] }}
  authentik:
    helm:
      version: 2023.3.1
      chart: authentik/authentik
      parse_logic: helm template . --set postgresql.enabled=true,redis.enabled=true | yq --no-doc eval '.. | .image? | select(.)' | sort -u | awk '!/ /'
      chart_values: !unsafe |
        authentik:
          secret_key: {{ lookup('ansible.builtin.password', '/dev/null length=64 chars=ascii_lowercase,digits seed=' ~ vapp['guestinfo.hostname']) }}
          postgresql:
            password: {{ lookup('ansible.builtin.password', '/dev/null length=32 chars=ascii_lowercase,digits seed=' ~ vapp['guestinfo.hostname']) }}
        ingress:
          enabled: true
          hosts:
            - host: auth.{{ vapp['metacluster.fqdn'] }}
              paths:
                - path: "/"
                  pathType: Prefix
        postgresql:
          enabled: true
          postgresqlPassword: {{ lookup('ansible.builtin.password', '/dev/null length=32 chars=ascii_lowercase,digits seed=' ~ vapp['guestinfo.hostname']) }}
        redis:
          enabled: true
  cert-manager:
    helm:
      version: 1.11.0
@ -203,37 +222,37 @@ components:
            registry:
              size: 25Gi
-  keycloakx:
+  # keycloakx:
-    helm:
+  #   helm:
-      version: 2.1.1  # (= Keycloak 20.0.3)
+  #     version: 2.1.1  # (= Keycloak 20.0.3)
-      chart: codecentric/keycloakx
+  #     chart: codecentric/keycloakx
-      parse_logic: helm template . | yq --no-doc eval '.. | .image? | select(.)' | sort -u | awk '!/ /'
+  #     parse_logic: helm template . | yq --no-doc eval '.. | .image? | select(.)' | sort -u | awk '!/ /'
-      chart_values: !unsafe |
+  #     chart_values: !unsafe |
-        command:
+  #       command:
-          - "/opt/keycloak/bin/kc.sh"
+  #         - "/opt/keycloak/bin/kc.sh"
-          - "start"
+  #         - "start"
-          - "--http-enabled=true"
+  #         - "--http-enabled=true"
-          - "--http-port=8080"
+  #         - "--http-port=8080"
-          - "--hostname-strict=false"
+  #         - "--hostname-strict=false"
-          - "--hostname-strict-https=false"
+  #         - "--hostname-strict-https=false"
-        extraEnv: |
+  #       extraEnv: |
-          - name: KEYCLOAK_ADMIN
+  #         - name: KEYCLOAK_ADMIN
-            value: admin
+  #           value: admin
-          - name: KEYCLOAK_ADMIN_PASSWORD
+  #         - name: KEYCLOAK_ADMIN_PASSWORD
-            value: {{ vapp['metacluster.password'] }}
+  #           value: {{ vapp['metacluster.password'] }}
-          - name: KC_PROXY
+  #         - name: KC_PROXY
-            value: "passthrough"
+  #           value: "passthrough"
-          - name: JAVA_OPTS_APPEND
+  #         - name: JAVA_OPTS_APPEND
-            value: >-
+  #           value: >-
-              -Djgroups.dns.query={% raw %}{{ include "keycloak.fullname" . }}{% endraw %}-headless
+  #             -Djgroups.dns.query={% raw %}{{ include "keycloak.fullname" . }}{% endraw %}-headless
-        ingress:
+  #       ingress:
-          enabled: true
+  #         enabled: true
-          rules:
+  #         rules:
-            - host: keycloak.{{ vapp['metacluster.fqdn'] }}
+  #           - host: keycloak.{{ vapp['metacluster.fqdn'] }}
-              paths:
+  #             paths:
-                - path: /
+  #               - path: /
-                  pathType: Prefix
+  #                 pathType: Prefix
-          tls: []
+  #         tls: []
  kube-prometheus-stack:
    helm: