From 75277e285afb20821ee40892dc6b99dce8e06982 Mon Sep 17 00:00:00 2001
From: Danny Bessems
Date: Sun, 9 Apr 2023 20:04:11 +0200
Subject: [PATCH] Switch oidc provider
---
 ansible/vars/metacluster.yml | 118 +++++++++++++++++++++--------
 1 file changed, 71 insertions(+), 47 deletions(-)
diff --git a/ansible/vars/metacluster.yml b/ansible/vars/metacluster.yml
index 1e77e4d..01ef0cc 100644
--- a/ansible/vars/metacluster.yml
+++ b/ansible/vars/metacluster.yml
@@ -39,8 +39,10 @@ platform:
 helm_repositories:
 - name: argo
 url: https://argoproj.github.io/argo-helm
- - name: dex
- url: https://charts.dexidp.io
+ - name: codecentric
+ url: https://codecentric.github.io/helm-charts
+ # - name: dex
+ # url: https://charts.dexidp.io
 - name: gitea-charts
 url: https://dl.gitea.io/charts/
 - name: harbor
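Review bot: The dex repository entry is retained as commented-out lines (`+ # - name: dex` / `+ # url: https://charts.dexidp.io`) rather than deleted, and the next hunk does the same for the entire `dex:` component block. Commented-out configuration in a vars file drifts from what is deployed and is recoverable from git history anyway, so removing the two dex lines here and the commented `# dex:` block below keeps the file limited to the components that are actually installed. If dex is meant to stay available for a later switch back, a short comment naming the commit that removed it is enough to find it again.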
@@ -99,53 +101,53 @@ components:
 node_template:
 url: https://{{ repo_username }}:{{ repo_password }}@sn.itch.fyi/Repository/rel/ubuntu-2004-kube-v1.26.3.ova
- dex:
- helm:
- version: 0.13.0 # (= Dex 2.35.3)
- chart: dex/dex
- parse_logic: helm template . | yq --no-doc eval '.. | .image? | select(.)' | sort -u | awk '!/ /'
- chart_values: !unsafe |
- config:
- connectors:
- - type: ldap
- id: ldap
- name: "LDAP"
- config:
- host: "{{ vapp['ldap.fqdn'] }}:636"
- insecureNoSSL: false
- insecureSkipVerify: true
- bindDN: "{{ vapp['ldap.dn'] }}"
- bindPW: "{{ vapp['ldap.password'] }}"
+ # dex:
+ # helm:
+ # version: 0.13.0 # (= Dex 2.35.3)
+ # chart: dex/dex
+ # parse_logic: helm template . | yq --no-doc eval '.. | .image? | select(.)' | sort -u | awk '!/ /'
+ # chart_values: !unsafe |
+ # config:
+ # connectors:
+ # - type: ldap
+ # id: ldap
+ # name: "LDAP"
+ # config:
+ # host: "{{ vapp['ldap.fqdn'] }}:636"
+ # insecureNoSSL: false
+ # insecureSkipVerify: true
+ # bindDN: "{{ vapp['ldap.dn'] }}"
+ # bindPW: "{{ vapp['ldap.password'] }}"
- usernamePrompt: "Username"
- userSearch:
- baseDN: OU=Administrators,OU=Useraccounts,DC=bessems,DC=eu
- filter: "(objectClass=person)"
- username: userPrincipalName
- idAttr: DN
- emailAttr: userPrincipalName
- nameAttr: cn
+ # usernamePrompt: "Username"
+ # userSearch:
+ # baseDN: OU=Administrators,OU=Useraccounts,DC=bessems,DC=eu
+ # filter: "(objectClass=person)"
+ # username: userPrincipalName
+ # idAttr: DN
+ # emailAttr: userPrincipalName
+ # nameAttr: cn
- groupSearch:
- baseDN: OU=Roles,OU=Groups,DC=bessems,DC=eu
- filter: "(objectClass=group)"
- userMatchers:
- - userAttr: DN
- groupAttr: member
- nameAttr: cn
- enablePasswordDB: true
- issuer: https://oidc.{{ vapp['metacluster.fqdn'] }}
- storage:
- type: kubernetes
- config:
- inCluster: true
- ingress:
- enabled: true
- hosts:
- - host: oidc.{{ vapp['metacluster.fqdn'] }}
- paths:
- - path: /
- pathType: Prefix
+ # groupSearch:
+ # baseDN: OU=Roles,OU=Groups,DC=bessems,DC=eu
+ # filter: "(objectClass=group)"
+ # userMatchers:
+ # - userAttr: DN
+ # groupAttr: member
+ # nameAttr: cn
+ # enablePasswordDB: true
+ # issuer: https://oidc.{{ vapp['metacluster.fqdn'] }}
+ # storage:
+ # type: kubernetes
+ # config:
+ # inCluster: true
+ # ingress:
+ # enabled: true
+ # hosts:
+ # - host: oidc.{{ vapp['metacluster.fqdn'] }}
+ # paths:
+ # - path: /
+ # pathType: Prefix
 gitea:
 helm:
@@ -201,6 +203,28 @@ components:
 registry:
 size: 25Gi
+ keycloakx:
+ helm:
+ version: 2.1.1 # (= Keycloak 20.0.3)
+ chart: codecentric/keycloakx
+ parse_logic: helm template . | yq --no-doc eval '.. | .image? | select(.)' | sort -u | awk '!/ /'
+ chart_values: !unsafe |
+ command:
+ - "/opt/keycloak/bin/kc.sh"
+ - "start"
+ - "--http-enabled=true"
+ - "--http-port=8080"
+ - "--hostname-strict=false"
+ - "--hostname-strict-https=false"
+ extraEnv: |
+ - name: KEYCLOAK_ADMIN
+ value: admin
+ - name: KEYCLOAK_ADMIN_PASSWORD
+ value: {{ vapp['metacluster.password'] }}
+ - name: JAVA_OPTS_APPEND
+ value: >-
+ -Djgroups.dns.query={{ include "keycloak.fullname" . }}-headless
+
 kube-prometheus-stack:
 helm:
 version: 45.2.0
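Review bot: `value: {{ vapp['metacluster.password'] }}` under `KEYCLOAK_ADMIN_PASSWORD` in the new `keycloakx` block is an unquoted scalar inside text that is presumably templated and then parsed as YAML, so a password that is empty, begins with a YAML indicator, or looks like a number or boolean will be mis-typed or break the parse; quote it, `value: "{{ vapp['metacluster.password'] }}"`, or better reference a Kubernetes Secret through `valueFrom.secretKeyRef` so the admin password is not stored in plain Helm values and the release secret. The same `metacluster.password` value appears to be reused as the Keycloak admin credential, which widens the impact of that one secret being exposed. The `command` list also runs `start` (production mode) with `--http-enabled=true`, `--hostname-strict=false` and `--hostname-strict-https=false`, which disables Keycloak's hostname checks and lets it build issuer and redirect URLs from the incoming Host header; if the pod sits behind a TLS-terminating ingress, set `--hostname=<ingress fqdn, placeholder>` and `--proxy=edge` explicitly instead of turning the checks off.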