Switch oidc provider

ansible/vars/metacluster.yml

@@ -39,8 +39,10 @@ platform:
   helm_repositories:
     - name: argo
       url: https://argoproj.github.io/argo-helm
-    - name: dex
+    - name: codecentric
-      url: https://charts.dexidp.io
+      url: https://codecentric.github.io/helm-charts
+    # - name: dex
+    #   url: https://charts.dexidp.io
     - name: gitea-charts
       url: https://dl.gitea.io/charts/
     - name: harbor
@@ -99,53 +101,53 @@ components:
       node_template:
         url: https://{{ repo_username }}:{{ repo_password }}@sn.itch.fyi/Repository/rel/ubuntu-2004-kube-v1.26.3.ova
 
-  dex:
+  # dex:
-    helm:
+  #   helm:
-      version: 0.13.0 # (= Dex 2.35.3)
+  #     version: 0.13.0 # (= Dex 2.35.3)
-      chart: dex/dex
+  #     chart: dex/dex
-      parse_logic: helm template . | yq --no-doc eval '.. | .image? | select(.)' | sort -u | awk '!/ /'
+  #     parse_logic: helm template . | yq --no-doc eval '.. | .image? | select(.)' | sort -u | awk '!/ /'
-      chart_values: !unsafe |
+  #     chart_values: !unsafe |
-        config:
+  #       config:
-          connectors:
+  #         connectors:
-            - type: ldap
+  #           - type: ldap
-              id: ldap
+  #             id: ldap
-              name: "LDAP"
+  #             name: "LDAP"
-              config:
+  #             config:
-                host: "{{ vapp['ldap.fqdn'] }}:636"
+  #               host: "{{ vapp['ldap.fqdn'] }}:636"
-                insecureNoSSL: false
+  #               insecureNoSSL: false
-                insecureSkipVerify: true
+  #               insecureSkipVerify: true
-                bindDN: "{{ vapp['ldap.dn'] }}"
+  #               bindDN: "{{ vapp['ldap.dn'] }}"
-                bindPW: "{{ vapp['ldap.password'] }}"
+  #               bindPW: "{{ vapp['ldap.password'] }}"
 
-                usernamePrompt: "Username"
+  #               usernamePrompt: "Username"
-                userSearch:
+  #               userSearch:
-                  baseDN: OU=Administrators,OU=Useraccounts,DC=bessems,DC=eu
+  #                 baseDN: OU=Administrators,OU=Useraccounts,DC=bessems,DC=eu
-                  filter: "(objectClass=person)"
+  #                 filter: "(objectClass=person)"
-                  username: userPrincipalName
+  #                 username: userPrincipalName
-                  idAttr: DN
+  #                 idAttr: DN
-                  emailAttr: userPrincipalName
+  #                 emailAttr: userPrincipalName
-                  nameAttr: cn
+  #                 nameAttr: cn
 
-                groupSearch:
+  #               groupSearch:
-                  baseDN: OU=Roles,OU=Groups,DC=bessems,DC=eu
+  #                 baseDN: OU=Roles,OU=Groups,DC=bessems,DC=eu
-                  filter: "(objectClass=group)"
+  #                 filter: "(objectClass=group)"
-                  userMatchers:
+  #                 userMatchers:
-                  - userAttr: DN
+  #                 - userAttr: DN
-                    groupAttr: member
+  #                   groupAttr: member
-                  nameAttr: cn
+  #                 nameAttr: cn
-          enablePasswordDB: true
+  #         enablePasswordDB: true
-          issuer: https://oidc.{{ vapp['metacluster.fqdn'] }}
+  #         issuer: https://oidc.{{ vapp['metacluster.fqdn'] }}
-          storage:
+  #         storage:
-            type: kubernetes
+  #           type: kubernetes
-            config:
+  #           config:
-              inCluster: true
+  #             inCluster: true
-        ingress:
+  #       ingress:
-          enabled: true
+  #         enabled: true
-          hosts:
+  #         hosts:
-            - host: oidc.{{ vapp['metacluster.fqdn'] }}
+  #           - host: oidc.{{ vapp['metacluster.fqdn'] }}
-              paths:
+  #             paths:
-                - path: /
+  #               - path: /
-                  pathType: Prefix
+  #                 pathType: Prefix
 
   gitea:
     helm:
@@ -201,6 +203,28 @@ components:
             registry:
               size: 25Gi
 
+  keycloakx:
+    helm:
+      version: 2.1.1  # (= Keycloak 20.0.3)
+      chart: codecentric/keycloakx
+      parse_logic: helm template . | yq --no-doc eval '.. | .image? | select(.)' | sort -u | awk '!/ /'
+      chart_values: !unsafe |
+        command:
+          - "/opt/keycloak/bin/kc.sh"
+          - "start"
+          - "--http-enabled=true"
+          - "--http-port=8080"
+          - "--hostname-strict=false"
+          - "--hostname-strict-https=false"
+        extraEnv: |
+          - name: KEYCLOAK_ADMIN
+            value: admin
+          - name: KEYCLOAK_ADMIN_PASSWORD
+            value: {{ vapp['metacluster.password'] }}
+          - name: JAVA_OPTS_APPEND
+            value: >-
+              -Djgroups.dns.query={{ include "keycloak.fullname" . }}-headless
+
   kube-prometheus-stack:
     helm:
       version: 45.2.0