Add Keycloak provider and Keycloak Gitea client

2023-09-28 19:19:58 +01:00 · 2023-09-28 19:19:58 +01:00 · 4f02ff777e
parent d97354ffc0
commit 4f02ff777e
3 changed files with 89 additions and 0 deletions
--- a/.gitignore
+++ b/.gitignore
@ -2,3 +2,4 @@
 .terraform/
 terraform.tfstate
 terraform.tfstate.backup
+secret_vars.tf
--- a/main.tf
+++ b/main.tf
@ -8,6 +8,10 @@ terraform {
      source = "hashicorp/kubernetes"
      version = "~> 2.23.0"
    }
+    keycloak = {
+      source = "mrparkers/keycloak"
+      version = "4.3.1"
+    }
  }
 }

@ -21,6 +25,12 @@ provider "helm" {
  }
 }

+provider "keycloak" {
+  client_id = "terraform"
+  client_secret = var.keycloak_client_secret
+  url = "https://keycloak.${var.domain_suffix}"
+}
+
 resource "kubernetes_namespace" "gitea_ns" {
  metadata {
    name = var.gitea_namespace
@ -70,3 +80,73 @@ resource "helm_release" "gitea" {
  }
 }

+resource "helm_release" "keycloak" {
+  name                       = "keycloak"
+  namespace                  = var.keycloak_namespace
+  repository                 = "https://charts.bitnami.com/bitnami/"
+  chart                      = "keycloak"
+  create_namespace           = true
+
+  set {
+    name = "auth.adminPassword"
+    value = var.keycloak_admin_pass
+  }
+
+  set {
+    name = "auth.adminUser"
+    value = "admin"
+  }
+  
+  set {
+    name = "global.storageClass"
+    value = var.storageclass
+  }
+  
+  set {
+    name = "ingress.annotations.cert-manager\\.io/cluster-issuer"
+    value = "letsencrypt-prod"
+  }
+
+  set {
+    name = "ingress.enabled"
+    value = "true"
+  }
+
+  set {
+    name = "ingress.hostname"
+    value = "keycloak.${var.domain_suffix}"
+  }
+
+  set {
+    name = "ingress.tls"
+    value = "true"
+  }
+
+  set {
+    name = "postgresql.auth.password"
+    value = var.postgres_password
+  }
+
+  set {
+    name = "proxy"
+    value = "edge"
+  }
+}
+
+resource "keycloak_realm" "realm" {
+  realm   = "DC_Cloud"
+  enabled = true
+  default_signature_algorithm = "RS256"
+}
+
+resource "keycloak_openid_client" "gitea_client" {
+  realm_id            = keycloak_realm.realm.id
+  client_id           = "gitea"
+
+  enabled             = true
+
+  access_type         = "CONFIDENTIAL"
+  valid_redirect_uris = [
+    "https://gitea.${var.domain_suffix}/*"
+  ]
+}
--- a/vars.tf
+++ b/vars.tf
@ -9,3 +9,11 @@ variable "storageclass" {
 variable "domain_suffix" {
  default = "k8s.md1clv.im"
 }
+
+variable "keycloak_namespace" {
+  default = "keycloak"
+}
+
+variable "keycloak_realm" {
+  default = "DC_Cloud"
+}