From 4f02ff777e458500dc623c2e66557130f807d8a7 Mon Sep 17 00:00:00 2001 From: Dan Ankers Date: Thu, 28 Sep 2023 19:19:58 +0100 Subject: [PATCH] Add Keycloak provider and Keycloak Gitea client --- .gitignore | 1 + main.tf | 80 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ vars.tf | 8 ++++++ 3 files changed, 89 insertions(+) diff --git a/.gitignore b/.gitignore index 55c0266..220726b 100644 --- a/.gitignore +++ b/.gitignore @@ -2,3 +2,4 @@ .terraform/ terraform.tfstate terraform.tfstate.backup +secret_vars.tf diff --git a/main.tf b/main.tf index cdf2a00..0aaa715 100644 --- a/main.tf +++ b/main.tf @@ -8,6 +8,10 @@ terraform { source = "hashicorp/kubernetes" version = "~> 2.23.0" } + keycloak = { + source = "mrparkers/keycloak" + version = "4.3.1" + } } } @@ -21,6 +25,12 @@ provider "helm" { } } +provider "keycloak" { + client_id = "terraform" + client_secret = var.keycloak_client_secret + url = "https://keycloak.${var.domain_suffix}" +} + resource "kubernetes_namespace" "gitea_ns" { metadata { name = var.gitea_namespace 
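Review bot: Ignoring one exact filename is a thin guard for the secrets this commit starts consuming; `var.keycloak_client_secret`, `var.keycloak_admin_pass` and `var.postgres_password` are read in main.tf but declared nowhere in the diff, so presumably they live in `secret_vars.tf`, and a differently named copy (`secrets_vars.tf`, a `*.auto.tfvars` dropped next to it) would be committed. Consider a pattern instead of a name, e.g. `*secret*.tf` plus `*.auto.tfvars`, and a one-line comment above it saying why: `# local-only secret inputs (client secret, admin/db passwords); values also land in terraform.tfstate`. Note the state file is ignored here as well, so wherever state is actually stored it must be treated as secret too.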
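Review bot: The provider block authenticates as a `terraform` client that this commit never creates, and provider configuration cannot `depends_on` the `helm_release.keycloak` added later in the same file, so a fresh apply will fail at plan/refresh until Keycloak is reachable at `https://keycloak.${var.domain_suffix}` and that client has been created by hand; this bootstrap step needs to be written down, e.g. above the block: `# Bootstrap: Keycloak must already be up and a confidential client "terraform" with service-account roles for realm management created out of band before this provider can plan`. If I read the provider's defaults correctly, leaving `realm` unset means it authenticates against `master`, which is worth stating explicitly (`realm = "master"`) rather than relying on the default. `var.keycloak_client_secret` is not declared in the vars.tf hunk of this commit; wherever it is declared it should carry `sensitive = true`. The `kubernetes_namespace "gitea_ns"` block at the end continues outside the hunk.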
@@ -70,3 +80,73 @@ resource "helm_release" "gitea" { } } +resource "helm_release" "keycloak" { + name = "keycloak" + namespace = var.keycloak_namespace + repository = "https://charts.bitnami.com/bitnami/" + chart = "keycloak" + create_namespace = true + + set { + name = "auth.adminPassword" + value = var.keycloak_admin_pass + } + + set { + name = "auth.adminUser" + value = "admin" + } + + set { + name = "global.storageClass" + value = var.storageclass + } + + set { + name = "ingress.annotations.cert-manager\\.io/cluster-issuer" + value = "letsencrypt-prod" + } + + set { + name = "ingress.enabled" + value = "true" + } + + set { + name = "ingress.hostname" + value = "keycloak.${var.domain_suffix}" + } + + set { + name = "ingress.tls" + value = "true" + } + + set { + name = "postgresql.auth.password" + value = var.postgres_password + } + + set { + name = "proxy" + value = "edge" + } +} + +resource "keycloak_realm" "realm" { + realm = "DC_Cloud" + enabled = true + default_signature_algorithm = "RS256" +} + +resource "keycloak_openid_client" "gitea_client" { + realm_id = keycloak_realm.realm.id + client_id = "gitea" + + enabled = true + + access_type = "CONFIDENTIAL" + valid_redirect_uris = [ + "https://gitea.${var.domain_suffix}/*" + ] +} diff --git a/vars.tf b/vars.tf index c643fcc..1a6995a 100644 --- a/vars.tf +++ b/vars.tf @@ -9,3 +9,11 @@ variable "storageclass" { variable "domain_suffix" { default = "k8s.md1clv.im" } + +variable "keycloak_namespace" { + default = "keycloak" +} + +variable "keycloak_realm" { + default = "DC_Cloud" +}
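Review bot: `keycloak_realm.realm` hard-codes `realm = "DC_Cloud"` while the same commit adds `variable "keycloak_realm"` with that default and never reads it, so change the line to `realm = var.keycloak_realm` before the two drift. The Keycloak admin and PostgreSQL passwords are passed through plain `set` blocks, which prints them in every plan diff; switch the `auth.adminPassword` and `postgresql.auth.password` blocks to `set_sensitive { … }` so the Helm provider redacts them (they still land in state, so the state backend must be treated as secret). `valid_redirect_uris` accepts any path under the Gitea host; if Gitea's callback is the usual `/user/oauth2/<auth-source-name>/callback`, the entry can be narrowed to that exact path — Keycloak honours `*` only as a trailing wildcard, so the source name has to be spelled out, and it should be confirmed against the Gitea side of the configuration. `keycloak_realm` and `keycloak_openid_client` also have no `depends_on = [helm_release.keycloak]`, so ordering on a first apply is left to chance.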
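Review bot: The three secret inputs main.tf now reads — `keycloak_client_secret`, `keycloak_admin_pass`, `postgres_password` — are not declared in this file, presumably living in the git-ignored `secret_vars.tf`, which leaves the repository with no declaration marking them sensitive and lets Terraform echo them in plan output. Declare each of them here with `type = string`, `sensitive = true` and no default, and keep only the values in the ignored file. The new `keycloak_realm` variable has no consumer in this commit, since main.tf hard-codes `"DC_Cloud"`; either wire it up or drop it, and give both new variables a `description` so the intent of the namespace and realm names is recorded.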