feat: add keycloak for SSO

Refs: #13 Signed-off-by: Wim de Groot <[email protected]>
wim-de-groot · Nov 10, 2024 · 379049a · 379049a
1 parent 19e0f38
commit 379049a
Show file tree

Hide file tree

Showing 6 changed files with 61 additions and 4 deletions.
diff --git a/apps/authorization/keycloak/templates/certificate.yaml b/apps/authorization/keycloak/templates/certificate.yaml
@@ -17,3 +17,9 @@ spec:
   issuerRef:
     name: cloudflare
     kind: ClusterIssuer
+  secretTemplate:
+    annotations:
+      reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
+      reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "home-automation"
+      reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true"
+      reflector.v1.k8s.emberstack.com/reflection-auto-namespaces: "home-automation" 
diff --git a/apps/cert-manager/cert-manager/Chart.yaml b/apps/cert-manager/cert-manager/Chart.yaml
@@ -5,3 +5,6 @@ dependencies:
   - name: cert-manager
     version: v1.9.1
     repository: https://charts.jetstack.io 
+  - name: reflector
+    version: 7.1.288
+    repository: https://emberstack.github.io/helm-charts
diff --git a/apps/crossplane/crossplane/Chart.yaml b/apps/crossplane/crossplane/Chart.yaml
@@ -0,0 +1,7 @@
+apiVersion: v2
+name: crossplane
+version: 1.0.0
+dependencies:
+  - name: crossplane
+    version: 1.18.0
+    repository: https://charts.crossplane.io/stable
diff --git a/apps/home-automation/mealie/configmap.yaml b/apps/home-automation/mealie/configmap.yaml
@@ -7,11 +7,15 @@ metadata:
     app.kubernetes.io/instance: home-automation-mealie	
     app.kubernetes.io/name: mealie	
 data:	
-  ALLOW_SIGNUP: 'false'	
-  BASE_URL: 'http://mealie.homelab.com'	
+  OIDC_AUTH_ENABLED: 'true'
+  OIDC_AUTO_REDIRECT: 'false'
+  OIDC_PROVIDER_NAME: 'SSO'
+  BASE_URL: 'https://mealie.wimandnaomishome.com:443'	
+  OIDC_CONFIGURATION_URL: 'https://authorization-keycloak.authorization.svc.cluster.local/realms/master/.well-known/openid-configuration'
   DEFAULT_GROUP: Home	
   MAX_WORKERS: '1'	
   PGID: '1000'	
   PUID: '1000'	
   TZ: Europe/Amsterdam	
-  WEB_CONCURRENCY: '1'	
+  WEB_CONCURRENCY: '1'
+  LOG_LEVEL: debug
diff --git a/apps/home-automation/mealie/deployment.yaml b/apps/home-automation/mealie/deployment.yaml
@@ -6,7 +6,13 @@ metadata:
     app.kubernetes.io/instance: home-automation-mealie	
     app.kubernetes.io/name: mealie	
 spec:
+  strategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxUnavailable: 0
+      maxSurge: 10
   replicas: 1
+  revisionHistoryLimit: 1
   selector:
     matchLabels:
       app.kubernetes.io/instance: home-automation-mealie	
@@ -20,7 +26,7 @@ spec:
     spec:
       containers:
         - name: mealie
-          image: docker.io/wimdegroot/mealie:test-v3
+          image: docker.io/wimdegroot/mealie:test-v5
           env:
             - name: DB_ENGINE 
               value: postgres
@@ -43,10 +49,22 @@ spec:
                 secretKeyRef:
                   name: mealie-app
                   key: dbname
+            - name: OIDC_CLIENT_ID 
+              valueFrom:
+                secretKeyRef:
+                  name: mealie
+                  key: OIDC_CLIENT_ID  
+            - name: OIDC_CLIENT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: mealie
+                  key: OIDC_CLIENT_SECRET 
             - name: TLS_CERTIFICATE_PATH
               value: /etc/tls/tls.crt
             - name: TLS_PRIVATE_KEY_PATH
               value: /etc/tls/tls.key
+            - name: OIDC_TLS_CACERTFILE
+              value: /etc/trust/tls.crt
           envFrom:
             - configMapRef:
                 name: mealie
@@ -66,6 +84,8 @@ spec:
               name: mealie-data
             - mountPath: /etc/tls
               name: mealie-tls
+            - mountPath: /etc/trust
+              name: keycloak-tls
           imagePullPolicy: IfNotPresent
           startupProbe:
             httpGet:
@@ -95,3 +115,6 @@ spec:
         - name: mealie-tls
           secret:
             secretName: mealie-tls
+        - name: keycloak-tls
+          secret:
+            secretName: keycloak-tls
diff --git a/apps/home-automation/mealie/sealed-secret.yaml b/apps/home-automation/mealie/sealed-secret.yaml
@@ -0,0 +1,14 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  name: mealie
+  namespace: home-automation
+spec:
+  encryptedData:
+    OIDC_CLIENT_ID: AgBPWaFLzdA0uAwtvIQXLWcV7qWkF2D3DbtbTNfBC33BUa0ruumVOBEFigbmRYNHepvTU6e6QHlAk6lLlGjENuRcYQQX49SAVkG86SdMh0PjZq7XB4xkH0/chVdjxq///OteW0G81kIQe/cDeuxknDfSS6pgJJnO8DG633hJ7RLZvXB2s9jQ2xZAUxvAusqwXDNHmOO1exvVJNfoC3c2l2XTB1RuhcPMRIXYei1hmdg3aV+zy/xzI4a8ettA9uEhk4pwfVxHxN9nzIpcYrNeV5wHu0+rhmWK4Y3cjzt5XqrlHdmXr7BAHhe2zqHAIlHch7GNaTEw7fFz6K6cPJea49PyAQKJVPMQPwcmXwYRzrcVpUpmS8VwUXx2b3zgCsu3SbbGGCzwjddSkDbjWQZvuvNr19J/6T+7bozqwy510Z0UAvkg+FbjCQL5dAF08UuoYt0dZrCUQJp4R9404OLpHlQtfg1Eyui162TBzofe/b1PeLdQCdhN9+8KRMjLUCfPnbXrx4FOaO6diZo5C3waqBSNW8K/bGpIySvOse5wgusz0o7pMHD04jt/j+F0xj9BkhN/O5JIhdaTxF2IGRjzb8Ii3CLfSjZq3VFsE5r5dOgMe4HTur934kcZz51ucQpLlDtgdZ8uB3rov/CPfi8MC3rIZHc90ab2FOPmz2rGegg21d6nXI7YPwBx9soih58FW2pgXO22MNWq
+    OIDC_CLIENT_SECRET: AgBUysLy97aI5FQG26jJanHUGQ4UfWdl3FiFvodOBhbTb6yKplHHULxaqIzkwP+TP9Z9daWYb6Ii85PdOAbfl0OXy6yrHkM9ECLg4uDNzuP7u98c0Ay9YS5eVQnvBD5xbRf/od+w9c2UJApaIHuEbFyHYkEBAF37xemRRdfRSdiHT1WvClwak52cwI+rpTGQ/DkTskUQRCr0g4yNJRRFyHT9iNk0LVPipB+gN7AbS+KhOUlDBvw1f0P1qgmsUOdi9SAOlI6zMGBcAwit6xh7lSEkLoU4FXGMe2sDIu2zBrnwyzVcLzhV1sqNRvbgAfYfqP9f1UXMF/9xioFbe8Z/PAK+iGln5Oe718TRJQ2u607kRdjIstHgpZwmPSvf5VxmACSQs7DvwZia6gGDYsqSpxXHmlEWEEROeYtNMfWi7DHWPzEuEQ1MluVyVoTpxhfWSVIjbU2ehvjDfRfSGtuZTv65lc3LOlpME9zMDXAxxXwMQiW048GZKuRqEKYNsEiG75moXiKItwFfGYazivKIA2vPdheGP8AC9bYUVnFTCOiI8vISmdwYm62qqhFA0WISe453LQ4I84oahHqUc/KbvKDqIJOZI1wVoBMuuh87NLeTVcgN0J3qDBJ6+QAnSNrdMN8070Y0HpHQ8uKFgr32c32+0Bfwn6UhaO+UCPXmxGuuZbkSxlNc9Y6PTcpK3eDWV2dHFbzQfmDQz3L2rNOwcXbLa9gmeDku+fyDTIgUczngqA==
+  template:
+    metadata:
+      name: mealie
+      namespace: home-automation
+    type: Opaque