update to 1.8.0

marmila · Jan 7, 2024 · 648a4ef · 648a4ef
2 parents de5f9b1 + 33d8cb8
commit 648a4ef
Show file tree

Hide file tree

Showing 56 changed files with 1,453 additions and 138 deletions.
diff --git a/README.md b/README.md
@@ -133,6 +133,16 @@ The following picture shows the set of opensource solutions used so far in the c
         <td><a href="https://external-secrets.io/">External Secrets Operator</a></td>
         <td>Sync Kubernetes Secrets from Hashicorp Vault</td>
     </tr>
+    <tr>
+        <td><img width="32" src="docs/assets/img/logos/keycloak.svg" alt="keycloak logo"></td>
+        <td><a href="https://www.keycloak.org/">Keycloak</a></td>
+        <td>Identity Access Management</td>
+    </tr>
+    <tr>
+        <td><img width="32" src="docs/assets/img/logos/OAuth2-proxy.svg" alt="oauth2-proxy logo"></td>
+        <td><a href="https://oauth2-proxy.github.io/oauth2-proxy/">OAuth2.0 Proxy</a></td>
+        <td>OAuth2.0 Proxy</td>
+    </tr>
     <tr>
         <td><img width="32" src="docs/assets/img/logos/velero.svg"></td>
         <td><a href="https://velero.io/">Velero</a></td>

diff --git a/ansible/create_vault_credentials.yml b/ansible/create_vault_credentials.yml
@@ -38,7 +38,7 @@
 
     - name: Create random passwords
       ansible.builtin.set_fact:
-        "{{ item }}": "{{ lookup('ansible.builtin.password', '/dev/null chars=ascii_letters,digits' ) }}"
+        "{{ item }}": "{{ lookup('ansible.builtin.password', '/dev/null length=32 chars=ascii_letters,digits' ) }}"
       with_items:
         - k3s_token
         - minio_root_password
@@ -53,6 +53,13 @@
         - elasticsearch_admin_password
         - elasticsearch_fluentd_password
         - elasticsearch_prometheus_password
+        - keycloak_admin_password
+        - keycloak_pi_password
+        - oauth2_proxy_client_secret
+        - oauth2_proxy_cookie
+        - oauth2_proxy_redis_password
+        - grafana_client_secret
+        - kibana_client_secret
 
     - name: Generate vault file
       ansible.builtin.template:

diff --git a/ansible/host_vars/gateway.yml b/ansible/host_vars/gateway.yml
@@ -37,6 +37,14 @@ dnsmasq_additional_dns_hosts:
     desc: "Monitor server"
     hostname: monitoring
     ip: 10.0.0.100
+  key_cloak:
+    desc: "Keycloak server"
+    hostname: sso
+    ip: 10.0.0.100
+  oauth2_proxy:
+    desc: "Oauth2 Proxy"
+    hostname: oauth2-proxy
+    ip: 10.0.0.100
   fluentd:
     desc: "Fluentd server"
     hostname: fluentd

diff --git a/ansible/tasks/create_basic_auth_credentials.yml b/ansible/tasks/create_basic_auth_credentials.yml
@@ -10,22 +10,22 @@
 - name: htpasswd utility
   shell:
     cmd: >-
-      htpasswd -nb {{ traefik_basic_auth_user }} {{ traefik_basic_auth_passwd }}
+      htpasswd -nb {{ ingress_basic_auth_user }} {{ ingress_basic_auth_passwd }}
   register: htpasswd
   changed_when: false
 
 - name: Set htpasswd pair
   set_fact:
-    traefik_auth_htpasswd_pair: "{{ htpasswd.stdout }}"
+    ingress_auth_htpasswd_pair: "{{ htpasswd.stdout }}"
 
 
-- name: Create/update traefik/basic_auth credentials
+- name: Create/update ingress/basic_auth credentials
   ansible.builtin.uri:
-    url: "https://{{ vault_dns }}:8200/v1/secret/data/traefik/basic_auth"
+    url: "https://{{ vault_dns }}:8200/v1/secret/data/ingress/basic_auth"
     method: POST
     headers:
       X-Vault-Token: "{{ token_data | community.hashi_vault.vault_login_token }}"
     body:
       data:
-        htpasswd-pair: "{{ traefik_auth_htpasswd_pair }}"
+        htpasswd-pair: "{{ ingress_auth_htpasswd_pair }}"
     body_format: json
diff --git a/ansible/vars/picluster.yml b/ansible/vars/picluster.yml
@@ -74,12 +74,12 @@ k3s_agent_config:
 
 
 ###########
-# Traefik #
+# Ingress #
 ###########
 
 # HTTP Basic auth credentials
-traefik_basic_auth_user: "{{ vault.traefik.admin.user }}"
-traefik_basic_auth_passwd: "{{ vault.traefik.admin.password }}"
+ingress_basic_auth_user: "{{ vault.ingress.admin.user }}"
+ingress_basic_auth_passwd: "{{ vault.ingress.admin.password }}"
 
 # DNS cluster service end-points
 traefik_dashboard_dns: "traefik.{{ dns_domain }}"
@@ -230,7 +230,7 @@ restic_environment:
 # Vault configuration
 #######################
 vault_hostname: "vault.picluster.marmilan.com"
-vault_version: 1.15.2
+vault_version: 1.15.4
 vault_dns: "{{ vault_hostname }}"
 vault_enable_tls: true
 custom_ca: false

diff --git a/ansible/vars/vault.yml.j2 b/ansible/vars/vault.yml.j2
@@ -10,11 +10,28 @@ vault:
   cluster:
     k3s:
      token: {{ k3s_token }}
-  # Traefik secrets
-  traefik:
+  # Ingress secrets
+  ingress:
     admin:
       user: admin
       password: {{ traefik_basic_auth_password }}
+  # Keycloak
+  keycloak:
+    admin:
+      user: admin
+      password: {{ keycloak_admin_password }}
+    picluster-admin:
+      user: piadmin
+      password: {{ keycloak_pi_password }}
+  # Oauth2-Proxy
+  oauth2-proxy:
+    oauth2:
+      client-id: oauth2-proxy
+      client-secret: {{ oauth2_proxy_client_secret }}
+    cookie:
+      cookie-secret: {{ oauth2_proxy_cookie }}
+    redis:
+      redis-password: {{ oauth2_proxy_redis_password }}
   # Minio S3 secrets
   minio:
     root:
@@ -53,6 +70,14 @@ vault:
     admin:
      user: admin
      password: {{ grafana_admin_password }}
+    oauth2:
+      client-id: grafana
+      client-secret: {{ grafana_client_secret }}
+  # Kibana
+  kibana:
+    oauth2:
+      client-id: kibana
+      client-secret: {{ kibana_client_secret }}
   # Certmanager
   certmanager:
     ionos:

diff --git a/argocd/bootstrap/crds/kube-prometheus-stack/kustomization.yaml b/argocd/bootstrap/crds/kube-prometheus-stack/kustomization.yaml
@@ -2,8 +2,8 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 # Kube-prometheus-stack cdrs.
-# Prometheus-operator CRDs v0.6.8
+# Prometheus-operator CRDs
 helmCharts:
 - name: prometheus-operator-crds
   repo: https://prometheus-community.github.io/helm-charts
-  version: "6.0.0"
+  version: "8.0.1"
diff --git a/argocd/bootstrap/root/values.yaml b/argocd/bootstrap/root/values.yaml
@@ -56,51 +56,59 @@ apps:
     namespace: longhorn-system
     path: argocd/system/longhorn-system
     syncWave: 8
+  - name: keycloak
+    namespace: keycloak
+    path: argocd/system/keycloak
+    syncWave: 9
+  - name: oauth2-proxy
+    namespace: oauth2-proxy
+    path: argocd/system/oauth2-proxy
+    syncWave: 10
     # Minio Object Storage
   - name: minio
     namespace: minio
     path: argocd/system/minio
-    syncWave: 9
+    syncWave: 11
     # Velero Backup
   - name: velero
     namespace: velero
     path: argocd/system/velero
-    syncWave: 10
+    syncWave: 12
     # Logging: Loki and EFK stack
   - name: logging
     namespace: logging
     path: argocd/system/logging
-    syncWave: 11
+    syncWave: 13
     # Kube-prometheus-stack
   - name: monitoring
     namespace: monitoring
     path: argocd/system/monitoring
-    syncWave: 12
+    syncWave: 14
     helm:
       # skip installation kube-prometheus-stack CDRs
       skipCrds: true
     # Linkerd-viz
   - name: linkerd-viz
     namespace: linkerd-viz
     path: argocd/system/linkerd-viz
-    syncWave: 13
+    syncWave: 15
     # Tracing: Tempo
   - name: tracing
     namespace: tracing
     path: argocd/system/tracing
-    syncWave: 14
+    syncWave: 16
     # Linkerd-jaeger
   - name: linkerd-jaeger
     namespace: linkerd-jaeger
     path: argocd/system/linkerd-jaeger
-    syncWave: 15
+    syncWave: 17
     # Argo CD App
   - name: argocd
     namespace: argocd
     path: argocd/bootstrap/argocd
-    syncWave: 16
+    syncWave: 18
     # Kafka App
   - name: kafka
     namespace: kafka
     path: argocd/system/kafka
-    syncWave: 17
+    syncWave: 19
diff --git a/argocd/system/keycloak/Chart.yaml b/argocd/system/keycloak/Chart.yaml
@@ -0,0 +1,7 @@
+apiVersion: v2
+name: keycloak
+version: 0.0.0
+dependencies:
+  - name: keycloak
+    version: 17.3.6
+    repository: https://charts.bitnami.com/bitnami