From 231ad99b78a5addcce7cfcd153e4e20ba622312b Mon Sep 17 00:00:00 2001
From: ansible
Date: Tue, 10 Mar 2026 14:45:17 +0800
Subject: [PATCH] Update k8s manifests
---
k8s/infrastructure/helmrepositories.yaml | 9 ++++
k8s/infrastructure/keycloak/helmrelease.yaml | 54 +++++++++++--------
k8s/infrastructure/kustomization.yaml | 2 +-
k8s/infrastructure/sops/keycloak-secrets.yaml | 49 ++++-------------
k8s/infrastructure/sops/kustomization.yaml | 2 +-
5 files changed, 55 insertions(+), 61 deletions(-)
diff --git a/k8s/infrastructure/helmrepositories.yaml b/k8s/infrastructure/helmrepositories.yaml
index 1b7a4fc..a197b6e 100644
--- a/k8s/infrastructure/helmrepositories.yaml
+++ b/k8s/infrastructure/helmrepositories.yaml
@@ -62,3 +62,12 @@ metadata:
 spec:
 interval: 1h
 url: https://guerzon.github.io/vaultwarden
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+ name: codecentric
+ namespace: flux-system
+spec:
+ interval: 1h
+ url: https://codecentric.github.io/helm-charts
diff --git a/k8s/infrastructure/keycloak/helmrelease.yaml b/k8s/infrastructure/keycloak/helmrelease.yaml
index 89aab1e..2d72801 100644
--- a/k8s/infrastructure/keycloak/helmrelease.yaml
+++ b/k8s/infrastructure/keycloak/helmrelease.yaml
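Review bot: The new codecentric HelmRepository is a classic HTTP chart index, for which Flux performs no provenance or signature verification, so the `+ url: https://codecentric.github.io/helm-charts` line becomes the trust anchor for everything the Keycloak pod runs. The entry itself mirrors the vaultwarden repository directly above it, so the concern is structural rather than a typo. If codecentric publishes the chart as an OCI artifact (I cannot tell from this diff), a `type: oci` HelmRepository would let the HelmRelease use `.spec.chart.spec.verify` with cosign; otherwise pin the chart in the HelmRelease to an exact version rather than a floating range so an upstream index change cannot roll out silently on the next 1h reconcile.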
@@ -14,35 +14,47 @@ spec:
 timeout: 10m
 chart:
 spec:
- chart: keycloak
- version: "24.0.x"
+ chart: keycloakx
+ version: "7.1.x"
 sourceRef:
 kind: HelmRepository
- name: bitnami
+ name: codecentric
 namespace: flux-system
 values:
- global:
- imageRegistry: ""
 image:
- registry: registry.hub.docker.com
- repository: bitnami/keycloak
- pullPolicy: Always
- replicaCount: 1
- auth:
- existingSecret: keycloak-admin-secret
- postgresql:
- enabled: false
- externalDatabase:
- host: pgbouncer.default.svc.cluster.local
+ repository: quay.io/keycloak/keycloak
+ tag: "26.5.5"
+ command:
+ - "/opt/keycloak/bin/kc.sh"
+ args:
+ - "start"
+ - "--hostname-strict=false"
+ - "--http-enabled=true"
+ - "--proxy-headers=xforwarded"
+ database:
+ vendor: postgres
+ hostname: pgbouncer.default.svc.cluster.local
 port: 6432
 database: keycloak
- existingSecret: keycloak-db-secret
+ username: keycloak
+ existingSecret: keycloak-secrets
+ existingSecretKey: db-password
+ http:
+ relativePath: "/"
+ extraEnvFrom: |
+ - secretRef:
+ name: keycloak-secrets
 ingress:
 enabled: true
+ ingressClassName: ""
 annotations:
 cert-manager.io/cluster-issuer: "n0ball-tw-issuer"
- hostname: keycloak.n0ball.tw
- tls: true
- extraEnvVars:
- - name: KC_PROXY
- value: edge
+ rules:
+ - host: keycloak.n0ball.tw
+ paths:
+ - path: /
+ pathType: Prefix
+ tls:
+ - hosts:
+ - keycloak.n0ball.tw
+ secretName: keycloak-tls
diff --git a/k8s/infrastructure/kustomization.yaml b/k8s/infrastructure/kustomization.yaml
index 408a2e9..a26595f 100644
--- a/k8s/infrastructure/kustomization.yaml
+++ b/k8s/infrastructure/kustomization.yaml
@@ -8,4 +8,4 @@ resources:
 - cert-manager/helmrelease.yaml
 - observability
 - openldap/helmrelease.yaml
- # keycloak temporarily disabled - bitnami images removed from Docker Hub
+ - keycloak/helmrelease.yaml
diff --git a/k8s/infrastructure/sops/keycloak-secrets.yaml b/k8s/infrastructure/sops/keycloak-secrets.yaml
index f537f3c..09b9013 100644
--- a/k8s/infrastructure/sops/keycloak-secrets.yaml
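Review bot: `- "--hostname-strict=false"` combined with `- "--proxy-headers=xforwarded"` makes Keycloak 26 build its issuer, redirect and e-mail-link URLs from whatever Host/X-Forwarded-* headers reach the pod, and since no `--proxy-trusted-addresses` is set those headers are trusted from any source, so anything that can reach the Service inside the cluster can inject a hostname into tokens and password-reset links. Replace the strict=false flag with the public hostname, `- "--hostname=https://keycloak.n0ball.tw"`, and limit header trust to the ingress controller with `- "--proxy-trusted-addresses=<ingress pod CIDR>"` (an option I believe exists in the 26.x line; confirm for this tag). `tag: "26.5.5"` pins by mutable tag only; appending the image digest would make the rollout immutable. The HelmRelease `spec:` edited here begins before line 14 and is not visible in the hunk.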
+++ b/k8s/infrastructure/sops/keycloak-secrets.yaml
@@ -1,10 +1,12 @@
 apiVersion: v1
 kind: Secret
 metadata:
- name: keycloak-admin-secret
+ name: keycloak-secrets
 namespace: keycloak
 stringData:
- admin-password: ENC[AES256_GCM,data:+7omuVTQ4qU9uCZEujGcoSG/h+y0WgNhNw1esbMdhI0=,iv:k3sWbvscqkjnYnAi7DOxlKbJFR5h03VxH3OFA3UfvX8=,tag:iniKOfnUXn9ypYQtjXIoJw==,type:str]
+ KEYCLOAK_ADMIN: ENC[AES256_GCM,data:o5mNx7o=,iv:soEzNScj2yrfm/2kNjVZkdLpoJ2o3WRvo3xU7uJDSoM=,tag:JU4QjCzbGQGDMXdw4CHScA==,type:str]
+ KEYCLOAK_ADMIN_PASSWORD: ENC[AES256_GCM,data:a7L0xjS/VJ9m4j734bYefeStDtpjWgPOywtpKHZE3tA=,iv:iwbPwrYzOCsTe5NImNgEm4pyqwFNDE39ohE7GmaTYVo=,tag:IUucbe8pdaCAzlMViVaJdA==,type:str]
+ db-password: ENC[AES256_GCM,data:p8P9v+NFdSEO26eiOqhoY4w3Rrk1w0rC0U6xz/rv1UB9g+BwOLeGVtD7Qg==,iv:IXbRV5pV2psDHzRbJh1ce/+SMev2WPHe+704+GjsjpY=,tag:MKSdpDjt378Z+xZQVykE8g==,type:str]
 sops:
 kms: []
 gcp_kms: []
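Review bot: `KEYCLOAK_ADMIN` and `KEYCLOAK_ADMIN_PASSWORD` are the deprecated spellings for the 26.x image this commit switches to; Keycloak 26 reads `KC_BOOTSTRAP_ADMIN_USERNAME` / `KC_BOOTSTRAP_ADMIN_PASSWORD` and treats that account as a temporary bootstrap admin, so rename the keys and plan to remove them once a permanent admin exists (the old names were still honoured with a warning in 26.0, but confirm for this tag). Because the HelmRelease injects this whole Secret through `extraEnvFrom`, every key here lands in the container environment, including `db-password`, which the chart already consumes separately via `existingSecretKey`. Keeping the bootstrap-admin keys and the DB credential in separate Secrets, as the previous layout did, limits what a single env dump of the pod exposes.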
@@ -14,43 +16,14 @@ sops:
 - recipient: age1y5rw08wm2s2hemapzf43c0l4xass7fhc55qh3n4cxtuxzrj8q3cqtydy7m
 enc: |
 -----BEGIN AGE ENCRYPTED FILE-----
- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXYXpsUWx6YmlqR1B4djJo
- Tm9XcjQ4VmU4TU9heUpHU3lkSk1ESTY1cEFrClRPeWtaUFdxOHlrYUxmdVo5UVNV
- WkNXaE5XbThjU1ZwZ1VqNDF1MnFNdDQKLS0tIEFvYkQyemZZaEsvMmJaYkJMTTVK
- cklsUElqZ05DN290T2h5dlZTbjFvM1EKCxexgWQdHMAEHxoZaTvLcYZev0llmPwq
- GsFTPX9yb2HvIP5WVg16Pe2snhyObUwK86yh9ELkH+646gFnEfNFtg==
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFdWpnTjIzMk9OYkhCY0xN
+ SkxqZE0vRmFwQ1RHenFxWlFNenpGUllUUlJFCm1ZWnY3NlZKY01DY2Z0c1N2aDgx
+ Tkx2QnNBcXM1ajFWQUlmSWIwVHRYNW8KLS0tIEVYQi9zV3JkT2xLQXRZeTlJVHhG
+ TnQxd1hkR3Jva3BhSWZSaU85UlZCakUKoqHAYMdFkntk/8C3Kt4x1CoJ0NtPdvv1
+ 6NR0YFmmg2+426Bh54+s0QN8wPgszNKmI8wWc6T3CcU6n2why58kQw==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2026-03-10T05:17:08Z"
- mac: ENC[AES256_GCM,data:JUnkiyPDixjze1A/xe2n9JntotPStrSiq9gjJLs0tT90QMtGCbo63FE8tNUHtRt7tAasDdc7fC0iKUoo1ZRhmZErVr0VxUOk7WTBUedi35W577XRw4hfjF1UiSI5ZGJatZh3LAtBpmOfyeLMYL+tG6NlgVj6ekKD6gubQXQ0REQ=,iv:1nUt5xPpXS0Fqn31LYpeILpB+2TUd0UElvZh+OIGcBg=,tag:hyAIjSFwgiQmXZDP9zn7BA==,type:str]
- pgp: []
- encrypted_regex: ^(data|stringData)$
- version: 3.9.4
----
-apiVersion: v1
-kind: Secret
-metadata:
- name: keycloak-db-secret
- namespace: keycloak
-stringData:
- password: ENC[AES256_GCM,data:odKIDsYeo1Q/mSHfAK3AUJxUZD91nouEx6ox7wIbfKka+7+Q4gJDGryGzg==,iv:v2havxWV5OA9iab3sPe0wvdLw18BaUl5vaV1+IBnEE0=,tag:Lh4VZ2mEPozA0VZico5SYA==,type:str]
- db-password: ENC[AES256_GCM,data:WqDfJASxz7/Oyz31L4xBj4mQvNczN6Pdd9s0FobjWilGz8L49uZkZtEChg==,iv:CgeiQ14EP2LYjMvJwZDi3b7pHgVn58tgpcbec2kqxAY=,tag:cRJV9KzWjkLzcqzVsXrmcQ==,type:str]
-sops:
- kms: []
- gcp_kms: []
- azure_kv: []
- hc_vault: []
- age:
- - recipient: age1y5rw08wm2s2hemapzf43c0l4xass7fhc55qh3n4cxtuxzrj8q3cqtydy7m
- enc: |
- -----BEGIN AGE ENCRYPTED FILE-----
- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXYXpsUWx6YmlqR1B4djJo
- 
Tm9XcjQ4VmU4TU9heUpHU3lkSk1ESTY1cEFrClRPeWtaUFdxOHlrYUxmdVo5UVNV
- WkNXaE5XbThjU1ZwZ1VqNDF1MnFNdDQKLS0tIEFvYkQyemZZaEsvMmJaYkJMTTVK
- cklsUElqZ05DN290T2h5dlZTbjFvM1EKCxexgWQdHMAEHxoZaTvLcYZev0llmPwq
- GsFTPX9yb2HvIP5WVg16Pe2snhyObUwK86yh9ELkH+646gFnEfNFtg==
- -----END AGE ENCRYPTED FILE-----
- lastmodified: "2026-03-10T05:17:08Z"
- mac: ENC[AES256_GCM,data:JUnkiyPDixjze1A/xe2n9JntotPStrSiq9gjJLs0tT90QMtGCbo63FE8tNUHtRt7tAasDdc7fC0iKUoo1ZRhmZErVr0VxUOk7WTBUedi35W577XRw4hfjF1UiSI5ZGJatZh3LAtBpmOfyeLMYL+tG6NlgVj6ekKD6gubQXQ0REQ=,iv:1nUt5xPpXS0Fqn31LYpeILpB+2TUd0UElvZh+OIGcBg=,tag:hyAIjSFwgiQmXZDP9zn7BA==,type:str]
+ lastmodified: "2026-03-10T06:43:24Z"
+ mac: ENC[AES256_GCM,data:g0Dg0oUsqt9np2ijA0eskVN9ijbfQMEkTI6wZUS5hqXMzImyJIbsmvM4/C5puns9gKNa56Xz4RzBTk1GMVqjwOSBcm5+SFEwpTfxOT8BWw3qAMcAJJoohqVA3whRErJSjmuvXeGnLYvK4mHeE6jL28uZOBiMUV04Sb0Wq+S8R7s=,iv:9EO/G0+x40oh8okCOLtxfC3RBiGbossYOx3opuu0K7w=,tag:P07TV0CBuec3doo4YDj6vQ==,type:str]
 pgp: []
 encrypted_regex: ^(data|stringData)$
 version: 3.9.4
diff --git a/k8s/infrastructure/sops/kustomization.yaml b/k8s/infrastructure/sops/kustomization.yaml
index b1a4fa1..33a1f18 100644
--- a/k8s/infrastructure/sops/kustomization.yaml
+++ b/k8s/infrastructure/sops/kustomization.yaml
@@ -3,6 +3,6 @@ kind: Kustomization
 resources:
 - cloudflare-api-token-secret.yaml
 - grafana-admin-secret.yaml
- # keycloak-secrets.yaml temporarily disabled - keycloak chart unavailable
+ - keycloak-secrets.yaml
 - openldap-admin-secret.yaml
 - vaultwarden-db-secret.yaml
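Review bot: Deleting the `keycloak-db-secret` document removes it from git but not from the cluster unless the Flux Kustomization that applies this directory has `prune: true`, which this diff does not show; otherwise the old Secret holding the previous database password stays readable in the `keycloak` namespace. After the rollout, confirm with `kubectl -n keycloak get secret keycloak-db-secret` that it is gone. If the DB password was not rotated when it was folded into `keycloak-secrets`, the removed ciphertext in git history still decrypts to the live credential for any holder of the same age key, so a rotation would be worth pairing with this cleanup. The rest of the hunk only re-encrypts the surviving document.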