Update k8s manifests

2026-03-10 14:45:17 +08:00 · 2026-03-10 14:45:17 +08:00 · 231ad99b78
commit 231ad99b78
parent 55dafe28df
5 changed files with 55 additions and 61 deletions
--- a/k8s/infrastructure/helmrepositories.yaml
+++ b/k8s/infrastructure/helmrepositories.yaml
@ -62,3 +62,12 @@ metadata:
 spec:
  interval: 1h
  url: https://guerzon.github.io/vaultwarden
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: codecentric
+  namespace: flux-system
+spec:
+  interval: 1h
+  url: https://codecentric.github.io/helm-charts
--- a/k8s/infrastructure/keycloak/helmrelease.yaml
+++ b/k8s/infrastructure/keycloak/helmrelease.yaml
@ -14,35 +14,47 @@ spec:
  timeout: 10m
  chart:
    spec:
-      chart: keycloak
-      version: "24.0.x"
+      chart: keycloakx
+      version: "7.1.x"
      sourceRef:
        kind: HelmRepository
-        name: bitnami
+        name: codecentric
        namespace: flux-system
  values:
-    global:
-      imageRegistry: ""
    image:
-      registry: registry.hub.docker.com
-      repository: bitnami/keycloak
-      pullPolicy: Always
-    replicaCount: 1
-    auth:
-      existingSecret: keycloak-admin-secret
-    postgresql:
-      enabled: false
-    externalDatabase:
-      host: pgbouncer.default.svc.cluster.local
+      repository: quay.io/keycloak/keycloak
+      tag: "26.5.5"
+    command:
+      - "/opt/keycloak/bin/kc.sh"
+    args:
+      - "start"
+      - "--hostname-strict=false"
+      - "--http-enabled=true"
+      - "--proxy-headers=xforwarded"
+    database:
+      vendor: postgres
+      hostname: pgbouncer.default.svc.cluster.local
      port: 6432
      database: keycloak
-      existingSecret: keycloak-db-secret
+      username: keycloak
+      existingSecret: keycloak-secrets
+      existingSecretKey: db-password
+    http:
+      relativePath: "/"
+    extraEnvFrom: |
+      - secretRef:
+          name: keycloak-secrets
    ingress:
      enabled: true
+      ingressClassName: ""
      annotations:
        cert-manager.io/cluster-issuer: "n0ball-tw-issuer"
-      hostname: keycloak.n0ball.tw
-      tls: true
-    extraEnvVars:
-      - name: KC_PROXY
-        value: edge
+      rules:
+        - host: keycloak.n0ball.tw
+          paths:
+            - path: /
+              pathType: Prefix
+      tls:
+        - hosts:
+            - keycloak.n0ball.tw
+          secretName: keycloak-tls
--- a/k8s/infrastructure/kustomization.yaml
+++ b/k8s/infrastructure/kustomization.yaml
@ -8,4 +8,4 @@ resources:
  - cert-manager/helmrelease.yaml
  - observability
  - openldap/helmrelease.yaml
-  # keycloak temporarily disabled - bitnami images removed from Docker Hub
+  - keycloak/helmrelease.yaml
--- a/k8s/infrastructure/sops/keycloak-secrets.yaml
+++ b/k8s/infrastructure/sops/keycloak-secrets.yaml
@ -1,10 +1,12 @@
 apiVersion: v1
 kind: Secret
 metadata:
-    name: keycloak-admin-secret
+    name: keycloak-secrets
    namespace: keycloak
 stringData:
-    admin-password: ENC[AES256_GCM,data:+7omuVTQ4qU9uCZEujGcoSG/h+y0WgNhNw1esbMdhI0=,iv:k3sWbvscqkjnYnAi7DOxlKbJFR5h03VxH3OFA3UfvX8=,tag:iniKOfnUXn9ypYQtjXIoJw==,type:str]
+    KEYCLOAK_ADMIN: ENC[AES256_GCM,data:o5mNx7o=,iv:soEzNScj2yrfm/2kNjVZkdLpoJ2o3WRvo3xU7uJDSoM=,tag:JU4QjCzbGQGDMXdw4CHScA==,type:str]
+    KEYCLOAK_ADMIN_PASSWORD: ENC[AES256_GCM,data:a7L0xjS/VJ9m4j734bYefeStDtpjWgPOywtpKHZE3tA=,iv:iwbPwrYzOCsTe5NImNgEm4pyqwFNDE39ohE7GmaTYVo=,tag:IUucbe8pdaCAzlMViVaJdA==,type:str]
+    db-password: ENC[AES256_GCM,data:p8P9v+NFdSEO26eiOqhoY4w3Rrk1w0rC0U6xz/rv1UB9g+BwOLeGVtD7Qg==,iv:IXbRV5pV2psDHzRbJh1ce/+SMev2WPHe+704+GjsjpY=,tag:MKSdpDjt378Z+xZQVykE8g==,type:str]
 sops:
    kms: []
    gcp_kms: []
@ -14,43 +16,14 @@ sops:
        - recipient: age1y5rw08wm2s2hemapzf43c0l4xass7fhc55qh3n4cxtuxzrj8q3cqtydy7m
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXYXpsUWx6YmlqR1B4djJo
-            Tm9XcjQ4VmU4TU9heUpHU3lkSk1ESTY1cEFrClRPeWtaUFdxOHlrYUxmdVo5UVNV
-            WkNXaE5XbThjU1ZwZ1VqNDF1MnFNdDQKLS0tIEFvYkQyemZZaEsvMmJaYkJMTTVK
-            cklsUElqZ05DN290T2h5dlZTbjFvM1EKCxexgWQdHMAEHxoZaTvLcYZev0llmPwq
-            GsFTPX9yb2HvIP5WVg16Pe2snhyObUwK86yh9ELkH+646gFnEfNFtg==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFdWpnTjIzMk9OYkhCY0xN
+            SkxqZE0vRmFwQ1RHenFxWlFNenpGUllUUlJFCm1ZWnY3NlZKY01DY2Z0c1N2aDgx
+            Tkx2QnNBcXM1ajFWQUlmSWIwVHRYNW8KLS0tIEVYQi9zV3JkT2xLQXRZeTlJVHhG
+            TnQxd1hkR3Jva3BhSWZSaU85UlZCakUKoqHAYMdFkntk/8C3Kt4x1CoJ0NtPdvv1
+            6NR0YFmmg2+426Bh54+s0QN8wPgszNKmI8wWc6T3CcU6n2why58kQw==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2026-03-10T05:17:08Z"
-    mac: ENC[AES256_GCM,data:JUnkiyPDixjze1A/xe2n9JntotPStrSiq9gjJLs0tT90QMtGCbo63FE8tNUHtRt7tAasDdc7fC0iKUoo1ZRhmZErVr0VxUOk7WTBUedi35W577XRw4hfjF1UiSI5ZGJatZh3LAtBpmOfyeLMYL+tG6NlgVj6ekKD6gubQXQ0REQ=,iv:1nUt5xPpXS0Fqn31LYpeILpB+2TUd0UElvZh+OIGcBg=,tag:hyAIjSFwgiQmXZDP9zn7BA==,type:str]
-    pgp: []
-    encrypted_regex: ^(data|stringData)$
-    version: 3.9.4
---
-apiVersion: v1
-kind: Secret
-metadata:
-    name: keycloak-db-secret
-    namespace: keycloak
-stringData:
-    password: ENC[AES256_GCM,data:odKIDsYeo1Q/mSHfAK3AUJxUZD91nouEx6ox7wIbfKka+7+Q4gJDGryGzg==,iv:v2havxWV5OA9iab3sPe0wvdLw18BaUl5vaV1+IBnEE0=,tag:Lh4VZ2mEPozA0VZico5SYA==,type:str]
-    db-password: ENC[AES256_GCM,data:WqDfJASxz7/Oyz31L4xBj4mQvNczN6Pdd9s0FobjWilGz8L49uZkZtEChg==,iv:CgeiQ14EP2LYjMvJwZDi3b7pHgVn58tgpcbec2kqxAY=,tag:cRJV9KzWjkLzcqzVsXrmcQ==,type:str]
-sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
-    age:
-        - recipient: age1y5rw08wm2s2hemapzf43c0l4xass7fhc55qh3n4cxtuxzrj8q3cqtydy7m
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXYXpsUWx6YmlqR1B4djJo
-            Tm9XcjQ4VmU4TU9heUpHU3lkSk1ESTY1cEFrClRPeWtaUFdxOHlrYUxmdVo5UVNV
-            WkNXaE5XbThjU1ZwZ1VqNDF1MnFNdDQKLS0tIEFvYkQyemZZaEsvMmJaYkJMTTVK
-            cklsUElqZ05DN290T2h5dlZTbjFvM1EKCxexgWQdHMAEHxoZaTvLcYZev0llmPwq
-            GsFTPX9yb2HvIP5WVg16Pe2snhyObUwK86yh9ELkH+646gFnEfNFtg==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2026-03-10T05:17:08Z"
-    mac: ENC[AES256_GCM,data:JUnkiyPDixjze1A/xe2n9JntotPStrSiq9gjJLs0tT90QMtGCbo63FE8tNUHtRt7tAasDdc7fC0iKUoo1ZRhmZErVr0VxUOk7WTBUedi35W577XRw4hfjF1UiSI5ZGJatZh3LAtBpmOfyeLMYL+tG6NlgVj6ekKD6gubQXQ0REQ=,iv:1nUt5xPpXS0Fqn31LYpeILpB+2TUd0UElvZh+OIGcBg=,tag:hyAIjSFwgiQmXZDP9zn7BA==,type:str]
+    lastmodified: "2026-03-10T06:43:24Z"
+    mac: ENC[AES256_GCM,data:g0Dg0oUsqt9np2ijA0eskVN9ijbfQMEkTI6wZUS5hqXMzImyJIbsmvM4/C5puns9gKNa56Xz4RzBTk1GMVqjwOSBcm5+SFEwpTfxOT8BWw3qAMcAJJoohqVA3whRErJSjmuvXeGnLYvK4mHeE6jL28uZOBiMUV04Sb0Wq+S8R7s=,iv:9EO/G0+x40oh8okCOLtxfC3RBiGbossYOx3opuu0K7w=,tag:P07TV0CBuec3doo4YDj6vQ==,type:str]
    pgp: []
    encrypted_regex: ^(data|stringData)$
    version: 3.9.4
--- a/k8s/infrastructure/sops/kustomization.yaml
+++ b/k8s/infrastructure/sops/kustomization.yaml
@ -3,6 +3,6 @@ kind: Kustomization
 resources:
  - cloudflare-api-token-secret.yaml
  - grafana-admin-secret.yaml
-  # keycloak-secrets.yaml temporarily disabled - keycloak chart unavailable
+  - keycloak-secrets.yaml
  - openldap-admin-secret.yaml
  - vaultwarden-db-secret.yaml