From 2ffb5ec5d5b555039b95f7d0f9487e972d139d74 Mon Sep 17 00:00:00 2001 From: Petr Gurin Date: Wed, 18 Dec 2024 15:17:49 +0300 Subject: [PATCH] =?UTF-8?q?=D0=9F=D0=B5=D1=80=D0=B2=D0=B8=D1=87=D0=BD?= =?UTF-8?q?=D0=B0=D1=8F=20=D0=BD=D0=B0=D1=81=D1=82=D1=80=D0=BE=D0=B9=D0=BA?= =?UTF-8?q?=D0=B0,=20=D0=B4=D0=B5=D0=BF=D0=BB=D0=BE=D0=B9=20KeyCloak?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .drone.yml | 104 +++++++++++++++ build/docker-compose-local.yml | 41 ++++++ deploy/helm/.helmignore | 23 ++++ deploy/helm/Chart.yaml | 5 + deploy/helm/keycloak-dev-values.yaml | 80 ++++++++++++ deploy/helm/templates/deployment.yaml | 108 ++++++++++++++++ deploy/helm/templates/ingress.yaml | 35 +++++ deploy/helm/templates/secret.yaml | 25 ++++ deploy/helm/templates/service.yaml | 12 ++ deploy/k8s-keycloak.yml.old | 179 ++++++++++++++++++++++++++ 10 files changed, 612 insertions(+) create mode 100644 .drone.yml create mode 100644 build/docker-compose-local.yml create mode 100644 deploy/helm/.helmignore create mode 100644 deploy/helm/Chart.yaml create mode 100644 deploy/helm/keycloak-dev-values.yaml create mode 100644 deploy/helm/templates/deployment.yaml create mode 100644 deploy/helm/templates/ingress.yaml create mode 100644 deploy/helm/templates/secret.yaml create mode 100644 deploy/helm/templates/service.yaml create mode 100644 deploy/k8s-keycloak.yml.old diff --git a/.drone.yml b/.drone.yml new file mode 100644 index 0000000..cc24e5c --- /dev/null +++ b/.drone.yml 
@@ -0,0 +1,104 @@
+kind: pipeline
+name: default
+type: docker
+
+steps:
+
+ - name: create-helm-template
+ image: alpine/helm:3.12.3
+ commands:
+ - helm template keycloak-dev ./deploy/helm --namespace keycloak-dev --values ./deploy/helm/keycloak-dev-values.yaml > ./deploy/helm/k8s-keycloak-dev.yaml
+ when:
+ branch:
+ - master
+
+ - name: deploy
+ image: ghcr.io/bh90210/dron8s:latest
+ settings:
+ yaml: ./deploy/helm/k8s-keycloak-dev.yaml
+ kubeconfig:
+ from_secret: kubeconfig
+ depends_on:
+ - create-helm-template
+ when:
+ branch:
+ - master
+
+ - name: notify-deploy-success
+ image: appleboy/drone-telegram
+ settings:
+ token:
+ from_secret: telegram_bot_token
+ to:
+ from_secret: telegram_chat_id
+ message: |
+ 🚀 Деплой успешно отправлен!
+ Сборка #{{build.number}}
+ Репозиторий: {{repo.name}}
+ Ветка: {{commit.branch}}
+ when:
+ status: [ success ]
+ depends_on:
+ - deploy
+
+ - name: notify-deploy-failure
+ image: appleboy/drone-telegram
+ settings:
+ token:
+ from_secret: telegram_bot_token
+ to:
+ from_secret: telegram_chat_id
+ message: |
+ ❌ Деплой не отправлен!
+ Сборка #{{build.number}}
+ Репозиторий: {{repo.name}}
+ Ветка: {{commit.branch}}
+ when:
+ status: [ failure ]
+ depends_on:
+ - deploy
+
+ - name: notify-build-status
+ image: appleboy/drone-telegram
+ settings:
+ token:
+ from_secret: telegram_bot_token
+ to:
+ from_secret: telegram_chat_id
+ message: |
+ {{#eq build.status "success"}}📣 Сборка #{{build.number}} завершилась со статусом: {{build.status}}!{{/eq}}
+ {{#eq build.status "failure"}}🧱 Сборка #{{build.number}} завершилась со статусом: {{build.status}}!{{/eq}}
+ Репозиторий: {{repo.name}}
+ Ветка: {{commit.branch}}
+ Автор: {{commit.author}}
+ Сообщение: {{commit.message}}
+ Подробнее: [Ссылка на сборку]({{build.link}})
+ when:
+ status: [ success, failure ]
+ depends_on:
+ - notify-deploy-success
+ - notify-deploy-failure
+
+image_pull_secrets:
+ - dockerconfig
+
+node:
+ node: 149.154.64.5
+
+trigger:
+ event:
+ include:
+ - push
+ - tag
+ - pull_request
+ - rollback
+
+volumes:
+ - name: out
+ temp: {}
+ - name: dockersock
+ host:
+ path: /var/run/docker.sock
+ - name: cache
+ host:
+ path: /tmp/.buildx-cache
diff --git a/build/docker-compose-local.yml b/build/docker-compose-local.yml
new file mode 100644
index 0000000..ad323e8
--- /dev/null
+++ b/build/docker-compose-local.yml
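Review bot: The `deploy` step hands the cluster `kubeconfig` secret to `ghcr.io/bh90210/dron8s:latest`, a third-party plugin pulled by a mutable tag, so whoever controls that tag controls the cluster; pin it (and `appleboy/drone-telegram`) to an immutable `@sha256:` digest. `trigger.event` also includes `pull_request` and `rollback` while `create-helm-template` and `deploy` are gated only on `branch: master`; Drone evaluates `branch` against the target branch of a pull request, so a PR opened against master appears to satisfy that condition, and those steps should additionally carry `event: [push, tag]` in their `when:` unless the `kubeconfig` secret is already denied to pull-request events in Drone's secret settings. The `helm template` step writes the rendered Secret, credentials included, to `./deploy/helm/k8s-keycloak-dev.yaml` in the workspace, so that path must never be committed or published as an artifact. The `dockersock` host volume is declared but mounted by no step and can be dropped.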
@@ -0,0 +1,41 @@
+version: "3.8"
+
+services:
+ postgres_keycloak:
+ container_name: postgres_keycloak
+ image: postgres:14
+ environment:
+ KEYCLOAK_DB_HOST: localhost
+ POSTGRES_USER: ${POSTGRES_USER:-postgres}
+ POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:-postgres}
+ POSTGRES_DB: keycloak_db
+ healthcheck:
+ test: "exit 0"
+ ports:
+ - "5433:5432"
+ volumes:
+ - ./pgdata_keycloak:/var/lib/postgresql/data
+ restart: unless-stopped
+
+ keycloak:
+ image: quay.io/keycloak/keycloak:legacy
+ container_name: keycloak
+ environment:
+ TZ: Europe/Moscow
+ DB_VENDOR: POSTGRES
+ DB_ADDR: postgres_keycloak
+ DB_DATABASE: keycloak_db
+ DB_USER: ${POSTGRES_USER:-postgres}
+ DB_PASSWORD: ${POSTGRES_PASSWORD:-postgres}
+ KEYCLOAK_USER: admin
+ KEYCLOAK_PASSWORD: admin_password
+ KEYCLOAK_PORT: 8080
+ KEYCLOAK_HOST: localhost
+ restart: unless-stopped
+ healthcheck:
+ test: "exit 0"
+ ports:
+ - "8484:8080"
+ depends_on:
+ postgres_keycloak:
+ condition: service_healthy
diff --git a/deploy/helm/.helmignore b/deploy/helm/.helmignore
new file mode 100644
index 0000000..0e8a0eb
--- /dev/null
+++ b/deploy/helm/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/deploy/helm/Chart.yaml b/deploy/helm/Chart.yaml
new file mode 100644
index 0000000..0d2ea5d
--- /dev/null
+++ b/deploy/helm/Chart.yaml
@@ -0,0 +1,5 @@
+apiVersion: v2
+appVersion: "1.0"
+description: A Helm chart for Kubernetes
+name: keycloak
+version: 0.1.0
diff --git a/deploy/helm/keycloak-dev-values.yaml b/deploy/helm/keycloak-dev-values.yaml
new file mode 100644
index 0000000..dbb521f
--- /dev/null
+++ b/deploy/helm/keycloak-dev-values.yaml
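Review bot: Both `healthcheck` blocks use `test: "exit 0"`, which always succeeds, so `condition: service_healthy` on the `keycloak` service never actually waits for Postgres to accept connections; use `test: ["CMD-SHELL", "pg_isready -U postgres"]` on the database and drop the no-op check on Keycloak. The published ports `"5433:5432"` and `"8484:8080"` bind on every interface, exposing a database with default `postgres`/`postgres` credentials and a Keycloak admin account with the fixed password `admin_password` to the local network; bind them to loopback, `"127.0.0.1:5433:5432"` and `"127.0.0.1:8484:8080"`, and take `KEYCLOAK_PASSWORD` from the environment the way the Postgres credentials already are. `quay.io/keycloak/keycloak:legacy` is the WildFly distribution, which as far as I know stopped receiving updates after Keycloak 19, so a comment should mark this file as local-only or the image should move to a current tag with the `KC_*` configuration.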
@@ -0,0 +1,80 @@
+
+namespace: keycloak-dev
+
+image:
+ repository: quay.io/keycloak/keycloak
+ tag: legacy
+ pullPolicy: Always
+
+service:
+ type: ClusterIP
+ port: 8080
+ targetPort: 8080
+
+replicaCount: 1
+
+ingress:
+ enabled: true
+ annotations:
+ nginx.ingress.kubernetes.io/proxy-body-size: "51m"
+ kubernetes.io/ingress.class: nginx
+ cert-manager.io/cluster-issuer: letsencrypt-prod
+ cert-manager.io/issue-temporary-certificate: "true"
+ acme.cert-manager.io/http01-edit-in-place: "true"
+ ingress.kubernetes.io/ssl-redirect: "true"
+ tlsEnabled: true # New parameter to control TLS
+ hosts:
+ - host: sso.dev.essocode.ru
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ tls:
+ - secretName: keycloak-tls
+ hosts:
+ - sso.dev.essocode.ru
+
+secret:
+ enabled: true
+ name: keycloak-back-cred
+ data:
+ KEYCLOAK_FRONTEND_URL: aHR0cHM6Ly9zc28uZGV2LmVzc29jb2RlLnJ1L2F1dGg=
+ TZ: RXVyb3BlL01vc2Nvdw==
+ DB_VENDOR: UE9TVEdSRVM=
+ DB_ADDR: MjE3Ljc5LjIyLjQ2
+ DB_PORT: NTQzMg==
+ DB_DATABASE: a2V5Y2xvYWtfZGI=
+ DB_USER: cm9vdA==
+ DB_PASSWORD: cm9vdA==
+ KEYCLOAK_USER: YWRtaW4=
+ KEYCLOAK_PASSWORD: YWRtaW5fcGFzc3dvcmQ=
+ KEYCLOAK_PORT: ODA4MA==
+ KEYCLOAK_HOST: bG9jYWxob3N0
+ KC_HOSTNAME: c3NvLmRldi5lc3NvY29kZS5ydQ==
+ KC_HOSTNAME_ADMIN_URL: aHR0cHM6Ly9zc28uZGV2LmVzc29jb2RlLnJ1L2F1dGgvYWRtaW4=
+ KC_HOSTNAME_URL: aHR0cHM6Ly9zc28uZGV2LmVzc29jb2RlLnJ1L2F1dGg=
+ KC_PROXY: ZWRnZQ==
+
+env:
+ TZ: TZ
+ DB_VENDOR: DB_VENDOR
+ DB_ADDR: DB_ADDR
+ DB_PORT: DB_PORT
+ DB_DATABASE: DB_DATABASE
+ DB_USER: DB_USER
+ DB_PASSWORD: DB_PASSWORD
+ KEYCLOAK_USER: KEYCLOAK_USER
+ KEYCLOAK_PASSWORD: KEYCLOAK_PASSWORD
+ KEYCLOAK_PORT: KEYCLOAK_PORT
+ KEYCLOAK_HOST: KEYCLOAK_HOST
+ KEYCLOAK_FRONTEND_URL: KEYCLOAK_FRONTEND_URL
+ KC_HOSTNAME: KC_HOSTNAME
+ KC_HOSTNAME_URL: KC_HOSTNAME_URL
+ KC_HOSTNAME_ADMIN_URL: KC_HOSTNAME_ADMIN_URL
+ KC_PROXY: KC_PROXY
+
+appName: keycloak
+
+imagePullSecrets:
+ - registrypullsecret
+
+resources: {}
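Review bot: `secret.data` commits live credentials to the repository: the base64 values decode to `DB_USER`/`DB_PASSWORD` `root`/`root`, `KEYCLOAK_USER`/`KEYCLOAK_PASSWORD` `admin`/`admin_password` and `DB_ADDR` `217.79.22.46`, a public address, so anyone with read access to this repo has the database superuser and the Keycloak admin account; base64 is an encoding, not a protection. Remove `secret.data` from the values file, create `keycloak-back-cred` out of band (`kubectl create secret generic`, Sealed Secrets or External Secrets), set `secret.enabled: false`, and rotate every value listed here since it is already in git history. Separately, the `legacy` (WildFly) image is configured through `DB_*`/`KEYCLOAK_*`, while `KC_HOSTNAME*`/`KC_PROXY` are Quarkus-distribution settings, so one of the two families is presumably ignored; confirm which distribution is intended and drop the other set. `pullPolicy: Always` on a mutable `legacy` tag also means any pod restart may pull a different image; pin `image.tag` to a specific release.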
diff --git a/deploy/helm/templates/deployment.yaml b/deploy/helm/templates/deployment.yaml
new file mode 100644
index 0000000..f5071e4
--- /dev/null
+++ b/deploy/helm/templates/deployment.yaml
@@ -0,0 +1,108 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ .Values.appName }}-deployment
+ namespace: {{ .Values.namespace }}
+ labels:
+ app: {{ .Values.appName }}
+spec:
+ replicas: {{ .Values.replicaCount }}
+ selector:
+ matchLabels:
+ app: {{ .Values.appName }}
+ template:
+ metadata:
+ labels:
+ app: {{ .Values.appName }}
+ spec:
+ containers:
+ - name: {{ .Values.appName }}-dev
+ image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+ imagePullPolicy: "{{ .Values.image.pullPolicy }}"
+ ports:
+ - containerPort: {{ .Values.service.port }}
+ env:
+ - name: TZ
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.secret.name }}
+ key: {{ .Values.env.TZ }}
+ - name: DB_VENDOR
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.secret.name }}
+ key: {{ .Values.env.DB_VENDOR }}
+ - name: DB_ADDR
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.secret.name }}
+ key: {{ .Values.env.DB_ADDR }}
+ - name: DB_PORT
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.secret.name }}
+ key: {{ .Values.env.DB_PORT }}
+ - name: DB_DATABASE
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.secret.name }}
+ key: {{ .Values.env.DB_DATABASE }}
+ - name: DB_USER
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.secret.name }}
+ key: {{ .Values.env.DB_USER }}
+ - name: DB_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.secret.name }}
+ key: {{ .Values.env.DB_PASSWORD }}
+ - name: KEYCLOAK_USER
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.secret.name }}
+ key: {{ .Values.env.KEYCLOAK_USER }}
+ - name: KEYCLOAK_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.secret.name }}
+ key: {{ .Values.env.KEYCLOAK_PASSWORD }}
+ - name: KEYCLOAK_PORT
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.secret.name }}
+ key: {{ .Values.env.KEYCLOAK_PORT }}
+ - name: KEYCLOAK_HOST
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.secret.name }}
+ key: {{ .Values.env.KEYCLOAK_HOST }}
+ - name: KEYCLOAK_FRONTEND_URL
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.secret.name }}
+ key: {{ .Values.env.KEYCLOAK_FRONTEND_URL }}
+ - name: KC_HOSTNAME
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.secret.name }}
+ key: {{ .Values.env.KC_HOSTNAME }}
+ - name: KC_HOSTNAME_URL
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.secret.name }}
+ key: {{ .Values.env.KC_HOSTNAME_URL }}
+ - name: KC_HOSTNAME_ADMIN_URL
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.secret.name }}
+ key: {{ .Values.env.KC_HOSTNAME_ADMIN_URL }}
+ - name: KC_PROXY
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.secret.name }}
+ key: {{ .Values.env.KC_PROXY }}
+ imagePullSecrets:
+ {{- range .Values.imagePullSecrets }}
+ - name: {{ . }}
+ {{- end }}
diff --git a/deploy/helm/templates/ingress.yaml b/deploy/helm/templates/ingress.yaml
new file mode 100644
index 0000000..8b8d3b4
--- /dev/null
+++ b/deploy/helm/templates/ingress.yaml
@@ -0,0 +1,35 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: {{ .Values.appName }}-ingress
+ namespace: {{ .Values.namespace }}
+ annotations:
+ {{- toYaml .Values.ingress.annotations | nindent 4 }}
+spec:
+ ingressClassName: nginx
+ rules:
+ {{- range .Values.ingress.hosts }}
+ - host: {{ .host }}
+ http:
+ paths:
+ {{- range .paths }}
+ - path: {{ .path }}
+ pathType: {{ .pathType }}
+ backend:
+ service:
+ name: {{ $.Values.appName }}-service
+ port:
+ number: {{ $.Values.service.port }}
+ {{- end }}
+ {{- end }}
+
+ {{- if .Values.ingress.tlsEnabled }}
+ tls:
+ {{- range .Values.ingress.tls }}
+ - hosts:
+ {{- range .hosts }}
+ - {{ . }}
+ {{- end }}
+ secretName: {{ .secretName }}
+ {{- end }}
+ {{- end }}
diff --git a/deploy/helm/templates/secret.yaml b/deploy/helm/templates/secret.yaml
new file mode 100644
index 0000000..6c698ae
--- /dev/null
+++ b/deploy/helm/templates/secret.yaml
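Review bot: The pod template sets no `securityContext`, no `resources` and no probes: the container runs with whatever user the image defaults to, full default capabilities and privilege escalation allowed, and `.Values.resources` is declared in the values file but never rendered by this template. Add a restricted security context, render `resources`, and give Keycloak a readiness probe so a pod whose database connection failed is not kept in the Service; the probe path below assumes the `/auth` context path visible in `KEYCLOAK_FRONTEND_URL` and should be confirmed against the running image, and `runAsUser` may need to be set explicitly if the kubelet cannot verify the image's user for `runAsNonRoot`. The `env` block also goes through a needless indirection (`key: {{ .Values.env.TZ }}` where the values map every name to itself) and can be replaced by `envFrom` on the same Secret, which keeps the identical 16 variables while removing 80 lines.
```yaml
    spec:
      securityContext:
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: {{ .Values.appName }}-dev
          image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
          imagePullPolicy: "{{ .Values.image.pullPolicy }}"
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
          resources:
            {{- toYaml .Values.resources | nindent 12 }}
          ports:
            - containerPort: {{ .Values.service.port }}
          envFrom:
            - secretRef:
                name: {{ .Values.secret.name }}
          readinessProbe:
            httpGet:
              path: /auth/realms/master  # confirm against the image's context path
              port: {{ .Values.service.port }}
            initialDelaySeconds: 30
            periodSeconds: 10
      # … unchanged: imagePullSecrets range …
```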
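Review bot: The Ingress sets `spec.ingressClassName: nginx` and, through the values annotations, the deprecated `kubernetes.io/ingress.class: nginx` as well; recent ingress-nginx releases warn when both are present and, as far as I recall, ignore the object, so keep only `ingressClassName` and remove the annotation from `keycloak-dev-values.yaml`. `ingress.kubernetes.io/ssl-redirect` is not an ingress-nginx annotation key (the controller reads `nginx.ingress.kubernetes.io/ssl-redirect`); TLS-configured hosts redirect by default, but the annotation as written is presumably a no-op and should be corrected or dropped so nobody relies on it. The single `path: /` rule also publishes the admin console (`/auth/admin`, per `KC_HOSTNAME_ADMIN_URL`) to the internet; if the admin UI does not need to be public, add a second Ingress for that path carrying `nginx.ingress.kubernetes.io/whitelist-source-range`. The class name is hard-coded while everything else comes from values, so `ingressClassName: {{ .Values.ingress.className | default "nginx" }}` would keep the chart consistent.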
@@ -0,0 +1,25 @@
+apiVersion: v1
+kind: Secret
+type: Opaque
+metadata:
+ name: {{ .Values.secret.name }}
+ namespace: {{ .Values.namespace }}
+data:
+ TZ: {{ .Values.secret.data.TZ }}
+ DB_VENDOR: {{ .Values.secret.data.DB_VENDOR }}
+ DB_ADDR: {{ .Values.secret.data.DB_ADDR }}
+ DB_PORT: {{ .Values.secret.data.DB_PORT }}
+ DB_DATABASE: {{ .Values.secret.data.DB_DATABASE }}
+ DB_USER: {{ .Values.secret.data.DB_USER }}
+ DB_PASSWORD: {{ .Values.secret.data.DB_PASSWORD }}
+ KEYCLOAK_USER: {{ .Values.secret.data.KEYCLOAK_USER }}
+ KEYCLOAK_PASSWORD: {{ .Values.secret.data.KEYCLOAK_PASSWORD }}
+ KEYCLOAK_PORT: {{ .Values.secret.data.KEYCLOAK_PORT }}
+ KEYCLOAK_HOST: {{ .Values.secret.data.KEYCLOAK_HOST }}
+ KEYCLOAK_FRONTEND_URL: {{ .Values.secret.data.KEYCLOAK_FRONTEND_URL }}
+ KC_HOSTNAME: {{ .Values.secret.data.KC_HOSTNAME }}
+ KC_HOSTNAME_URL: {{ .Values.secret.data.KC_HOSTNAME_URL }}
+ KC_HOSTNAME_ADMIN_URL: {{ .Values.secret.data.KC_HOSTNAME_ADMIN_URL }}
+ KC_PROXY: {{ .Values.secret.data.KC_PROXY }}
+
+
diff --git a/deploy/helm/templates/service.yaml b/deploy/helm/templates/service.yaml
new file mode 100644
index 0000000..8e580f1
--- /dev/null
+++ b/deploy/helm/templates/service.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ .Values.appName }}-service
+ namespace: {{ .Values.namespace }}
+spec:
+ selector:
+ app: {{ .Values.appName }}
+ ports:
+ - name: http
+ port: {{ .Values.service.port }}
+ targetPort: {{ .Values.service.targetPort }}
diff --git a/deploy/k8s-keycloak.yml.old b/deploy/k8s-keycloak.yml.old
new file mode 100644
index 0000000..81f73a9
--- /dev/null
+++ b/deploy/k8s-keycloak.yml.old
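Review bot: `secret.enabled` exists in the values file but this template never consults it, so the Secret is rendered unconditionally; wrap the document in `{{- if .Values.secret.enabled }}` … `{{- end }}` so the chart can be pointed at a Secret created out of band instead of one whose contents live in git. Every `data` value is emitted as an unquoted scalar (`TZ: {{ .Values.secret.data.TZ }}`), so an empty or missing value renders as `null` rather than a string; either quote each one, `TZ: {{ .Values.secret.data.TZ | quote }}`, or replace the 16 lines with `{{- toYaml .Values.secret.data | nindent 2 }}` under `data:` so new keys need no template change. For anything that must remain in a values file, `stringData:` with plain values is more honest than base64, which only obscures what is being committed.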
@@ -0,0 +1,179 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: keycloak-dev
+
+---
+apiVersion: v1
+kind: Secret
+type: Opaque
+metadata:
+ name: keycloak-back-cred
+ namespace: keycloak-dev
+data:
+ KEYCLOAK_FRONTEND_URL: aHR0cHM6Ly9zc28uZGV2LmVzc29jb2RlLnJ1L2F1dGg=
+ TZ: RXVyb3BlL01vc2Nvdw==
+ DB_VENDOR: UE9TVEdSRVM=
+ DB_ADDR: MjE3Ljc5LjIyLjQ2
+ DB_PORT: NTQzMg==
+ DB_DATABASE: a2V5Y2xvYWtfZGI=
+ DB_USER: cm9vdA==
+ DB_PASSWORD: cm9vdA==
+ KEYCLOAK_USER: YWRtaW4=
+ KEYCLOAK_PASSWORD: YWRtaW5fcGFzc3dvcmQ=
+ KEYCLOAK_PORT: ODA4MA==
+ KEYCLOAK_HOST: bG9jYWxob3N0
+ KC_HOSTNAME: c3NvLmRldi5lc3NvY29kZS5ydQ==
+ KC_HOSTNAME_ADMIN_URL: aHR0cHM6Ly9zc28uZGV2LmVzc29jb2RlLnJ1L2F1dGgvYWRtaW4=
+ KC_HOSTNAME_URL: aHR0cHM6Ly9zc28uZGV2LmVzc29jb2RlLnJ1L2F1dGg=
+ KC_PROXY: ZWRnZQ==
+
+---
+
+apiVersion: v1
+kind: Service
+metadata:
+ name: keycloak
+ namespace: keycloak-dev
+spec:
+ ports:
+ - port: 8080
+ targetPort: 8080
+ selector:
+ app: keycloak
+
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: keycloak
+ namespace: keycloak-dev
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: keycloak
+ template:
+ metadata:
+ labels:
+ app: keycloak
+ spec:
+ containers:
+ - name: keycloak
+ image: quay.io/keycloak/keycloak:legacy
+ ports:
+ - containerPort: 8080
+ env:
+ - name: TZ
+ valueFrom:
+ secretKeyRef:
+ name: keycloak-back-cred
+ key: TZ
+ - name: DB_VENDOR
+ valueFrom:
+ secretKeyRef:
+ name: keycloak-back-cred
+ key: DB_VENDOR
+ - name: DB_ADDR
+ valueFrom:
+ secretKeyRef:
+ name: keycloak-back-cred
+ key: DB_ADDR
+ - name: DB_PORT
+ valueFrom:
+ secretKeyRef:
+ name: keycloak-back-cred
+ key: DB_PORT
+ - name: DB_DATABASE
+ valueFrom:
+ secretKeyRef:
+ name: keycloak-back-cred
+ key: DB_DATABASE
+ - name: DB_USER
+ valueFrom:
+ secretKeyRef:
+ name: keycloak-back-cred
+ key: DB_USER
+ - name: DB_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: keycloak-back-cred
+ key: DB_PASSWORD
+ - name: KEYCLOAK_USER
+ valueFrom:
+ secretKeyRef:
+ name: keycloak-back-cred
+ key: KEYCLOAK_USER
+ - name: KEYCLOAK_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: keycloak-back-cred
+ key: KEYCLOAK_PASSWORD
+ - name: KEYCLOAK_PORT
+ valueFrom:
+ secretKeyRef:
+ name: keycloak-back-cred
+ key: KEYCLOAK_PORT
+ - name: KEYCLOAK_HOST
+ valueFrom:
+ secretKeyRef:
+ name: keycloak-back-cred
+ key: KEYCLOAK_HOST
+ - name: KEYCLOAK_FRONTEND_URL
+ valueFrom:
+ secretKeyRef:
+ name: keycloak-back-cred
+ key: KEYCLOAK_FRONTEND_URL
+ - name: KC_HOSTNAME
+ valueFrom:
+ secretKeyRef:
+ key: KC_HOSTNAME
+ name: keycloak-back-cred
+ - name: KC_HOSTNAME_URL
+ valueFrom:
+ secretKeyRef:
+ key: KC_HOSTNAME_URL
+ name: keycloak-back-cred
+ - name: KC_HOSTNAME_ADMIN_URL
+ valueFrom:
+ secretKeyRef:
+ key: KC_HOSTNAME_ADMIN_URL
+ name: keycloak-back-cred
+ - name: KC_PROXY
+ valueFrom:
+ secretKeyRef:
+ key: KC_PROXY
+ name: keycloak-back-cred
+ imagePullPolicy: IfNotPresent
+
+---
+
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: keycloak-ingress
+ namespace: keycloak-dev
+ annotations:
+ kubernetes.io/ingress.class: nginx
+ cert-manager.io/cluster-issuer: letsencrypt-prod
+ cert-manager.io/issue-temporary-certificate: "true"
+ acme.cert-manager.io/http01-edit-in-place: "true"
+ ingress.kubernetes.io/ssl-redirect: "true"
+ nginx.ingress.kubernetes.io/additional-headers: Content-Security-Policy
+spec:
+ rules:
+ - host: sso.dev.essocode.ru
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: keycloak
+ port:
+ number: 8080
+ tls:
+ - hosts:
+ - sso.dev.essocode.ru
+ secretName: keycloak-tls
-- 2.40.1
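Review bot: `deploy/k8s-keycloak.yml.old` is a superseded manifest, yet it is added to the repository carrying the same Secret (`DB_USER`/`DB_PASSWORD` decode to `root`/`root`, `KEYCLOAK_PASSWORD` to `admin_password`, `DB_ADDR` to `217.79.22.46`), so renaming it to `.old` only doubles the places those credentials live; delete the file instead, and treat every value in it as compromised because it is now in history. The ingress annotation `nginx.ingress.kubernetes.io/additional-headers: Content-Security-Policy` is not, as far as I know, an ingress-nginx annotation (response headers are added through `custom-headers` pointing at a ConfigMap, or a `configuration-snippet`), and the Helm chart in this same commit drops it entirely; if a CSP for Keycloak was intended, it should be re-added to the chart in a working form rather than survive only here.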