keycloak: add role and ci pipeline

This commit is contained in:
Haitao Pan 2023-03-24 14:05:39 +08:00
parent 966a7489de
commit e625f63d7b
10 changed files with 220 additions and 2 deletions


@ -0,0 +1,68 @@
name: setup keycloak
on:
workflow_dispatch:
branches: [ 'main' ]
env:
DNS_AK: ${{ secrets.DNS_AK }}
DNS_SK: ${{ secrets.DNS_SK }}
SSH_PUBLIC_KEY: ${{ secrets.SSH_PUBLIC_KEY }}
SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_KEY }}
PULUMI_CONFIG_PASSPHRASE: ${{ secrets.PULUMI_PASS }}
PULUMI_DISABLE_CI_DETECTION: true
AWS_REGION: ap-east-1
defaults:
run:
working-directory: ./playbook
jobs:
k3s-cluster:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: run playbook
shell: bash
run: |
export ANSIBLE_HOST_KEY_CHECKING=False
sudo apt install jq ansible -y
sudo rm -rvf /home/runner/.pulumi/
curl -o setup.sh https://get.pulumi.com && sh setup.sh --version 3.57.0
pulumi login s3://pulumi-aws-dev
pulumi stack select dev
db_server_public_ip=`pulumi stack output --json | jq '.db_server_public_ip'`
k3s_server_public_ip=`pulumi stack output --json | jq '.k3s_server_public_ip'`
mkdir -pv ~/.ssh/
cat > ~/.ssh/id_rsa << EOF
${SSH_PRIVATE_KEY}
EOF
sudo chmod 0400 ~/.ssh/id_rsa
md5sum ~/.ssh/id_rsa
cat > hosts/inventory << EOF
[master]
k3s-server ansible_host=$k3s_server_public_ip
[node]
db-server ansible_host=$db_server_public_ip
[all:vars]
ansible_port=22
ansible_ssh_user=ubuntu
ansible_ssh_private_key_file=~/.ssh/id_rsa
ansible_host_key_checking=False
dns_ak=$DNS_AK
dns_sk=$DNS_SK
keycloak_ui_password=$OIDC_ADMIN_PASSWORD
lb_ip=$k3s_server_public_ip
EOF
ansible-playbook -i hosts/inventory jobs/init_keycloak -D
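Review bot: The inventory line `keycloak_ui_password=$OIDC_ADMIN_PASSWORD` reads a variable that the `env:` block never defines, so the inventory is written with an empty password and the keycloak role later hands that empty value to the Keycloak admin account; add `OIDC_ADMIN_PASSWORD: ${{ secrets.OIDC_ADMIN_PASSWORD }}` to `env:` (the secret name is a placeholder — use whatever the repository actually defines). `md5sum ~/.ssh/id_rsa` prints a digest of the deploy key into the job log and is not needed for the run; drop it, or replace it with `test -s ~/.ssh/id_rsa` if the intent is a presence check. The two `jq` calls lack `-r`, so the IPs keep their JSON quotes and the inventory gets `ansible_host="1.2.3.4"`; Ansible's INI parser may strip them, but `jq -r '.k3s_server_public_ip'` is the unambiguous form. As far as I know `branches:` is not a key the `workflow_dispatch` trigger accepts (only `inputs`), so it is at best ignored. The same points apply to the setup-mysql workflow below, which copies this step verbatim.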


@ -0,0 +1,67 @@
name: setup mysql
on:
workflow_dispatch:
branches: [ 'main' ]
env:
DNS_AK: ${{ secrets.DNS_AK }}
DNS_SK: ${{ secrets.DNS_SK }}
SSH_PUBLIC_KEY: ${{ secrets.SSH_PUBLIC_KEY }}
SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_KEY }}
PULUMI_CONFIG_PASSPHRASE: ${{ secrets.PULUMI_PASS }}
PULUMI_DISABLE_CI_DETECTION: true
AWS_REGION: ap-east-1
defaults:
run:
working-directory: ./playbook
jobs:
k3s-cluster:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: run playbook
shell: bash
run: |
export ANSIBLE_HOST_KEY_CHECKING=False
sudo apt install jq ansible -y
sudo rm -rvf /home/runner/.pulumi/
curl -o setup.sh https://get.pulumi.com && sh setup.sh --version 3.57.0
pulumi login s3://pulumi-aws-dev
pulumi stack select dev
db_server_public_ip=`pulumi stack output --json | jq '.db_server_public_ip'`
k3s_server_public_ip=`pulumi stack output --json | jq '.k3s_server_public_ip'`
mkdir -pv ~/.ssh/
cat > ~/.ssh/id_rsa << EOF
${SSH_PRIVATE_KEY}
EOF
sudo chmod 0400 ~/.ssh/id_rsa
md5sum ~/.ssh/id_rsa
cat > hosts/inventory << EOF
[master]
k3s-server ansible_host=$k3s_server_public_ip
[node]
db-server ansible_host=$db_server_public_ip
[all:vars]
ansible_port=22
ansible_ssh_user=ubuntu
ansible_ssh_private_key_file=~/.ssh/id_rsa
ansible_host_key_checking=False
dns_ak=$DNS_AK
dns_sk=$DNS_SK
lb_ip=$k3s_server_public_ip
EOF
ansible-playbook -i hosts/inventory jobs/init_postgresql -D
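Review bot: The workflow is named `setup mysql` but the only playbook it runs is `jobs/init_postgresql`, so the Actions tab will mislabel what this job installs; change it to `name: setup postgresql`. The job id `k3s-cluster` is likewise carried over from the keycloak workflow and says nothing about the job; `postgresql` would read better. `SSH_PUBLIC_KEY` is exported but never used in the step and can be removed.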


@ -0,0 +1,13 @@
- name: setup redis
hosts: all
user: root
become: yes
gather_facts: yes
tasks:
- include_role:
name: keycloak
vars:
group: master
namespace: itsm
domain: onwalk.net
secret: keycloak-tls
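Review bot: The play is named `setup redis` but the only thing it does is include the `keycloak` role; change the first line to `- name: setup keycloak`. `become: yes` and `gather_facts: yes` are YAML 1.1 booleans that yamllint's truthy rule flags and 1.2 parsers read as strings; write `true`. `user: root` here conflicts with `ansible_ssh_user=ubuntu` in the inventory the workflow generates; as far as I recall inventory connection variables take precedence over the play keyword, so the line is likely dead and only confuses readers. The same remarks apply to the postgresql play in the next file.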


@ -0,0 +1,10 @@
- name: set postgresql
hosts: all
user: root
become: yes
gather_facts: yes
tasks:
- include_role:
name: postgresql
vars:
group: master


@ -0,0 +1,33 @@
#!/bin/bash
export keycloak_db_password=$1
export keycloak_ui_password=$2
export domain=$3
export secret=$4
export namespace=$5
cat > keycloak-vaules.yaml << EOF
postgresql:
enabled: false
ingress:
enabled: true
ingressClassName: "nginx"
hostname: keycloak.${domain}
tls: true
extraTls:
- hosts:
- keycloak.${domain}
secretName: $secret
auth:
adminPassword: "$keycloak_ui_password"
externalDatabase:
host: "postgresql.database.svc.cluster.local"
port: 5432
user: keycloak
database: keycloak
password: "$keycloak_db_password"
EOF
helm repo add bitnami https://charts.bitnami.com/bitnami
helm repo update
helm upgrade --install keycloak bitnami/keycloak -n $namespace --create-namespace -f keycloak-vaules.yaml
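Review bot: The script has no `set -e`, and `keycloak-vaules.yaml`, which holds both the admin and the database password, is written with the process umask into the working directory and left behind after `helm upgrade` returns or fails, so the credentials outlive the run on the node. Write the values to a `mktemp` file removed by an EXIT trap, and quote the expansions so an empty argument fails loudly instead of rendering `keycloak.` as the hostname; sketch below, which also fixes the `vaules` typo. The passwords additionally arrive as positional arguments, which appear in the process list while the script runs; passing them via the task's `environment:` instead of `$1`/`$2` avoids that and keeps the role interface otherwise unchanged.
```shell
#!/bin/bash
set -euo pipefail
# … unchanged: positional argument exports …
values_file="$(mktemp)"
trap 'rm -f "$values_file"' EXIT
cat > "$values_file" << EOF
# … unchanged: chart values body …
EOF
# … unchanged: helm repo add / update …
helm upgrade --install keycloak bitnami/keycloak -n "${namespace:?}" --create-namespace -f "$values_file"
```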


@ -0,0 +1,3 @@
dependencies:
- role: cert-manager
- role: postgresql


@ -0,0 +1,13 @@
- name: get db password
shell: 'kubectl get secret --namespace database postgresql -o jsonpath="{.data.postgres-password}" | base64 -d'
register: command_raw
when: inventory_hostname in groups[group][0]
- name: set fact join command
set_fact:
keycloak_db_password : "{{ command_raw.stdout_lines[0] }}"
when: inventory_hostname in groups[group][0]
- name: Setup Keycloak Server
script: files/setup-keycloak.sh {{ hostvars[groups[group][0]].keycloak_db_password }} {{ keycloak_ui_password }} {{ domain }} {{ secret }} {{ namespace }}
when: inventory_hostname in groups[group]
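Review bot: `inventory_hostname in groups[group][0]` on the first two `when:` lines is a substring test against one hostname string, not list membership, so a host whose name is a prefix of the first group member would also match; use `when: inventory_hostname == groups[group][0]`. Both the `shell` task that registers the database password and the `script` task that passes it as an argument should carry `no_log: true`, otherwise the registered stdout and the rendered script arguments appear in playbook output, including the `-D` run the workflow performs. `keycloak_db_password :` has a space before the colon; drop it for consistency with the other keys. The third task's `in groups[group]` is a proper list membership check and is fine as written.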


@ -1,4 +1,6 @@
helm repo add bitnami https://charts.bitnami.com/bitnami
#!/bin/bash
helm repo add bitnami https://charts.bitnami.com/bitnami || echo true
helm repo up
kubectl create ns database
kubectl create ns database || echo true
helm upgrade --install mysql bitnami/mysql -n database
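Review bot: `|| echo true` after `helm repo add` and `kubectl create ns` hides every failure of those commands, not just the "already exists" case, and prints a stray `true` to the output. `|| true` is the idiomatic no-op, and `kubectl get ns database >/dev/null 2>&1 || kubectl create ns database` keeps a real error visible while still tolerating a pre-existing namespace. The same pattern is copied into the new setup-postgresql.sh below.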


@ -0,0 +1,6 @@
#!/bin/bash
helm repo add bitnami https://charts.bitnami.com/bitnami || echo true
helm repo up
kubectl create ns database || echo true
helm upgrade --install postgresql bitnami/postgresql -n database


@ -0,0 +1,3 @@
- name: Setup PostgreSQL Server
script: setup-postgresql.sh
when: inventory_hostname in groups[group]