keycloak: add role and ci pipeline

.github/workflows/pulumi-cloud-resource-keycloak.yml

@@ -0,0 +1,68 @@
+name: setup keycloak 
+
+on:
+  workflow_dispatch:
+    branches: [ 'main' ]
+
+env:
+  DNS_AK: ${{ secrets.DNS_AK }}
+  DNS_SK: ${{ secrets.DNS_SK }}
+  SSH_PUBLIC_KEY: ${{ secrets.SSH_PUBLIC_KEY }}
+  SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
+  AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY }}
+  AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_KEY }}
+  PULUMI_CONFIG_PASSPHRASE: ${{ secrets.PULUMI_PASS }}
+  PULUMI_DISABLE_CI_DETECTION: true
+  AWS_REGION: ap-east-1
+
+defaults:
+  run:
+    working-directory: ./playbook
+
+jobs:
+  k3s-cluster:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: run playbook
+        shell: bash
+        run: |
+          export ANSIBLE_HOST_KEY_CHECKING=False
+
+          sudo apt install jq ansible -y
+          sudo rm -rvf /home/runner/.pulumi/
+          curl -o setup.sh https://get.pulumi.com && sh setup.sh --version 3.57.0
+
+          pulumi login s3://pulumi-aws-dev
+          pulumi stack select dev
+
+          db_server_public_ip=`pulumi stack output --json | jq '.db_server_public_ip'`
+          k3s_server_public_ip=`pulumi stack output --json | jq '.k3s_server_public_ip'`
+          
+          mkdir -pv ~/.ssh/
+          cat > ~/.ssh/id_rsa << EOF
+          ${SSH_PRIVATE_KEY}
+          EOF
+          sudo chmod 0400 ~/.ssh/id_rsa
+          md5sum ~/.ssh/id_rsa
+          
+          cat > hosts/inventory << EOF
+          [master]
+          k3s-server               ansible_host=$k3s_server_public_ip
+          
+          [node]
+          db-server                ansible_host=$db_server_public_ip
+          
+          [all:vars]
+          ansible_port=22
+          ansible_ssh_user=ubuntu
+          ansible_ssh_private_key_file=~/.ssh/id_rsa
+          ansible_host_key_checking=False
+          dns_ak=$DNS_AK
+          dns_sk=$DNS_SK
+          keycloak_ui_password=$OIDC_ADMIN_PASSWORD
+          lb_ip=$k3s_server_public_ip
+          EOF
+          ansible-playbook -i hosts/inventory jobs/init_keycloak -D

.github/workflows/pulumi-cloud-resource-postgresql.yml

@@ -0,0 +1,67 @@
+name: setup mysql 
+
+on:
+  workflow_dispatch:
+    branches: [ 'main' ]
+
+env:
+  DNS_AK: ${{ secrets.DNS_AK }}
+  DNS_SK: ${{ secrets.DNS_SK }}
+  SSH_PUBLIC_KEY: ${{ secrets.SSH_PUBLIC_KEY }}
+  SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
+  AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY }}
+  AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_KEY }}
+  PULUMI_CONFIG_PASSPHRASE: ${{ secrets.PULUMI_PASS }}
+  PULUMI_DISABLE_CI_DETECTION: true
+  AWS_REGION: ap-east-1
+
+defaults:
+  run:
+    working-directory: ./playbook
+
+jobs:
+  k3s-cluster:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: run playbook
+        shell: bash
+        run: |
+          export ANSIBLE_HOST_KEY_CHECKING=False
+
+          sudo apt install jq ansible -y
+          sudo rm -rvf /home/runner/.pulumi/
+          curl -o setup.sh https://get.pulumi.com && sh setup.sh --version 3.57.0
+
+          pulumi login s3://pulumi-aws-dev
+          pulumi stack select dev
+
+          db_server_public_ip=`pulumi stack output --json | jq '.db_server_public_ip'`
+          k3s_server_public_ip=`pulumi stack output --json | jq '.k3s_server_public_ip'`
+          
+          mkdir -pv ~/.ssh/
+          cat > ~/.ssh/id_rsa << EOF
+          ${SSH_PRIVATE_KEY}
+          EOF
+          sudo chmod 0400 ~/.ssh/id_rsa
+          md5sum ~/.ssh/id_rsa
+          
+          cat > hosts/inventory << EOF
+          [master]
+          k3s-server               ansible_host=$k3s_server_public_ip
+          
+          [node]
+          db-server                ansible_host=$db_server_public_ip
+          
+          [all:vars]
+          ansible_port=22
+          ansible_ssh_user=ubuntu
+          ansible_ssh_private_key_file=~/.ssh/id_rsa
+          ansible_host_key_checking=False
+          dns_ak=$DNS_AK
+          dns_sk=$DNS_SK
+          lb_ip=$k3s_server_public_ip
+          EOF
+          ansible-playbook -i hosts/inventory jobs/init_postgresql -D

playbook/jobs/init_keycloak

@@ -0,0 +1,13 @@
+- name: setup redis 
+  hosts: all
+  user: root
+  become: yes
+  gather_facts: yes
+  tasks:
+    - include_role:
+        name: keycloak
+      vars:
+        group: master
+        namespace: itsm
+        domain: onwalk.net
+        secret: keycloak-tls

playbook/jobs/init_postgresql

@@ -0,0 +1,10 @@
+- name: set postgresql
+  hosts: all
+  user: root
+  become: yes
+  gather_facts: yes
+  tasks:
+    - include_role:
+        name: postgresql
+      vars:
+        group: master

playbook/roles/keycloak/files/setup-keycloak.sh

@@ -0,0 +1,33 @@
+#!/bin/bash
+
+export keycloak_db_password=$1
+export keycloak_ui_password=$2
+export domain=$3
+export secret=$4
+export namespace=$5
+
+cat > keycloak-vaules.yaml << EOF
+postgresql:
+  enabled: false
+ingress:
+  enabled: true
+  ingressClassName: "nginx"
+  hostname: keycloak.${domain}
+  tls: true
+  extraTls:
+  - hosts:
+      - keycloak.${domain}
+    secretName: $secret
+auth:
+  adminPassword: "$keycloak_ui_password"
+externalDatabase:
+  host: "postgresql.database.svc.cluster.local"
+  port: 5432
+  user: keycloak
+  database: keycloak
+  password: "$keycloak_db_password"
+EOF
+
+helm repo add bitnami https://charts.bitnami.com/bitnami
+helm repo update
+helm upgrade --install keycloak bitnami/keycloak -n $namespace --create-namespace -f keycloak-vaules.yaml

playbook/roles/keycloak/meta/main.yml

@@ -0,0 +1,3 @@
+dependencies:
+  - role: cert-manager
+  - role: postgresql

playbook/roles/keycloak/tasks/main.yml

@@ -0,0 +1,13 @@
+- name: get db password
+  shell: 'kubectl get secret --namespace database postgresql -o jsonpath="{.data.postgres-password}" | base64 -d' 
+  register: command_raw
+  when: inventory_hostname in groups[group][0]
+
+- name: set fact join command
+  set_fact:
+    keycloak_db_password : "{{ command_raw.stdout_lines[0] }}"
+  when: inventory_hostname in groups[group][0]
+
+- name: Setup Keycloak Server
+  script: files/setup-keycloak.sh {{ hostvars[groups[group][0]].keycloak_db_password }} {{ keycloak_ui_password }} {{ domain }} {{ secret }} {{ namespace }} 
+  when: inventory_hostname in groups[group]

playbook/roles/mysql/files/setup-mysql.sh

@@ -1,4 +1,6 @@
-helm repo add bitnami https://charts.bitnami.com/bitnami
+#!/bin/bash
+
+helm repo add bitnami https://charts.bitnami.com/bitnami || echo true
 helm repo up
-kubectl create ns database
+kubectl create ns database || echo true
 helm upgrade --install mysql bitnami/mysql -n database

playbook/roles/postgresql/files/setup-postgresql.sh

@@ -0,0 +1,6 @@
+#!/bin/bash
+
+helm repo add bitnami https://charts.bitnami.com/bitnami || echo true
+helm repo up
+kubectl create ns database || echo true
+helm upgrade --install postgresql bitnami/postgresql -n database

playbook/roles/postgresql/tasks/main.yml

@@ -0,0 +1,3 @@
+- name: Setup PostgreSQL Server
+  script: setup-postgresql.sh  
+  when: inventory_hostname in groups[group]