diff --git a/.github/workflows/pulumi-cloud-resource-keycloak.yml b/.github/workflows/pulumi-cloud-resource-keycloak.yml
new file mode 100644
index 00000000..66262a2c
--- /dev/null
+++ b/.github/workflows/pulumi-cloud-resource-keycloak.yml
@@ -0,0 +1,68 @@
+name: setup keycloak
+
+on:
+ workflow_dispatch:
+ branches: [ 'main' ]
+
+env:
+ DNS_AK: ${{ secrets.DNS_AK }}
+ DNS_SK: ${{ secrets.DNS_SK }}
+ SSH_PUBLIC_KEY: ${{ secrets.SSH_PUBLIC_KEY }}
+ SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
+ AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY }}
+ AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_KEY }}
+ PULUMI_CONFIG_PASSPHRASE: ${{ secrets.PULUMI_PASS }}
+ PULUMI_DISABLE_CI_DETECTION: true
+ AWS_REGION: ap-east-1
+
+defaults:
+ run:
+ working-directory: ./playbook
+
+jobs:
+ k3s-cluster:
+ runs-on: ubuntu-latest
+
+ steps:
+ - uses: actions/checkout@v3
+
+ - name: run playbook
+ shell: bash
+ run: |
+ export ANSIBLE_HOST_KEY_CHECKING=False
+
+ sudo apt install jq ansible -y
+ sudo rm -rvf /home/runner/.pulumi/
+ curl -o setup.sh https://get.pulumi.com && sh setup.sh --version 3.57.0
+
+ pulumi login s3://pulumi-aws-dev
+ pulumi stack select dev
+
+ db_server_public_ip=`pulumi stack output --json | jq '.db_server_public_ip'`
+ k3s_server_public_ip=`pulumi stack output --json | jq '.k3s_server_public_ip'`
+
+ mkdir -pv ~/.ssh/
+ cat > ~/.ssh/id_rsa << EOF
+ ${SSH_PRIVATE_KEY}
+ EOF
+ sudo chmod 0400 ~/.ssh/id_rsa
+ md5sum ~/.ssh/id_rsa
+
+ cat > hosts/inventory << EOF
+ [master]
+ k3s-server ansible_host=$k3s_server_public_ip
+
+ [node]
+ db-server ansible_host=$db_server_public_ip
+
+ [all:vars]
+ ansible_port=22
+ ansible_ssh_user=ubuntu
+ ansible_ssh_private_key_file=~/.ssh/id_rsa
+ ansible_host_key_checking=False
+ dns_ak=$DNS_AK
+ dns_sk=$DNS_SK
+ keycloak_ui_password=$OIDC_ADMIN_PASSWORD
+ lb_ip=$k3s_server_public_ip
+ EOF
+ ansible-playbook -i hosts/inventory jobs/init_keycloak -D
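Review bot: `keycloak_ui_password=$OIDC_ADMIN_PASSWORD` in the generated inventory expands a variable that the workflow's `env:` block never defines, so the Keycloak admin password is written as an empty value; add it to `env:` (e.g. `OIDC_ADMIN_PASSWORD: ${{ secrets.<secret-name> }}`) and fail early with `: "${OIDC_ADMIN_PASSWORD:?}"` before the heredoc. Because the role's `script:` task later passes this value as a positional argument to setup-keycloak.sh, an empty value presumably also shifts the remaining arguments (domain, secret, namespace) by one position. Separately, `ANSIBLE_HOST_KEY_CHECKING=False` together with `ansible_host_key_checking=False` turns off SSH host-key verification for a session that carries the DNS credentials; populating `~/.ssh/known_hosts` from the hosts' keys (for example recorded as a Pulumi stack output) would keep verification on. `md5sum ~/.ssh/id_rsa` prints a digest of the private key into the job log and can be dropped. The same inventory and host-key settings appear in pulumi-cloud-resource-postgresql.yml in this commit.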
diff --git a/.github/workflows/pulumi-cloud-resource-postgresql.yml b/.github/workflows/pulumi-cloud-resource-postgresql.yml
new file mode 100644
index 00000000..7d40c143
--- /dev/null
+++ b/.github/workflows/pulumi-cloud-resource-postgresql.yml
@@ -0,0 +1,67 @@
+name: setup mysql
+
+on:
+ workflow_dispatch:
+ branches: [ 'main' ]
+
+env:
+ DNS_AK: ${{ secrets.DNS_AK }}
+ DNS_SK: ${{ secrets.DNS_SK }}
+ SSH_PUBLIC_KEY: ${{ secrets.SSH_PUBLIC_KEY }}
+ SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
+ AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY }}
+ AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_KEY }}
+ PULUMI_CONFIG_PASSPHRASE: ${{ secrets.PULUMI_PASS }}
+ PULUMI_DISABLE_CI_DETECTION: true
+ AWS_REGION: ap-east-1
+
+defaults:
+ run:
+ working-directory: ./playbook
+
+jobs:
+ k3s-cluster:
+ runs-on: ubuntu-latest
+
+ steps:
+ - uses: actions/checkout@v3
+
+ - name: run playbook
+ shell: bash
+ run: |
+ export ANSIBLE_HOST_KEY_CHECKING=False
+
+ sudo apt install jq ansible -y
+ sudo rm -rvf /home/runner/.pulumi/
+ curl -o setup.sh https://get.pulumi.com && sh setup.sh --version 3.57.0
+
+ pulumi login s3://pulumi-aws-dev
+ pulumi stack select dev
+
+ db_server_public_ip=`pulumi stack output --json | jq '.db_server_public_ip'`
+ k3s_server_public_ip=`pulumi stack output --json | jq '.k3s_server_public_ip'`
+
+ mkdir -pv ~/.ssh/
+ cat > ~/.ssh/id_rsa << EOF
+ ${SSH_PRIVATE_KEY}
+ EOF
+ sudo chmod 0400 ~/.ssh/id_rsa
+ md5sum ~/.ssh/id_rsa
+
+ cat > hosts/inventory << EOF
+ [master]
+ k3s-server ansible_host=$k3s_server_public_ip
+
+ [node]
+ db-server ansible_host=$db_server_public_ip
+
+ [all:vars]
+ ansible_port=22
+ ansible_ssh_user=ubuntu
+ ansible_ssh_private_key_file=~/.ssh/id_rsa
+ ansible_host_key_checking=False
+ dns_ak=$DNS_AK
+ dns_sk=$DNS_SK
+ lb_ip=$k3s_server_public_ip
+ EOF
+ ansible-playbook -i hosts/inventory jobs/init_postgresql -D
diff --git a/playbook/jobs/init_keycloak b/playbook/jobs/init_keycloak
new file mode 100644
index 00000000..2b53edc3
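Review bot: `name: setup mysql` labels a workflow whose only action is `ansible-playbook -i hosts/inventory jobs/init_postgresql -D`, so the Actions UI will show a misleading run name; use `name: setup postgresql`. The job id `k3s-cluster` is likewise copied from the keycloak workflow and could name the component it actually deploys. `SSH_PUBLIC_KEY` is exported into the job environment but never read by the `run:` step, so it can be removed from `env:`.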
--- /dev/null
+++ b/playbook/jobs/init_keycloak
@@ -0,0 +1,13 @@
+- name: setup redis
+ hosts: all
+ user: root
+ become: yes
+ gather_facts: yes
+ tasks:
+ - include_role:
+ name: keycloak
+ vars:
+ group: master
+ namespace: itsm
+ domain: onwalk.net
+ secret: keycloak-tls
diff --git a/playbook/jobs/init_postgresql b/playbook/jobs/init_postgresql
new file mode 100644
index 00000000..f380adee
--- /dev/null
+++ b/playbook/jobs/init_postgresql
@@ -0,0 +1,10 @@
+- name: set postgresql
+ hosts: all
+ user: root
+ become: yes
+ gather_facts: yes
+ tasks:
+ - include_role:
+ name: postgresql
+ vars:
+ group: master
diff --git a/playbook/roles/keycloak/files/setup-keycloak.sh b/playbook/roles/keycloak/files/setup-keycloak.sh
new file mode 100644
index 00000000..458cecf5
--- /dev/null
+++ b/playbook/roles/keycloak/files/setup-keycloak.sh
@@ -0,0 +1,33 @@
+#!/bin/bash
+
+export keycloak_db_password=$1
+export keycloak_ui_password=$2
+export domain=$3
+export secret=$4
+export namespace=$5
+
+cat > keycloak-vaules.yaml << EOF
+postgresql:
+ enabled: false
+ingress:
+ enabled: true
+ ingressClassName: "nginx"
+ hostname: keycloak.${domain}
+ tls: true
+ extraTls:
+ - hosts:
+ - keycloak.${domain}
+ secretName: $secret
+auth:
+ adminPassword: "$keycloak_ui_password"
+externalDatabase:
+ host: "postgresql.database.svc.cluster.local"
+ port: 5432
+ user: keycloak
+ database: keycloak
+ password: "$keycloak_db_password"
+EOF
+
+helm repo add bitnami https://charts.bitnami.com/bitnami
+helm repo update
+helm upgrade --install keycloak bitnami/keycloak -n $namespace --create-namespace -f keycloak-vaules.yaml
diff --git a/playbook/roles/keycloak/meta/main.yml b/playbook/roles/keycloak/meta/main.yml
new file mode 100644
index 00000000..b49ac175
--- /dev/null
+++ b/playbook/roles/keycloak/meta/main.yml
@@ -0,0 +1,3 @@
+dependencies:
+ - role: cert-manager
+ - role: postgresql
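Review bot: `name: setup redis` describes a play that only includes the `keycloak` role, so run output will report the wrong component; use `name: setup keycloak`. `user: root` is the old spelling of `remote_user`, and the inventory generated by the workflow sets `ansible_ssh_user=ubuntu`, which I believe takes precedence over the play keyword — if root login is not actually intended, drop the line and rely on `become`. `become: yes` and `gather_facts: yes` are YAML 1.1 truthy spellings; `become: true` / `gather_facts: true` is the form ansible-lint and yamllint accept without warnings. The same points apply to `jobs/init_postgresql` in this commit.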
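Review bot: The script writes both the database password and the admin password in clear text to `keycloak-vaules.yaml` in the working directory under the default umask and never deletes it, so the credentials remain on the k3s host after the run; create the values file with `mktemp` under `umask 077` and remove it on exit, as sketched below. There is no `set -e`, so a failed `helm repo add` or `helm repo update` still proceeds to `helm upgrade`, and `-n $namespace` is unquoted; `|| true` on `helm repo add` mirrors the tolerance the mysql and postgresql scripts already add for an existing repo. The passwords taken from `$1`/`$2` are also visible in the host's process list while the script runs; that is determined by the `script:` task in `tasks/main.yml` and would need the values passed through `environment:` instead. The misspelled file name is harmless but worth fixing while here.
```shell
#!/bin/bash
set -euo pipefail

# … unchanged: exports of keycloak_db_password, keycloak_ui_password, domain, secret, namespace …

umask 077
values_file=$(mktemp)
trap 'rm -f "$values_file"' EXIT

cat > "$values_file" << EOF
# … unchanged: chart values …
EOF

helm repo add bitnami https://charts.bitnami.com/bitnami || true
helm repo update
helm upgrade --install keycloak bitnami/keycloak -n "$namespace" --create-namespace -f "$values_file"
```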
diff --git a/playbook/roles/keycloak/tasks/main.yml b/playbook/roles/keycloak/tasks/main.yml
new file mode 100755
index 00000000..e0084352
--- /dev/null
+++ b/playbook/roles/keycloak/tasks/main.yml
@@ -0,0 +1,13 @@
+- name: get db password
+ shell: 'kubectl get secret --namespace database postgresql -o jsonpath="{.data.postgres-password}" | base64 -d'
+ register: command_raw
+ when: inventory_hostname in groups[group][0]
+
+- name: set fact join command
+ set_fact:
+ keycloak_db_password : "{{ command_raw.stdout_lines[0] }}"
+ when: inventory_hostname in groups[group][0]
+
+- name: Setup Keycloak Server
+ script: files/setup-keycloak.sh {{ hostvars[groups[group][0]].keycloak_db_password }} {{ keycloak_ui_password }} {{ domain }} {{ secret }} {{ namespace }}
+ when: inventory_hostname in groups[group]
diff --git a/playbook/roles/mysql/files/setup-mysql.sh b/playbook/roles/mysql/files/setup-mysql.sh
index 9c5abc15..563a99eb 100644
--- a/playbook/roles/mysql/files/setup-mysql.sh
+++ b/playbook/roles/mysql/files/setup-mysql.sh
@@ -1,4 +1,6 @@
-helm repo add bitnami https://charts.bitnami.com/bitnami
+#!/bin/bash
+
+helm repo add bitnami https://charts.bitnami.com/bitnami || echo true
 helm repo up
-kubectl create ns database
+kubectl create ns database || echo true
 helm upgrade --install mysql bitnami/mysql -n database
diff --git a/playbook/roles/postgresql/files/setup-postgresql.sh b/playbook/roles/postgresql/files/setup-postgresql.sh
new file mode 100644
index 00000000..e3cc3234
--- /dev/null
+++ b/playbook/roles/postgresql/files/setup-postgresql.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+helm repo add bitnami https://charts.bitnami.com/bitnami || echo true
+helm repo up
+kubectl create ns database || echo true
+helm upgrade --install postgresql bitnami/postgresql -n database
diff --git a/playbook/roles/postgresql/tasks/main.yml b/playbook/roles/postgresql/tasks/main.yml
new file mode 100755
index 00000000..45ed79a4
--- /dev/null
+++ b/playbook/roles/postgresql/tasks/main.yml
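Review bot: The `get db password` and `set fact join command` tasks register and template the PostgreSQL password without `no_log: true`, so the value is printed in verbose runs, and the `script:` task puts both passwords on the command line where they appear in the task banner and in the host's process list; add `no_log: true` to all three tasks and prefer passing the secrets through `environment:` rather than as positional arguments. `when: inventory_hostname in groups[group][0]` compares against a single hostname string, so `in` is a substring test (a host named `k3s` would match `k3s-server`); use `when: inventory_hostname == groups[group][0]` in both places. The `shell` task only reads a secret and should carry `changed_when: false`. `keycloak_db_password : "{{ ... }}"` has a space before the colon, which yamllint flags; `keycloak_db_password: "{{ command_raw.stdout }}"` also avoids indexing `stdout_lines` when the command returns nothing, and the task name "set fact join command" looks copied from another role.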
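Review bot: `|| echo true` after `helm repo add` and `kubectl create ns database` swallows every failure of those commands, not only the "already exists" case, so the script continues without a repo or namespace on a real error; `|| true` is the idiomatic no-op, and `kubectl create ns database --dry-run=client -o yaml | kubectl apply -f -` is the idempotent form that still fails on genuine errors. Adding `set -euo pipefail` after the new shebang would then stop the script before `helm upgrade` when `helm repo up` fails. The new `setup-postgresql.sh` in this commit uses the same pattern.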
@@ -0,0 +1,3 @@
+- name: Setup PostgreSQL Server
+ script: setup-postgresql.sh
+ when: inventory_hostname in groups[group]
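Review bot: `when: inventory_hostname in groups[group]` runs `setup-postgresql.sh` on every host in the group, so with more than one master the same `postgresql` release would be installed concurrently from several hosts; limiting it to `groups[group][0]`, which is the host the keycloak role later reads the generated secret from, or adding `run_once: true`, avoids the race. The generated inventory has a single-host `[master]` group today, so this only matters if the group grows.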