SC-55: added separate keycloak instance for k8s-RBAC purpose

group_vars/stage_dev/plain.yml

@@ -307,9 +307,6 @@ webdav_jwt_secret: "5646aee6dadc4c19b15f4b65f1e6549f"
 iam_jwt_enabled: true
 iam_jwt_secret: "456ae14462d049d3be76439ef379c7c6"
 
-keycloak_admin_username: "keycloak-admin"
-keycloak_admin_password: "keycloak-admin"
-
 # Note: all dollar signs in the hash need to be doubled for escaping.
 # To create user:password pair, it's possible to use this command:
 # echo $(htpasswd -nb user password) | sed -e s/\\$/\\$\\$/g

group_vars/stage_devscr/keycloak.yml

@@ -0,0 +1,5 @@
+---
+keycloak_version: 18.0.2-legacy
+keycloak_image: quay.io/keycloak/keycloak
+
+keycloak_server_url: "https://{{ shared_service_keycloak_hostname }}"

group_vars/stage_devscr/plain.yml

@@ -17,6 +17,18 @@ default_plattform_users:
 
 # TODO read configuration with hetzner rest api
 shared_service_network: "10.1.0.0/16"
+shared_service_pg_master_ip: "{{ stage_server_infos
+  | selectattr('name', 'match', stage + '-postgres-01' )
+  | map(attribute='private_ip')
+  | list
+  | first
+  | default('-') }}"
+shared_service_keycloak_ip: "{{ stage_server_infos
+  | selectattr('name', 'match', stage + '-keycloak-01' )
+  | map(attribute='private_ip')
+  | list
+  | first
+  | default('-') }}"
 shared_service_kube_cpl_01: "{{ stage_server_infos
   | selectattr('name', 'match', stage + '-kube-cpl-01' )
   | map(attribute='private_ip')
@@ -55,6 +67,11 @@ shared_service_kube_node_03: "{{ stage_server_infos
   | default('-') }}"
 
 shared_service_kube_ip: "{{ stage_private_ingress_loadbalancer_ip | default('-') }}"
+shared_service_postgres_01_hostname: "{{ stage }}-postgres-01"
+shared_service_keycloak_hostname: "{{ stage }}-keycloak-01.{{ domain }}"
+# following server does not exist
+# but needs to be set for configuring keycloak realms ... crap
+shared_service_mail_hostname: "{{ stage }}-mail-01.{{ domain }}"
 
 kube_cpl_01_hostname: "{{ stage }}-kube-cpl-01.{{ domain }}"
 kube_cpl_02_hostname: "{{ stage }}-kube-cpl-02.{{ domain }}"
@@ -72,6 +89,10 @@ shared_service_hosts: [
     ip: "127.0.1.1",
     name: "{{ inventory_hostname }}"
   },
+  {
+    ip: "{{ shared_service_pg_master_ip }}",
+    name: "{{ shared_service_postgres_01_hostname }}"
+  },
   {
     ip: "{{ shared_service_kube_cpl_01 }}",
     name: "{{ kube_cpl_01_hostname }}"
@@ -108,6 +129,10 @@ shared_service_hosts: [
     ip: "{{ shared_service_kube_ip }}",
     name: "{{ shared_service_kube_harbor_hostname }}"
   },
+  {
+    ip: "{{ shared_service_keycloak_ip }}",
+    name: "{{ shared_service_keycloak_hostname }}"
+  }
 ]
 
 netgo_msteams_hook_cd: "{{ netgo_msteams_hook_cd_vault }}"

group_vars/stage_prodnso/plain.yml

@@ -307,14 +307,8 @@ webdav_jwt_secret: "5646aee6dadc4c19b15f4b65f1e6549f"
 iam_jwt_enabled: true
 iam_jwt_secret: "456ae14462d049d3be76439ef379c7c6"
 
-keycloak_admin_username: "keycloak-admin"
 keycloak_admin_password: "{{ keycloak_admin_password_vault }}"
 
-# Note: all dollar signs in the hash need to be doubled for escaping.
-# To create user:password pair, it's possible to use this command:
-# echo $(htpasswd -nb user password) | sed -e s/\\$/\\$\\$/g
-# TODO should be part of the automation (htpasswd -nb traefik-admin traefik-admin)
-traefik_admin_username: "traefik-admin"
 traefik_admin_password: "{{ traefik_admin_password_vault }}"
 
 grafana_admin_username: "grafana-admin"

group_vars/stage_qa/plain.yml

@@ -307,14 +307,8 @@ webdav_jwt_secret: "5646aee6dadc4c19b15f4b65f1e6549f"
 iam_jwt_enabled: true
 iam_jwt_secret: "456ae14462d049d3be76439ef379c7c6"
 
-keycloak_admin_username: "keycloak-admin"
 keycloak_admin_password: "{{ keycloak_admin_password_vault }}"
 
-# Note: all dollar signs in the hash need to be doubled for escaping.
-# To create user:password pair, it's possible to use this command:
-# echo $(htpasswd -nb user password) | sed -e s/\\$/\\$\\$/g
-# TODO should be part of the automation (htpasswd -nb traefik-admin traefik-admin)
-traefik_admin_username: "traefik-admin"
 traefik_admin_password: "{{ traefik_admin_password_vault }}"
 
 grafana_admin_username: "grafana-admin"

host_vars/devscr-keycloak-01.yml

@@ -0,0 +1,6 @@
+---
+
+
+filebeat_enabled: false
+
+pg_backup_hcloud: false

host_vars/devscr-postgres-01.yml

@@ -0,0 +1,4 @@
+---
+
+server_type: "master"
+filebeat_enabled: false

roles/keycloak/defaults/main.yml

@@ -3,5 +3,8 @@
 # TODO doesn't bind to local port (currently used by setup keycloak with ansible)
 service_port_keycloak_external: "8110"
 
+keycloak_admin_username: "keycloak-admin"
+keycloak_admin_password: "keycloak-admin"
+
 keycloak_version: "14.0.0.1"
 keycloak_image: "{{ shared_service_harbor_hostname }}/smardigo/keycloak"

roles/postgres/defaults/main.yml

@@ -367,6 +367,8 @@ postgres_exporter_additional_queries:
           usage: "COUNTER"
           description: "Total time the statement spent writing blocks, in milliseconds (if track_io_timing is enabled, otherwise zero)"
 
+pg_backup_hcloud: true
+
 database_engine: postgres
 backup_dest_dir: "{{ backup_directory }}/{{ database_engine }}/{{ get_current_date }}"
 backup_status_file: '{{ backup_dest_dir }}/backup_finished'

roles/postgres/tasks/base-requirements_backup.yml

@@ -14,6 +14,9 @@
   register: created_volume
   delegate_to: localhost
   become: false
+  when:
+    - pg_backup_hcloud is defined
+    - pg_backup_hcloud
 
 - name: "Getting all hcloud volumes for"
   hcloud_volume_info:

roles/postgres/tasks/master-requirements.yml

@@ -27,6 +27,7 @@
     line: "host    replication     replicator      {{ shared_service_pg_slave_ip }}/32     trust"
     path: /etc/postgresql/{{ default_postgres_version }}/main/pg_hba.conf
   register: pg_hba_conf_replicator
+  when: shared_service_pg_slave_ip is defined
 
 - name: Set 'wal_level = replica' for master postgresql instance
   lineinfile:
@@ -81,6 +82,7 @@
     line: "/postgresql/replication/ {{ shared_service_pg_slave_ip }}/32(rw,crossmnt,root_squash,no_subtree_check,sync)"
     state: present
   register: nfsshare_archive_check
+  when: shared_service_pg_slave_ip is defined
 
 - name: Restart nfs-server if necessary # noqa no-handler
   service:

roles/traefik/defaults/main.yml

@@ -2,3 +2,10 @@
 
 traefik_image_name: "traefik"
 traefik_image_version: "v2.6"
+
+# Note: all dollar signs in the hash need to be doubled for escaping.
+# To create user:password pair, it's possible to use this command:
+# echo $(htpasswd -nb user password) | sed -e s/\\$/\\$\\$/g
+# TODO should be part of the automation (htpasswd -nb <username> <password>)
+traefik_admin_username: "traefik-admin"
+traefik_admin_password: "$apr1$nJfFcFaI$ylS3Qa9BWAvhrMo5tWiD9."

stage-devscr

@@ -1,3 +1,9 @@
+[keycloak]
+devscr-keycloak-01
+
+[postgres]
+devscr-postgres-01
+
 [kube_control_plane]
 devscr-kube-cpl-01
 devscr-kube-cpl-02
@@ -22,6 +28,8 @@ kube_node
 
 [stage_devscr:children]
 k8s_cluster
+keycloak
+postgres
 
 [all:children]
 stage_devscr