feat(keycloak): add Keycloak module and Nomad job specification

2025-02-20 12:01:39 +00:00 · 2025-02-20 12:01:39 +00:00 · 545d451d92
commit 545d451d92
parent e0fdb684fb
3 changed files with 128 additions and 0 deletions
--- a/modules/keycloak/jobspec.nomad.hcl
+++ b/modules/keycloak/jobspec.nomad.hcl
@ -0,0 +1,121 @@
+job "keycloak" {
+
+  group "keycloak" {
+
+    network {
+      mode = "bridge"
+      port "http" {
+        to = 8080
+      }
+      port "envoy_metrics" {
+        to = 9102
+      }
+    }
+
+    service {
+      provider = "consul"
+      port     = "8080"
+
+      meta {
+        envoy_metrics_port = "${NOMAD_HOST_PORT_envoy_metrics}"
+      }
+
+      connect {
+        sidecar_service {
+          proxy {
+            config {
+              protocol = "http"
+            }
+            expose {
+              path {
+                path            = "/metrics"
+                protocol        = "http"
+                local_path_port = 9102
+                listener_port   = "envoy_metrics"
+              }
+            }
+            transparent_proxy {}
+          }
+        }
+      }
+    }
+
+    task "keycloak" {
+      driver = "docker"
+
+      config {
+        image = "quay.io/keycloak/keycloak:26.1.2"
+
+        args = ["start"]
+      }
+
+      env = {
+        KC_DB = "postgres"
+        KC_DB_USERNAME = "keycloak"
+        KC_DB_URL_HOST = "martinibar.lan"
+        KC_DB_URL_PORT = "5433"
+        KC_DB_URL_PROPERTIES = "?sslmode=disable"
+        KC_DB_URL_DATABASE = "keycloak"
+        KC_HTTP_ENABLED = "true"
+        KC_PROXY_HEADERS = "xforwarded"
+        KC_HTTP_HOST = "127.0.0.1"
+        KC_HOSTNAME = "keycloak.brmartin.co.uk"
+      }
+
+      resources {
+        cpu        = 500
+        memory     = 512
+      }
+
+      template {
+        data = <<-EOF
+          {{ with nomadVar "nomad/jobs/keycloak/keycloak/keycloak" }}
+          KC_DB_PASSWORD={{.keycloak_db_password}}
+          {{ end }}
+          EOF
+
+        destination = "secrets/file.env"
+        env         = true
+      }
+    }
+
+    meta = {
+      "service.name" = "keycloak"
+    }
+  }
+
+  group "keycloak-ingress-group" {
+
+    network {
+      mode = "bridge"
+      port "inbound" {
+        to = 8080
+      }
+    }
+
+    service {
+      port = "inbound"
+      tags = [
+        "traefik.enable=true",
+
+        "traefik.http.routers.keycloak.rule=Host(`keycloak.brmartin.co.uk`)",
+        "traefik.http.routers.keycloak.entrypoints=websecure",
+      ]
+
+      connect {
+        gateway {
+          ingress {
+            listener {
+              port     = 8080
+              protocol = "http"
+              service {
+                name  = "keycloak-keycloak"
+                hosts = ["*"]
+              }
+            }
+          }
+        }
+      }
+    }
+  }
+}
--- a/modules/keycloak/main.tf
+++ b/modules/keycloak/main.tf
@ -0,0 +1,3 @@
+resource "nomad_job" "keycloak" {
+  jobspec = file("${path.module}/jobspec.nomad.hcl")
+}