Apply Composer changes: comprehensive API updates, migrations, middleware, and infrastructure improvements

- Add comprehensive database migrations (001-024) for schema evolution
- Enhance API schema with expanded type definitions and resolvers
- Add new middleware: audit logging, rate limiting, MFA enforcement, security, tenant auth
- Implement new services: AI optimization, billing, blockchain, compliance, marketplace
- Add adapter layer for cloud integrations (Cloudflare, Kubernetes, Proxmox, storage)
- Update Crossplane provider with enhanced VM management capabilities
- Add comprehensive test suite for API endpoints and services
- Update frontend components with improved GraphQL subscriptions and real-time updates
- Enhance security configurations and headers (CSP, CORS, etc.)
- Update documentation and configuration files
- Add new CI/CD workflows and validation scripts
- Implement design system improvements and UI enhancements
defiQUG
2025-12-12 18:01:35 -08:00
parent e01131efaf
commit 9daf1fd378
968 changed files with 160890 additions and 1092 deletions


@@ -0,0 +1,21 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: keycloak
namespace: argocd
spec:
project: default
source:
repoURL: https://github.com/sankofa/sankofa-phoenix-gitops
targetRevision: main
path: gitops/apps/keycloak
destination:
server: https://kubernetes.default.svc
namespace: keycloak
syncPolicy:
automated:
prune: true
selfHeal: true
syncOptions:
- CreateNamespace=true
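Review bot: `targetRevision: main` together with `automated.prune: true` and `selfHeal: true` means anything merged to the branch reaches the cluster immediately, and any manifest dropped from `gitops/apps/keycloak` is deleted without a second look. That is acceptable only if the branch is protected and reviewed; otherwise pin `targetRevision` to a tag or leave `prune` off until the app is stable. A comment such as `# automated sync from main with prune: branch protection is the only gate before the cluster` would make the trade-off explicit to the next reader.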


@@ -0,0 +1,132 @@
apiVersion: v1
kind: Secret
metadata:
name: keycloak-credentials
namespace: keycloak
type: Opaque
stringData:
username: admin
password: ${KEYCLOAK_ADMIN_PASSWORD:-change-me}
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: keycloak
namespace: keycloak
spec:
replicas: 1
selector:
matchLabels:
app: keycloak
template:
metadata:
labels:
app: keycloak
spec:
containers:
- name: keycloak
image: quay.io/keycloak/keycloak:23.0
args:
- start
- --optimized
- --db=postgres
- --db-url-host=keycloak-postgres
- --db-url-port=5432
- --db-username=$(DB_USERNAME)
- --db-password=$(DB_PASSWORD)
- --db-url-database=keycloak
- --http-relative-path=/
- --proxy-headers=xforwarded
- --hostname-strict=false
- --hostname-strict-https=false
env:
- name: KEYCLOAK_ADMIN
valueFrom:
secretKeyRef:
name: keycloak-credentials
key: username
- name: KEYCLOAK_ADMIN_PASSWORD
valueFrom:
secretKeyRef:
name: keycloak-credentials
key: password
- name: DB_USERNAME
valueFrom:
secretKeyRef:
name: keycloak-db-credentials
key: username
- name: DB_PASSWORD
valueFrom:
secretKeyRef:
name: keycloak-db-credentials
key: password
- name: KEYCLOAK_MULTI_REALM
value: "true"
ports:
- containerPort: 8080
name: http
- containerPort: 8443
name: https
livenessProbe:
httpGet:
path: /health/live
port: 8080
initialDelaySeconds: 60
periodSeconds: 30
readinessProbe:
httpGet:
path: /health/ready
port: 8080
initialDelaySeconds: 60
periodSeconds: 30
resources:
requests:
memory: "512Mi"
cpu: "500m"
limits:
memory: "1Gi"
cpu: "1000m"
---
apiVersion: v1
kind: Service
metadata:
name: keycloak
namespace: keycloak
spec:
selector:
app: keycloak
ports:
- port: 8080
targetPort: 8080
name: http
- port: 8443
targetPort: 8443
name: https
type: ClusterIP
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: keycloak
namespace: keycloak
annotations:
cert-manager.io/cluster-issuer: letsencrypt-prod
nginx.ingress.kubernetes.io/ssl-redirect: "true"
spec:
ingressClassName: nginx
tls:
- hosts:
- keycloak.sankofa.nexus
secretName: keycloak-tls
rules:
- host: keycloak.sankofa.nexus
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: keycloak
port:
number: 8080
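Review bot: The Secret's `password: ${KEYCLOAK_ADMIN_PASSWORD:-change-me}` is shell parameter-expansion syntax that neither Kubernetes nor Argo CD evaluates, so unless a templating step runs before sync the literal string `${KEYCLOAK_ADMIN_PASSWORD:-change-me}` becomes the Keycloak admin password, and it is committed to the GitOps repo either way; the `keycloak-db-credentials` Secret in the postgres manifest has the same problem. Prefer a secret created out of band or an external-secret operator and drop the Secret object from the repo. The liveness/readiness probes target `/health/live` and `/health/ready`, but Keycloak only serves those when the build option `--health-enabled=true` is set, which is absent from `args`, so the pod will most likely never pass readiness. `start --optimized` also skips the build step, so `--db=postgres` against the stock `quay.io/keycloak/keycloak:23.0` image will be rejected, and as far as I recall `--proxy-headers` only arrived in Keycloak 24 (23 uses `--proxy=edge`) — both worth checking against the 23.0 docs. Finally `--hostname-strict=false` with `--hostname-strict-https=false` disables hostname validation on a public Ingress; set `--hostname=keycloak.sankofa.nexus` instead.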


@@ -0,0 +1,87 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: keycloak-client-config
namespace: keycloak
data:
# Client configuration script for Keycloak
configure-clients.sh: |
#!/bin/bash
# Configure Keycloak clients via REST API
# This should be run after Keycloak is deployed
KEYCLOAK_URL="${KEYCLOAK_URL:-http://localhost:8080}"
ADMIN_USER="${KEYCLOAK_ADMIN:-admin}"
ADMIN_PASSWORD="${KEYCLOAK_ADMIN_PASSWORD:-admin}"
REALM="${REALM:-master}"
# Get admin token
TOKEN=$(curl -s -X POST "${KEYCLOAK_URL}/realms/${REALM}/protocol/openid-connect/token" \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "username=${ADMIN_USER}" \
-d "password=${ADMIN_PASSWORD}" \
-d "grant_type=password" \
-d "client_id=admin-cli" | jq -r '.access_token')
if [ "$TOKEN" == "null" ] || [ -z "$TOKEN" ]; then
echo "Failed to get admin token"
exit 1
fi
# Create sankofa-api client (confidential)
curl -s -X POST "${KEYCLOAK_URL}/admin/realms/${REALM}/clients" \
-H "Authorization: Bearer ${TOKEN}" \
-H "Content-Type: application/json" \
-d '{
"clientId": "sankofa-api",
"name": "Sankofa API Client",
"description": "GraphQL API backend client",
"enabled": true,
"clientAuthenticatorType": "client-secret",
"secret": "'${SANKOFA_API_CLIENT_SECRET:-generate-me}'",
"standardFlowEnabled": false,
"implicitFlowEnabled": false,
"directAccessGrantsEnabled": true,
"serviceAccountsEnabled": true,
"publicClient": false,
"protocol": "openid-connect",
"attributes": {
"access.token.lifespan": "300",
"client.secret.creation.time": "'$(date +%s)'"
}
}'
# Create portal-client (confidential)
curl -s -X POST "${KEYCLOAK_URL}/admin/realms/${REALM}/clients" \
-H "Authorization: Bearer ${TOKEN}" \
-H "Content-Type: application/json" \
-d '{
"clientId": "portal-client",
"name": "Sankofa Portal Client",
"description": "Portal frontend client",
"enabled": true,
"clientAuthenticatorType": "client-secret",
"secret": "'${PORTAL_CLIENT_SECRET:-generate-me}'",
"standardFlowEnabled": true,
"implicitFlowEnabled": false,
"directAccessGrantsEnabled": true,
"serviceAccountsEnabled": false,
"publicClient": false,
"protocol": "openid-connect",
"redirectUris": [
"http://localhost:3000/*",
"https://portal.sankofa.nexus/*",
"https://*.sankofa.nexus/*"
],
"webOrigins": [
"http://localhost:3000",
"https://portal.sankofa.nexus",
"https://*.sankofa.nexus"
],
"attributes": {
"access.token.lifespan": "1800"
}
}'
echo "Keycloak clients configured successfully"
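Review bot: `portal-client` registers the wildcard redirect `https://*.sankofa.nexus/*` plus a plain-HTTP `http://localhost:3000/*` entry in what appears to be the production realm; a wildcard lets any host under the domain receive authorization codes, so list the exact portal origin(s) and keep the localhost entry in a dev-only overlay. Both clients set `"directAccessGrantsEnabled": true`, i.e. the password grant, which the service-account API client should not need and the browser portal should not use — set both to `false` unless a caller is known to depend on it. The client secrets are spliced in from `${SANKOFA_API_CLIENT_SECRET:-generate-me}` and `${PORTAL_CLIENT_SECRET:-generate-me}`, so an unset variable silently registers the fixed secret `generate-me`, and the admin password goes on the curl command line as a `-d` argument where it is visible in the process list; fail early with `: "${SANKOFA_API_CLIENT_SECRET:?required}"` (likewise for the other two) and pass credentials through a curl config file (`-K`) instead. Neither client POST checks the HTTP status, so the closing `echo "Keycloak clients configured successfully"` runs even after a 401 or a 409 from a re-run; add `set -euo pipefail` and `curl -fsS` (or inspect the status code) so failures surface.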


@@ -0,0 +1,8 @@
apiVersion: v1
kind: Namespace
metadata:
name: keycloak
labels:
app: keycloak
component: identity
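Review bot: The namespace carries only `app`/`component` labels; since it hosts the identity provider and neither the Keycloak Deployment nor the Postgres StatefulSet in this commit declares a `securityContext`, consider adding Pod Security Admission labels, at least `pod-security.kubernetes.io/enforce: baseline`, so the workloads are checked at admission (`restricted` once `runAsNonRoot`/`fsGroup` are set on both pods). A comment such as `# PSA level for the identity tier; tighten once workloads set securityContext` would record the intent.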


@@ -0,0 +1,90 @@
apiVersion: v1
kind: Secret
metadata:
name: keycloak-db-credentials
namespace: keycloak
type: Opaque
stringData:
username: keycloak
password: ${KEYCLOAK_DB_PASSWORD:-change-me}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: keycloak-db-config
namespace: keycloak
data:
POSTGRES_DB: keycloak
POSTGRES_USER: keycloak
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: keycloak-postgres
namespace: keycloak
spec:
serviceName: keycloak-postgres
replicas: 1
selector:
matchLabels:
app: keycloak-postgres
template:
metadata:
labels:
app: keycloak-postgres
spec:
containers:
- name: postgres
image: postgres:15-alpine
env:
- name: POSTGRES_DB
valueFrom:
configMapKeyRef:
name: keycloak-db-config
key: POSTGRES_DB
- name: POSTGRES_USER
valueFrom:
configMapKeyRef:
name: keycloak-db-config
key: POSTGRES_USER
- name: POSTGRES_PASSWORD
valueFrom:
secretKeyRef:
name: keycloak-db-credentials
key: password
ports:
- containerPort: 5432
name: postgres
volumeMounts:
- name: data
mountPath: /var/lib/postgresql/data
resources:
requests:
memory: "256Mi"
cpu: "250m"
limits:
memory: "512Mi"
cpu: "500m"
volumeClaimTemplates:
- metadata:
name: data
spec:
accessModes: ["ReadWriteOnce"]
resources:
requests:
storage: 10Gi
---
apiVersion: v1
kind: Service
metadata:
name: keycloak-postgres
namespace: keycloak
spec:
selector:
app: keycloak-postgres
ports:
- port: 5432
targetPort: 5432
name: postgres
clusterIP: None
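Review bot: `mountPath: /var/lib/postgresql/data` mounts the PVC root directly as the data directory; on many storage classes a freshly formatted volume contains a `lost+found` entry and the postgres image then refuses to run initdb because the directory is not empty. The usual fix is to point `PGDATA` at a subdirectory, e.g. add `- name: PGDATA` with `value: /var/lib/postgresql/data/pgdata` to `env`, which I would confirm against the storage class in use. The StatefulSet also sets no `securityContext`/`fsGroup`, so the container runs as root on the volume; add one with a `runAsUser` the image supports. The `keycloak-db-credentials` Secret has the same unexpanded `${KEYCLOAK_DB_PASSWORD:-change-me}` placeholder as the admin Secret in the keycloak manifest, so the DB password will be that literal string unless something templates it before sync.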