#
# ============LICENSE_START=======================================================
#  Copyright (C) 2022 Nordix Foundation.
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#      http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# SPDX-License-Identifier: Apache-2.0
# ============LICENSE_END=========================================================
#
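# Identity the Keycloak pod runs as (referenced by the Deployment below).
apiVersion: v1
kind: ServiceAccount
metadata:
  name: keycloak
  namespace: default
# Nothing in the Keycloak Deployment in this file talks to the Kubernetes API,
# so do not hand its pods an API token by default (least privilege; CIS 5.1.6).
# NOTE(review): if an Istio sidecar is injected into this pod and the mesh still
# relies on the automounted first-party service-account JWT, the proxy would
# need this token -- confirm the mesh's token mode before rolling this out.
automountServiceAccountToken: false
---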
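# In-cluster and direct (NodePort/LoadBalancer) endpoint for Keycloak.
apiVersion: v1
kind: Service
metadata:
  name: keycloak
  namespace: default
  labels:
    app: keycloak
spec:
  # The original spec declared `type` twice (ExternalName, then LoadBalancer)
  # together with an `externalName`. Duplicate keys are invalid YAML and most
  # parsers silently keep the last one, so LoadBalancer is what was actually
  # applied; keep that single explicit type and drop the dead ExternalName bits.
  type: LoadBalancer
  selector:
    app: keycloak
  ports:
  # NOTE(review): this publishes Keycloak on fixed NodePorts (plus a cloud LB
  # where one gets provisioned), bypassing the Istio gateway below; 31560 serves
  # the admin console and token endpoints in plaintext. Outside a local lab,
  # prefer ClusterIP and reach Keycloak only through the gateway.
  - name: http
    port: 8080
    targetPort: 8080
    nodePort: 31560
  - name: https
    port: 8443
    targetPort: 8443
    nodePort: 31561
---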
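# Credentials for the Keycloak admin user, the WildFly management interface and
# the Postgres connection. They used to be inline `value:` strings on the
# Deployment below, where anyone allowed to read pods/deployments (or the git
# history) sees them. The values here are the same demo defaults so the manifest
# still applies unchanged; treat them as placeholders -- override per environment
# and keep real secrets out of git (sealed-secrets, external-secrets, a vault...).
apiVersion: v1
kind: Secret
metadata:
  name: keycloak-credentials
  namespace: default
  labels:
    app: keycloak
type: Opaque
stringData:
  admin-user: "admin"
  admin-password: "admin"
  management-user: "wildfly-admin"
  management-password: "secret"
  db-user: "keycloak"
  db-password: "keycloak"
---
# Single-replica Keycloak 16 (legacy WildFly image) backed by the `postgres`
# service, serving HTTP on 8080 and HTTPS on 8443 with certificates from a
# node-local directory.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: keycloak
  namespace: default
  labels:
    app: keycloak
spec:
  replicas: 1
  selector:
    matchLabels:
      app: keycloak
  template:
    metadata:
      labels:
        app: keycloak
    spec:
      serviceAccountName: keycloak
      initContainers:
      # Block until Postgres answers on 5432 so Keycloak does not crash-loop on
      # a cold start. TODO(review): pin `busybox` to a tag or digest -- an
      # untagged image resolves to whatever :latest the node pulled last, which
      # defeats `IfNotPresent` as a reproducibility measure.
      - name: init-postgres
        image: busybox
        imagePullPolicy: IfNotPresent
        command: ['sh', '-c', 'until nc -vz postgres 5432; do echo waiting for postgres db; sleep 2; done;']
      containers:
      - name: keycloak
        image: quay.io/keycloak/keycloak:16.1.1
        imagePullPolicy: IfNotPresent
        # Forbid root and setuid escalation for the server process.
        # NOTE(review): the upstream image is built to run as a numeric non-root
        # uid; if the pod is rejected with a runAsNonRoot error, set `runAsUser`
        # explicitly rather than dropping the check.
        securityContext:
          runAsNonRoot: true
          allowPrivilegeEscalation: false
        env:
        # Bootstrap admin account (created on first start only).
        - name: KEYCLOAK_USER
          valueFrom:
            secretKeyRef:
              name: keycloak-credentials
              key: admin-user
        - name: KEYCLOAK_PASSWORD
          valueFrom:
            secretKeyRef:
              name: keycloak-credentials
              key: admin-password
        - name: KEYCLOAK_HTTPS_PORT
          value: "8443"
        # Trust X-Forwarded-* from the Istio gateway / LB in front of us.
        - name: PROXY_ADDRESS_FORWARDING
          value: "true"
        # WildFly management console credentials.
        - name: MANAGEMENT_USER
          valueFrom:
            secretKeyRef:
              name: keycloak-credentials
              key: management-user
        - name: MANAGEMENT_PASSWORD
          valueFrom:
            secretKeyRef:
              name: keycloak-credentials
              key: management-password
        # NOTE(review): not a documented variable of this image; presumably
        # consumed by something else in the demo -- kept unchanged.
        - name: INGRESS_ENABLED
          value: "false"
        - name: DB_VENDOR
          value: "postgres"
        - name: DB_ADDR
          value: "postgres"
        - name: DB_PORT
          value: "5432"
        - name: DB_DATABASE
          value: "keycloak"
        - name: DB_USER
          valueFrom:
            secretKeyRef:
              name: keycloak-credentials
              key: db-user
        - name: DB_PASSWORD
          valueFrom:
            secretKeyRef:
              name: keycloak-credentials
              key: db-password
        # CA bundle inside the mounted certificate directory below.
        - name: X509_CA_BUNDLE
          value: /etc/x509/https/rootCA.crt
        ports:
        - name: http
          containerPort: 8080
        - name: https
          containerPort: 8443
        readinessProbe:
          httpGet:
            path: /auth/realms/master
            port: 8080
        volumeMounts:
        # Certificates are only read from here; mount read-only so a compromised
        # server process cannot tamper with the node's key material.
        - name: keycloak-certs
          mountPath: /etc/x509/https
          readOnly: true
      volumes:
      # NOTE(review): hostPath ties the pod to a node that has this directory
      # (presumably holding the server cert/key plus rootCA.crt -- confirm); a
      # TLS Secret would make the pod schedulable anywhere and auditable via RBAC.
      - name: keycloak-certs
        hostPath:
          path: /var/keycloak/certs
          type: Directory
---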
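# Listeners on the default Istio ingress gateway for Keycloak traffic.
# Same API version as the VirtualServices that bind to this gateway.
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: kcgateway
  namespace: default
spec:
  selector:
    istio: ingressgateway # use istio default ingress gateway
  servers:
  # 443: TLS is not terminated here (PASSTHROUGH). The gateway only reads the
  # SNI and hands the still-encrypted stream on, so presumably only the name
  # Keycloak's own certificate carries is accepted.
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: PASSTHROUGH
    hosts:
    - keycloak.oran.org
  # 80: plaintext HTTP for any Host header. Whatever keycloak-vs routes here
  # (login forms, token exchanges) crosses the network unencrypted. For anything
  # beyond a local demo, drop this server or turn it into a redirect with
  #   tls:
  #     httpsRedirect: true
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "*"
---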
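# SNI-based TLS route for keycloak.oran.org on the gateway's 443 listener.
# Same API version as keycloak-vs below (Istio serves both as one schema).
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: keycloak-tls-vs
  namespace: default
spec:
  hosts:
  - keycloak.oran.org
  gateways:
  - kcgateway
  # The gateway runs this listener in PASSTHROUGH mode, so the encrypted stream
  # is forwarded untouched to Keycloak's HTTPS port; Keycloak therefore has to
  # present a certificate valid for keycloak.oran.org itself.
  tls:
  - match:
    - port: 443
      sniHosts:
      - keycloak.oran.org
    route:
    - destination:
        host: keycloak.default.svc.cluster.local
        port:
          number: 8443
---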
# Plain-HTTP route: forwards /auth* from the gateway's port-80 listener to
# Keycloak's HTTP port.
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: keycloak-vs
  namespace: default
spec:
  # Bound to every host the gateway's HTTP server accepts.
  hosts:
  - "*"
  gateways:
  - kcgateway
  http:
  - name: "keycloak-routes"
    # Only Keycloak's own URL space is forwarded.
    match:
    - uri:
        prefix: "/auth"
    # NOTE(review): this hop is cleartext end to end (client -> gateway ->
    # Keycloak:8080); credentials and tokens on it are readable on the path.
    route:
    - destination:
        host: keycloak.default.svc.cluster.local
        port:
          number: 8080
---