#
# ============LICENSE_START=======================================================
#  Copyright (C) 2022-23 Nordix Foundation.
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#      http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# SPDX-License-Identifier: Apache-2.0
# ============LICENSE_END=========================================================
#
# Identity used by the Keycloak Deployment in this file (spec.serviceAccountName).
# NOTE(review): nothing in this manifest needs the Kubernetes API from inside
# the pod; `automountServiceAccountToken: false` here would keep the API token
# out of the Keycloak container (least privilege) — confirm the custom provider
# jar mounted by the Deployment does not rely on it before enabling.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: keycloak
  namespace: default
---
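# Service fronting the Keycloak pods (selector app=keycloak). It is the route
# target of the VirtualServices below as keycloak.default.svc.cluster.local,
# so the namespace is pinned to `default` like the other resources here.
#
# `spec.type` must be given exactly once: a duplicate key is rejected by strict
# parsers and silently last-wins in lenient ones. LoadBalancer is the type that
# matches the selector and nodePort fields; externalName applies only to
# ExternalName services and is therefore not set.
#
# NOTE(review): both ports are also reachable on fixed NodePorts on every node;
# 31560 serves Keycloak over plaintext HTTP. Drop the http port here, or the
# nodePorts, if only the Istio ingress should reach the server.
apiVersion: v1
kind: Service
metadata:
  name: keycloak
  namespace: default
  labels:
    app: keycloak
    app.kubernetes.io/instance: keycloak
    app.kubernetes.io/name: keycloak
spec:
  type: LoadBalancer
  ports:
  - name: http
    port: 8080
    targetPort: 8080
    nodePort: 31560
  - name: https
    port: 8443
    targetPort: 8443
    nodePort: 31561
  selector:
    app: keycloak
---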
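# Keycloak server (Quarkus distribution, `start` command) backed by the
# in-cluster `postgres` service. TLS key and trust stores come from the
# cm-keycloak-server-certs secret; their password from cm-keycloak-jwk-pw.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: keycloak
  namespace: default
  labels:
    app: keycloak
    app.kubernetes.io/instance: keycloak
    app.kubernetes.io/name: keycloak
spec:
  replicas: 1
  selector:
    matchLabels:
      app: keycloak
  template:
    metadata:
      labels:
        app: keycloak
        app.kubernetes.io/instance: keycloak
        app.kubernetes.io/name: keycloak
    spec:
      serviceAccountName: keycloak
      initContainers:
      # Blocks pod start until the postgres service accepts TCP connections.
      # NOTE(review): `busybox` without a tag resolves to :latest; pin a tag or
      # digest so the init image is reproducible and auditable.
      - name: init-postgres
        image: busybox
        imagePullPolicy: IfNotPresent
        command: ['sh', '-c', 'until nc -vz postgres 5432; do echo waiting for postgres db; sleep 2; done;']
        securityContext:
          # An outbound TCP probe needs no capabilities.
          allowPrivilegeEscalation: false
          capabilities:
            drop: ["ALL"]
      containers:
      - name: keycloak
        # NOTE(review): :latest is a mutable tag — an upstream push silently
        # changes what is deployed, and IfNotPresent keeps whatever a node has
        # cached. Pin a version or digest, e.g.
        # quay.io/keycloak/keycloak:<VERSION>@sha256:<DIGEST> (placeholder).
        image: quay.io/keycloak/keycloak:latest
        imagePullPolicy: IfNotPresent
        # The store passwords are read from KC_KEYSTORE_PASSWORD, which the
        # kubelet expands into argv, so the secret is visible in the container's
        # process list (/proc). Keycloak also accepts them as the env vars
        # KC_HTTPS_KEY_STORE_PASSWORD / KC_HTTPS_TRUST_STORE_PASSWORD, which
        # would keep the value out of argv.
        args:
        - 'start'
        - '--https-key-store-file=/etc/x509/https/keystore.jks'
        - '--https-key-store-password=$(KC_KEYSTORE_PASSWORD)'
        - '--https-key-store-type=JKS'
        - '--https-trust-store-file=/etc/x509/https/truststore.jks'
        - '--https-trust-store-password=$(KC_KEYSTORE_PASSWORD)'
        - '--https-trust-store-type=JKS'
        # Client certificates are requested but not required (optional mTLS).
        - '--https-client-auth=request'
        # Plaintext listener on 8080; reached via the HTTP route in keycloak-vs.
        - '--http-enabled=true'
        env:
        # NOTE(review): bootstrap admin credentials (admin/admin) and the DB
        # password are hard-coded in a file committed to VCS. Move them to a
        # Secret and reference them with secretKeyRef as KC_KEYSTORE_PASSWORD
        # does below; rotate the admin password after first start.
        - name: KEYCLOAK_ADMIN
          value: admin
        - name: KEYCLOAK_ADMIN_PASSWORD
          value: admin
        - name: KC_DB
          value: postgres
        - name: KC_DB_URL
          value: "jdbc:postgresql://postgres:5432/keycloak"
        - name: KC_DB_USERNAME
          value: keycloak
        - name: KC_DB_PASSWORD
          value: keycloak
        - name: KC_HOSTNAME
          value: keycloak
        - name: KC_DB_URL_DATABASE
          value: keycloak
        # NOTE(review): /opt/jboss/keycloak/standalone/deployments is the legacy
        # WildFly layout; the Quarkus distribution launched with `start` loads
        # providers from /opt/keycloak/providers — confirm the jar is actually
        # picked up at this path.
        - name: MY_PROVIDER_JAR_URL
          value: /opt/jboss/keycloak/standalone/deployments/authz-js-policies.jar
        # Enables /health/* (used by the readiness probe) and /metrics. Both are
        # served on the same listeners as the application, including NodePort
        # 31561 on the Service; restrict who can reach them.
        - name: KC_HEALTH_ENABLED
          value: "true"
        - name: KC_METRICS_ENABLED
          value: "true"
        - name: KC_KEYSTORE_PASSWORD
          valueFrom:
            secretKeyRef:
              name: cm-keycloak-jwk-pw
              key: password
        ports:
        - name: http
          containerPort: 8080
        - name: https
          containerPort: 8443
        readinessProbe:
          httpGet:
            scheme: HTTPS
            path: /health/ready
            port: 8443
        securityContext:
          # The upstream quay.io/keycloak image runs as a non-root user; these
          # settings only remove privileges the process does not use. Revisit
          # if a custom image that runs as root is substituted.
          runAsNonRoot: true
          allowPrivilegeEscalation: false
          capabilities:
            drop: ["ALL"]
        volumeMounts:
        - name: keycloak-certs
          mountPath: /etc/x509/https
          readOnly: true
        # The provider jar is only loaded, never written, by the server.
        - name: authz-js-policies
          mountPath: /opt/jboss/keycloak/standalone/deployments/authz-js-policies.jar
          readOnly: true
      volumes:
      - name: keycloak-certs
        secret:
          secretName: cm-keycloak-server-certs
      # NOTE(review): hostPath ties the pod to a node that has the jar at this
      # path, and whoever can write that file on the node can inject code into
      # Keycloak. Shipping the jar in the image (or a ConfigMap/init-container
      # fetch with a checksum) is easier to audit.
      - name: authz-js-policies
        hostPath:
          path: /var/keycloak/deployments/authz-js-policies.jar
          type: File
---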
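# Istio ingress for Keycloak. Port 443 is TLS passthrough for
# keycloak.est.tech (Keycloak terminates TLS itself, see keycloak-tls-vs);
# port 80 accepts any Host in plaintext and is routed by keycloak-vs.
# apiVersion aligned with keycloak-vs (v1beta1) so all Istio objects in this
# file use one API version.
#
# NOTE(review): the port-80 server has no httpsRedirect, so /realms is
# reachable unencrypted through the ingress. Add `tls: {httpsRedirect: true}`
# to that server if plaintext access is not intended (clients must then use
# the keycloak.est.tech name so the SNI match on 443 succeeds).
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: kcgateway
spec:
  selector:
    istio: ingressgateway # use istio default ingress gateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: PASSTHROUGH
    hosts:
    - keycloak.est.tech
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "*"
---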
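# TLS passthrough route for keycloak.est.tech: the ingress gateway matches on
# SNI only and forwards the unterminated TLS stream to Keycloak's HTTPS port
# 8443, so Keycloak's own keystore (cm-keycloak-server-certs) terminates TLS
# and can request client certificates (--https-client-auth=request in the
# Deployment). apiVersion aligned with keycloak-vs (v1beta1).
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: keycloak-tls-vs
spec:
  hosts:
  - keycloak.est.tech
  gateways:
  - kcgateway
  tls:
  - match:
    - port: 443
      sniHosts:
      - keycloak.est.tech
    route:
    - destination:
        host: keycloak.default.svc.cluster.local
        port:
          number: 8443
---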
# Plaintext route: any Host arriving on the gateway's port-80 listener with a
# /realms URI prefix is forwarded to Keycloak's HTTP port 8080 in-cluster.
# NOTE(review): the OpenID Connect endpoints under /realms carry user
# credentials and tokens; on this route they travel client -> ingress
# unencrypted. keycloak-tls-vs is the protected path — treat this route as
# dev/test only, or redirect HTTP to HTTPS at the Gateway.
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: keycloak-vs
spec:
  hosts:
  - "*"
  gateways:
  - kcgateway
  http:
  - name: "keycloak-routes"
    match:
    - uri:
        prefix: "/realms"
    route:
    - destination:
        port:
          number: 8080
        host: keycloak.default.svc.cluster.local
---