service-exposure/keycloak.yaml

   1 #
   2 # ============LICENSE_START=======================================================
   3 #  Copyright (C) 2022-23 Nordix Foundation.
   4 # ================================================================================
   5 # Licensed under the Apache License, Version 2.0 (the "License");
   6 # you may not use this file except in compliance with the License.
   7 # You may obtain a copy of the License at
   8 #
   9 #      http://www.apache.org/licenses/LICENSE-2.0
  10 #
  11 # Unless required by applicable law or agreed to in writing, software
  12 # distributed under the License is distributed on an "AS IS" BASIS,
  13 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  14 # See the License for the specific language governing permissions and
  15 # limitations under the License.
  16 #
  17 # SPDX-License-Identifier: Apache-2.0
  18 # ============LICENSE_END=========================================================
  19 #
  20 apiVersion: v1
  21 kind: ServiceAccount
  22 metadata:
  23   name: keycloak
  24   namespace: default
  25 ---
  26 apiVersion: v1
  27 kind: Service
  28 metadata:
  29   name: keycloak
  30   labels:
  31     app: keycloak
  32     app.kubernetes.io/instance: keycloak
  33     app.kubernetes.io/name: keycloak
  34 spec:
  35   type: ExternalName
  36   externalName: keycloak.local
  37   ports:
  38   - name: http
  39     port: 8080
  40     targetPort: 8080
  41     nodePort: 31560
  42   - name: https
  43     port: 8443
  44     targetPort: 8443
  45     nodePort: 31561
  46   selector:
  47     app: keycloak
  48   type: LoadBalancer
  49 ---
  50 apiVersion: apps/v1
  51 kind: Deployment
  52 metadata:
  53   name: keycloak
  54   namespace: default
  55   labels:
  56     app: keycloak
  57     app.kubernetes.io/instance: keycloak
  58     app.kubernetes.io/name: keycloak
  59 spec:
  60   replicas: 1
  61   selector:
  62     matchLabels:
  63       app: keycloak
  64   template:
  65     metadata:
  66       labels:
  67         app: keycloak
  68         app.kubernetes.io/instance: keycloak
  69         app.kubernetes.io/name: keycloak
  70     spec:
  71       initContainers:
  72       - name: init-postgres
  73         image: busybox
  74         imagePullPolicy: IfNotPresent
  75         command: ['sh', '-c', 'until nc -vz postgres 5432; do echo waiting for postgres db; sleep 2; done;']
  76       serviceAccountName: keycloak
  77       containers:
  78       - name: keycloak
  79         image: quay.io/keycloak/keycloak:latest
  80         imagePullPolicy: IfNotPresent
  81         args: [
  82                 'start',
  83                 '--https-key-store-file=/etc/x509/https/keystore.jks',
  84                 '--https-key-store-password=$(KC_KEYSTORE_PASSWORD)',
  85                 '--https-key-store-type=JKS',
  86                 '--https-trust-store-file=/etc/x509/https/truststore.jks',
  87                 '--https-trust-store-password=$(KC_KEYSTORE_PASSWORD)',
  88                 '--https-trust-store-type=JKS',
  89                 '--https-client-auth=request',
  90                 '--http-enabled=true'
  91               ]
  92         env:
  93         - name : KEYCLOAK_ADMIN
  94           value: admin
  95         - name : KEYCLOAK_ADMIN_PASSWORD
  96           value: admin
  97         - name : KC_DB
  98           value: postgres
  99         - name : KC_DB_URL
 100           value: "jdbc:postgresql://postgres:5432/keycloak"
 101         - name : KC_DB_USERNAME
 102           value: keycloak
 103         - name : KC_DB_PASSWORD
 104           value: keycloak
 105         - name : KC_HOSTNAME
 106           value: keycloak
 107         - name:  KC_DB_URL_DATABASE
 108           value: keycloak
 109         - name : MY_PROVIDER_JAR_URL
 110           value: /opt/jboss/keycloak/standalone/deployments/authz-js-policies.jar
 111         - name: KC_HEALTH_ENABLED
 112           value: "true"
 113         - name: KC_METRICS_ENABLED
 114           value: "true"
 115         - name: KC_KEYSTORE_PASSWORD
 116           valueFrom:
 117             secretKeyRef:
 118               name: cm-keycloak-jwk-pw
 119               key: password
 120         ports:
 121         - name: http
 122           containerPort: 8080
 123         - name: https
 124           containerPort: 8443
 125         readinessProbe:
 126           httpGet:
 127             scheme: HTTPS
 128             path: /health/ready
 129             port: 8443
 130         volumeMounts:
 131         - name: keycloak-certs
 132           mountPath: /etc/x509/https
 133           readOnly: true
 134         - name: authz-js-policies
 135           mountPath: /opt/jboss/keycloak/standalone/deployments/authz-js-policies.jar
 136       volumes:
 137       - name: keycloak-certs
 138         secret:
 139           secretName: cm-keycloak-server-certs
 140       - name: authz-js-policies
 141         hostPath:
 142            path: /var/keycloak/deployments/authz-js-policies.jar
 143            type: File
 144 ---
 145 apiVersion: networking.istio.io/v1alpha3
 146 kind: Gateway
 147 metadata:
 148   name: kcgateway
 149 spec:
 150   selector:
 151     istio: ingressgateway # use istio default ingress gateway
 152   servers:
 153   - port:
 154       number: 443
 155       name: https
 156       protocol: HTTPS
 157     tls:
 158       mode: PASSTHROUGH
 159     hosts:
 160     - keycloak.est.tech
 161   - port:
 162       number: 80
 163       name: http
 164       protocol: HTTP
 165     hosts:
 166     - "*"
 167 ---
 168 apiVersion: networking.istio.io/v1alpha3
 169 kind: VirtualService
 170 metadata:
 171   name: keycloak-tls-vs
 172 spec:
 173   hosts:
 174   - keycloak.est.tech
 175   gateways:
 176   - kcgateway
 177   tls:
 178   - match:
 179     - port: 443
 180       sniHosts:
 181       - keycloak.est.tech
 182     route:
 183     - destination:
 184         host: keycloak.default.svc.cluster.local
 185         port:
 186           number: 8443
 187 ---
 188 apiVersion: networking.istio.io/v1beta1
 189 kind: VirtualService
 190 metadata:
 191   name: keycloak-vs
 192 spec:
 193   hosts:
 194   - "*"
 195   gateways:
 196   - kcgateway
 197   http:
 198   - name: "keycloak-routes"
 199     match:
 200     - uri:
 201         prefix: "/realms"
 202     route:
 203     - destination:
 204         port:
 205           number: 8080
 206         host: keycloak.default.svc.cluster.local
 207 ---