service-exposure/keycloak.yaml

   1 #
   2 # ============LICENSE_START=======================================================
   3 #  Copyright (C) 2022-2023 Nordix Foundation.
   4 # ================================================================================
   5 # Licensed under the Apache License, Version 2.0 (the "License");
   6 # you may not use this file except in compliance with the License.
   7 # You may obtain a copy of the License at
   8 #
   9 #      http://www.apache.org/licenses/LICENSE-2.0
  10 #
  11 # Unless required by applicable law or agreed to in writing, software
  12 # distributed under the License is distributed on an "AS IS" BASIS,
  13 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  14 # See the License for the specific language governing permissions and
  15 # limitations under the License.
  16 #
  17 # SPDX-License-Identifier: Apache-2.0
  18 # ============LICENSE_END=========================================================
  19 #
  20 apiVersion: v1
  21 kind: ServiceAccount
  22 metadata:
  23   name: keycloak
  24   namespace: default
  25 ---
  26 apiVersion: v1
  27 kind: Service
  28 metadata:
  29   name: keycloak
  30   labels:
  31     app: keycloak
  32 spec:
  33   type: ExternalName
  34   externalName: keycloak.local
  35   ports:
  36   - name: http
  37     port: 8080
  38     targetPort: 8080
  39     nodePort: 31560
  40   - name: https
  41     port: 8443
  42     targetPort: 8443
  43     nodePort: 31561
  44   selector:
  45     app: keycloak
  46   type: LoadBalancer
  47 ---
  48 apiVersion: apps/v1
  49 kind: Deployment
  50 metadata:
  51   name: keycloak
  52   namespace: default
  53   labels:
  54     app: keycloak
  55 spec:
  56   replicas: 1
  57   selector:
  58     matchLabels:
  59       app: keycloak
  60   template:
  61     metadata:
  62       labels:
  63         app: keycloak
  64     spec:
  65       initContainers:
  66       - name: init-postgres
  67         image: busybox
  68         imagePullPolicy: IfNotPresent
  69         command: ['sh', '-c', 'until nc -vz postgres 5432; do echo waiting for postgres db; sleep 2; done;']
  70       serviceAccountName: keycloak
  71       containers:
  72       - name: keycloak
  73         image: quay.io/keycloak/keycloak:latest
  74         imagePullPolicy: IfNotPresent
  75         args: [
  76                 'start',
  77                 '--https-key-store-file=/etc/x509/https/server.keystore',
  78                 '--https-key-store-password=changeit',
  79                 '--https-key-store-type=PKCS12',
  80                 '--https-trust-store-file=/etc/x509/https/server.truststore',
  81                 '--https-trust-store-password=changeit',
  82                 '--https-trust-store-type=PKCS12',
  83                 '--https-client-auth=request',
  84                 '--http-enabled=true'
  85               ]
  86
  87         env:
  88         - name : X509_CA_BUNDLE
  89           value: /etc/x509/https/rootCA.crt
  90         - name : KEYCLOAK_ADMIN
  91           value: admin
  92         - name : KEYCLOAK_ADMIN_PASSWORD
  93           value: admin
  94         - name : KC_DB
  95           value: postgres
  96         - name : KC_DB_URL
  97           value: "jdbc:postgresql://postgres:5432/keycloak"
  98         - name : KC_DB_USERNAME
  99           value: keycloak
 100         - name : KC_DB_PASSWORD
 101           value: keycloak
 102         - name : KC_HOSTNAME
 103           value: keycloak
 104         - name : MY_PROVIDER_JAR_URL
 105           value: /opt/jboss/keycloak/standalone/deployments/authz-js-policies.jar
 106         - name: KC_HEALTH_ENABLED
 107           value: "true"
 108         - name: KC_METRICS_ENABLED
 109           value: "true"
 110         ports:
 111         - name: http
 112           containerPort: 8080
 113         - name: https
 114           containerPort: 8443
 115         readinessProbe:
 116           httpGet:
 117             scheme: HTTPS
 118             path: /health/ready
 119             port: 8443
 120         volumeMounts:
 121         - name: keycloak-certs
 122           mountPath: /etc/x509/https
 123         - name: authz-js-policies
 124           mountPath: /opt/jboss/keycloak/standalone/deployments/authz-js-policies.jar
 125       volumes:
 126       - name: keycloak-certs
 127         hostPath:
 128            path: /var/keycloak/certs
 129            type: Directory
 130       - name: authz-js-policies
 131         hostPath:
 132            path: /var/keycloak/deployments/authz-js-policies.jar
 133            type: File
 134 ---
 135 apiVersion: networking.istio.io/v1alpha3
 136 kind: Gateway
 137 metadata:
 138   name: kcgateway
 139 spec:
 140   selector:
 141     istio: ingressgateway # use istio default ingress gateway
 142   servers:
 143   - port:
 144       number: 443
 145       name: https
 146       protocol: HTTPS
 147     tls:
 148       mode: PASSTHROUGH
 149     hosts:
 150     - keycloak.est.tech
 151   - port:
 152       number: 80
 153       name: http
 154       protocol: HTTP
 155     hosts:
 156     - "*"
 157 ---
 158 apiVersion: networking.istio.io/v1alpha3
 159 kind: VirtualService
 160 metadata:
 161   name: keycloak-tls-vs
 162 spec:
 163   hosts:
 164   - keycloak.est.tech
 165   gateways:
 166   - kcgateway
 167   tls:
 168   - match:
 169     - port: 443
 170       sniHosts:
 171       - keycloak.est.tech
 172     route:
 173     - destination:
 174         host: keycloak.default.svc.cluster.local
 175         port:
 176           number: 8443
 177 ---
 178 apiVersion: networking.istio.io/v1beta1
 179 kind: VirtualService
 180 metadata:
 181   name: keycloak-vs
 182 spec:
 183   hosts:
 184   - "*"
 185   gateways:
 186   - kcgateway
 187   http:
 188   - name: "keycloak-routes"
 189     match:
 190     - uri:
 191         prefix: "/realms"
 192     route:
 193     - destination:
 194         port:
 195           number: 8080
 196         host: keycloak.default.svc.cluster.local
 197 ---