Add jwt-proxy functionality
#
# ============LICENSE_START=======================================================
#  Copyright (C) 2022 Nordix Foundation.
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#      http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# SPDX-License-Identifier: Apache-2.0
# ============LICENSE_END=========================================================
#
---
# ServiceAccount the keycloak Deployment below runs under.
# NOTE(review): nothing in this file shows Keycloak needing the Kubernetes API;
# if that holds, `automountServiceAccountToken: false` would keep the API token
# out of the pod (not set here to avoid changing behaviour).
apiVersion: v1
kind: ServiceAccount
metadata:
  namespace: default
  name: keycloak
---
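# Service in front of the keycloak Deployment.
# The previous revision declared `type` twice (ExternalName, then LoadBalancer)
# together with an `externalName`. A duplicate mapping key is either rejected
# or resolved last-wins depending on the parser, so only the LoadBalancer
# definition – the one the ports, nodePorts and selector belong to – is kept;
# `externalName` has no meaning outside type ExternalName and is dropped.
# The namespace is stated explicitly to match the ServiceAccount/Deployment and
# the keycloak.default.svc.cluster.local host used by the VirtualServices.
apiVersion: v1
kind: Service
metadata:
  name: keycloak
  namespace: default
  labels:
    app: keycloak
spec:
  type: LoadBalancer
  selector:
    app: keycloak
  ports:
  # NOTE(review): nodePort 31560 publishes Keycloak's plain-HTTP listener on
  # every node; keep it behind a network policy / firewall or remove it if
  # only the TLS port is meant to be reachable from outside the cluster.
  - name: http
    port: 8080
    targetPort: 8080
    nodePort: 31560
  - name: https
    port: 8443
    targetPort: 8443
    nodePort: 31561
---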
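# Single-replica Keycloak (legacy WildFly image, configured via env vars)
# backed by the `postgres` Service.
# Fixes vs. previous revision: `name :` (space before the colon) on the
# DB_PASSWORD / X509_CA_BUNDLE entries, and the over-indented hostPath block.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: keycloak
  namespace: default
  labels:
    app: keycloak
spec:
  replicas: 1
  selector:
    matchLabels:
      app: keycloak
  template:
    metadata:
      labels:
        app: keycloak
    spec:
      serviceAccountName: keycloak
      initContainers:
      # Wait until the postgres Service accepts TCP connections on 5432.
      # NOTE(review): `busybox` is untagged and therefore floats to :latest;
      # pin a tag or digest for reproducible, reviewable deployments.
      - name: init-postgres
        image: busybox
        imagePullPolicy: IfNotPresent
        command: ['sh', '-c', 'until nc -vz postgres 5432; do echo waiting for postgres db; sleep 2; done;']
      containers:
      - name: keycloak
        image: quay.io/keycloak/keycloak:16.1.1
        imagePullPolicy: IfNotPresent
        env:
        # NOTE(review): admin, management and database credentials are
        # hard-coded in a manifest committed to VCS. They belong in a Secret
        # referenced via `valueFrom.secretKeyRef`; left inline so the
        # deployment keeps working until that Secret is introduced.
        - name: KEYCLOAK_USER
          value: "admin"
        - name: KEYCLOAK_PASSWORD
          value: "admin"
        - name: KEYCLOAK_HTTPS_PORT
          value: "8443"
        # Honour X-Forwarded-* headers from the Istio ingress gateway.
        - name: PROXY_ADDRESS_FORWARDING
          value: "true"
        - name: MANAGEMENT_USER
          value: "wildfly-admin"
        - name: MANAGEMENT_PASSWORD
          value: "secret"
        - name: INGRESS_ENABLED
          value: "false"
        - name: DB_VENDOR
          value: "postgres"
        - name: DB_ADDR
          value: "postgres"
        - name: DB_PORT
          value: "5432"
        - name: DB_DATABASE
          value: "keycloak"
        - name: DB_USER
          value: "keycloak"
        - name: DB_PASSWORD
          value: "keycloak"
        # CA bundle read from the keycloak-certs volume mounted below.
        - name: X509_CA_BUNDLE
          value: /etc/x509/https/rootCA.crt
        ports:
        - name: http
          containerPort: 8080
        - name: https
          containerPort: 8443
        readinessProbe:
          httpGet:
            path: /auth/realms/master
            port: 8080
        volumeMounts:
        # NOTE(review): the container only reads certificates from this path;
        # `readOnly: true` would be the safer mount if that is confirmed.
        - name: keycloak-certs
          mountPath: /etc/x509/https
      volumes:
      # NOTE(review): hostPath ties the pod to node-local files and is outside
      # Kubernetes RBAC; a Secret or CSI-backed volume is the usual replacement.
      - name: keycloak-certs
        hostPath:
          path: /var/keycloak/certs
          type: Directory
---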
# Istio ingress Gateway for Keycloak: TLS passthrough on 443 for
# keycloak.oran.org, plus a plain-HTTP listener on 80 for every host.
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: kcgateway
spec:
  selector:
    istio: ingressgateway  # use istio default ingress gateway
  servers:
  # TLS is not terminated here; the keycloak-tls-vs VirtualService forwards
  # the raw TLS stream to the pod's 8443 port.
  - hosts:
    - "keycloak.oran.org"
    port:
      name: https
      number: 443
      protocol: HTTPS
    tls:
      mode: PASSTHROUGH
  # NOTE(review): this listener accepts cleartext HTTP for any host name; the
  # keycloak-vs VirtualService routes /auth through it, so the Keycloak
  # console and token endpoints are reachable without TLS at the edge.
  - hosts:
    - "*"
    port:
      name: http
      number: 80
      protocol: HTTP
---
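# TLS passthrough route: SNI keycloak.oran.org on gateway port 443 goes
# straight to the Keycloak pod's HTTPS port (8443).
# apiVersion aligned with the sibling keycloak-vs VirtualService (v1beta1),
# which this file already relies on, so both resources use one API version.
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: keycloak-tls-vs
spec:
  hosts:
  - keycloak.oran.org
  gateways:
  - kcgateway
  tls:
  - match:
    - port: 443
      sniHosts:
      - keycloak.oran.org
    route:
    - destination:
        host: keycloak.default.svc.cluster.local
        port:
          number: 8443
---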
# Plain-HTTP route: any host, URI prefix /auth, via kcgateway's port-80
# listener, to the Keycloak pod's HTTP port (8080).
# NOTE(review): because the host list is "*" and the gateway listener is
# cleartext, every Keycloak endpoint under /auth is served without TLS at
# the ingress; restrict hosts or redirect to the TLS route if that is not
# intended.
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: keycloak-vs
spec:
  gateways:
  - "kcgateway"
  hosts:
  - "*"
  http:
  - name: "keycloak-routes"
    match:
    - uri:
        prefix: "/auth"
    route:
    - destination:
        host: keycloak.default.svc.cluster.local
        port:
          number: 8080
---