# # ============LICENSE_START======================================================= # Copyright (C) 2022-2023 Nordix Foundation. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. # # SPDX-License-Identifier: Apache-2.0 # ============LICENSE_END========================================================= # apiVersion: v1 kind: ServiceAccount metadata: name: keycloak namespace: default --- apiVersion: v1 kind: Service metadata: name: keycloak labels: app: keycloak spec: type: ExternalName externalName: keycloak.local ports: - name: http port: 8080 targetPort: 8080 nodePort: 31560 - name: https port: 8443 targetPort: 8443 nodePort: 31561 selector: app: keycloak type: LoadBalancer --- apiVersion: apps/v1 kind: Deployment metadata: name: keycloak namespace: default labels: app: keycloak spec: replicas: 1 selector: matchLabels: app: keycloak template: metadata: labels: app: keycloak spec: initContainers: - name: init-postgres image: busybox imagePullPolicy: IfNotPresent command: ['sh', '-c', 'until nc -vz postgres 5432; do echo waiting for postgres db; sleep 2; done;'] serviceAccountName: keycloak containers: - name: keycloak image: quay.io/keycloak/keycloak:latest imagePullPolicy: IfNotPresent args: [ 'start', '--https-key-store-file=/etc/x509/https/server.keystore', '--https-key-store-password=changeit', '--https-key-store-type=PKCS12', '--https-trust-store-file=/etc/x509/https/server.truststore', '--https-trust-store-password=changeit', '--https-trust-store-type=PKCS12', '--https-client-auth=request', '--http-enabled=true' ] env: - name : X509_CA_BUNDLE value: /etc/x509/https/rootCA.crt - name : KEYCLOAK_ADMIN value: admin - name : KEYCLOAK_ADMIN_PASSWORD value: admin - name : KC_DB value: postgres - name : KC_DB_URL value: "jdbc:postgresql://postgres:5432/keycloak" - name : KC_DB_USERNAME value: keycloak - name : KC_DB_PASSWORD value: keycloak - name : KC_HOSTNAME value: keycloak - name : MY_PROVIDER_JAR_URL value: /opt/jboss/keycloak/standalone/deployments/authz-js-policies.jar - name: KC_HEALTH_ENABLED value: "true" - name: KC_METRICS_ENABLED value: "true" ports: - name: http containerPort: 8080 - name: https containerPort: 8443 readinessProbe: httpGet: scheme: HTTPS path: /health/ready port: 8443 volumeMounts: - name: keycloak-certs mountPath: /etc/x509/https - name: authz-js-policies mountPath: /opt/jboss/keycloak/standalone/deployments/authz-js-policies.jar volumes: - name: keycloak-certs hostPath: path: /var/keycloak/certs type: Directory - name: authz-js-policies hostPath: path: /var/keycloak/deployments/authz-js-policies.jar type: File --- apiVersion: networking.istio.io/v1alpha3 kind: Gateway metadata: name: kcgateway spec: selector: istio: ingressgateway # use istio default ingress gateway servers: - port: number: 443 name: https protocol: HTTPS tls: mode: PASSTHROUGH hosts: - keycloak.est.tech - port: number: 80 name: http protocol: HTTP hosts: - "*" --- apiVersion: networking.istio.io/v1alpha3 kind: VirtualService metadata: name: keycloak-tls-vs spec: hosts: - keycloak.est.tech gateways: - kcgateway tls: - match: - port: 443 sniHosts: - keycloak.est.tech route: - destination: host: keycloak.default.svc.cluster.local port: number: 8443 --- apiVersion: networking.istio.io/v1beta1 kind: VirtualService metadata: name: keycloak-vs spec: hosts: - "*" gateways: - kcgateway http: - name: "keycloak-routes" match: - uri: prefix: "/realms" route: - destination: port: number: 8080 host: keycloak.default.svc.cluster.local ---