Test FTC100 fails since A1-SIM update
[nonrtric.git] / service-exposure / keycloak.yaml
index 2beace2..a23b2cc 100644 (file)
@@ -1,6 +1,6 @@
 #
 # ============LICENSE_START=======================================================
-#  Copyright (C) 2022 Nordix Foundation.
+#  Copyright (C) 2022-23 Nordix Foundation.
 # ================================================================================
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -27,9 +27,10 @@ apiVersion: v1
 kind: Service
 metadata:
   name: keycloak
-  namespace: default
   labels:
     app: keycloak
+    app.kubernetes.io/instance: keycloak
+    app.kubernetes.io/name: keycloak
 spec:
   type: ExternalName
   externalName: keycloak.local
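Review bot: Dropping `namespace: default` from this Service — and from the Gateway and both VirtualServices in the later hunks — makes those objects land in whatever namespace `kubectl apply` targets, while the Deployment in the next hunk still carries `namespace: default` and the `keycloak-tls-vs` route still hard-codes `host: keycloak.default.svc.cluster.local`. Applied to any other namespace, the Deployment and the routing objects would end up in different namespaces and the TLS route would keep pointing at `default`. Either remove the field from the Deployment too and document that the whole file assumes `default`, or keep it on every object. A comment above the first resource, e.g. `# All objects assume the default namespace; keycloak-tls-vs routes to keycloak.default.svc.cluster.local`, would make that dependency visible.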
@@ -53,6 +54,8 @@ metadata:
   namespace: default
   labels:
     app: keycloak
+    app.kubernetes.io/instance: keycloak
+    app.kubernetes.io/name: keycloak
 spec:
   replicas: 1
   selector:
@@ -62,6 +65,8 @@ spec:
     metadata:
       labels:
         app: keycloak
+        app.kubernetes.io/instance: keycloak
+        app.kubernetes.io/name: keycloak
     spec:
       initContainers:
       - name: init-postgres
@@ -71,37 +76,47 @@ spec:
       serviceAccountName: keycloak
       containers:
       - name: keycloak
-        image: quay.io/keycloak/keycloak:16.1.1
+        image: quay.io/keycloak/keycloak:latest
         imagePullPolicy: IfNotPresent
+        args: [
+                'start',
+                '--https-key-store-file=/etc/x509/https/keystore.jks',
+                '--https-key-store-password=$(KC_KEYSTORE_PASSWORD)',
+                '--https-key-store-type=JKS',
+                '--https-trust-store-file=/etc/x509/https/truststore.jks',
+                '--https-trust-store-password=$(KC_KEYSTORE_PASSWORD)',
+                '--https-trust-store-type=JKS',
+                '--https-client-auth=request',
+                '--http-enabled=true'
+              ]
         env:
-        - name: KEYCLOAK_USER
-          value: "admin"
-        - name: KEYCLOAK_PASSWORD
-          value: "admin"
-        - name: KEYCLOAK_HTTPS_PORT
-          value: "8443"
-        - name: PROXY_ADDRESS_FORWARDING
+        - name : KEYCLOAK_ADMIN
+          value: admin
+        - name : KEYCLOAK_ADMIN_PASSWORD
+          value: admin
+        - name : KC_DB
+          value: postgres
+        - name : KC_DB_URL
+          value: "jdbc:postgresql://postgres:5432/keycloak"
+        - name : KC_DB_USERNAME
+          value: keycloak
+        - name : KC_DB_PASSWORD
+          value: keycloak
+        - name : KC_HOSTNAME
+          value: keycloak
+        - name:  KC_DB_URL_DATABASE
+          value: keycloak
+        - name : MY_PROVIDER_JAR_URL
+          value: /opt/jboss/keycloak/standalone/deployments/authz-js-policies.jar
+        - name: KC_HEALTH_ENABLED
+          value: "true"
+        - name: KC_METRICS_ENABLED
           value: "true"
-        - name: MANAGEMENT_USER
-          value: "wildfly-admin"
-        - name: MANAGEMENT_PASSWORD
-          value: "secret"
-        - name: INGRESS_ENABLED
-          value: "false"
-        - name: DB_VENDOR
-          value: "postgres"
-        - name: DB_ADDR
-          value: "postgres"
-        - name: DB_PORT
-          value: "5432"
-        - name: DB_DATABASE
-          value: "keycloak"
-        - name: DB_USER
-          value: "keycloak"
-        - name : DB_PASSWORD
-          value: "keycloak"
-        - name : X509_CA_BUNDLE
-          value: /etc/x509/https/rootCA.crt
+        - name: KC_KEYSTORE_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: cm-keycloak-jwk-pw
+              key: password
         ports:
         - name: http
           containerPort: 8080
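Review bot: `image: quay.io/keycloak/keycloak:latest` replaces a pinned tag, so every image pull may yield a different Keycloak release; the commit title itself attributes the failing test to an unplanned upstream update, and a floating tag guarantees the next one, so pin a version (ideally with an `@sha256:` digest), e.g. `image: quay.io/keycloak/keycloak:<pinned-version>`. The keystore and truststore passwords are handed over on the command line via `--https-key-store-password=$(KC_KEYSTORE_PASSWORD)` and `--https-trust-store-password=$(KC_KEYSTORE_PASSWORD)`, where Kubernetes expands them into the container's argv (visible to anything that can list processes in the pod); Keycloak reads the same options from `KC_HTTPS_KEY_STORE_PASSWORD` / `KC_HTTPS_TRUST_STORE_PASSWORD`, so wiring the existing `secretKeyRef` to those names and dropping the two `--https-*-password` args keeps the secret out of argv. `KEYCLOAK_ADMIN_PASSWORD` and `KC_DB_PASSWORD` stay as literal `admin` / `keycloak` in the committed manifest even though the hunk already shows the `secretKeyRef` pattern for `KC_KEYSTORE_PASSWORD`; the same pattern fits them. Style: `name : KEYCLOAK_ADMIN` (space before the colon, repeated down to `MY_PROVIDER_JAR_URL`) and `name:  KC_DB_URL_DATABASE` trip yamllint's colon rule, and the multi-line flow `args: [ ... ]` reads better as a block sequence like the rest of the file. The container spec continues in the next hunk.
```yaml
        args:
        - 'start'
        - '--https-key-store-file=/etc/x509/https/keystore.jks'
        - '--https-key-store-type=JKS'
        - '--https-trust-store-file=/etc/x509/https/truststore.jks'
        - '--https-trust-store-type=JKS'
        - '--https-client-auth=request'
        - '--http-enabled=true'
        env:
        - name: KC_HTTPS_KEY_STORE_PASSWORD
          valueFrom:
            secretKeyRef:
              name: cm-keycloak-jwk-pw
              key: password
        - name: KC_HTTPS_TRUST_STORE_PASSWORD
          valueFrom:
            secretKeyRef:
              name: cm-keycloak-jwk-pw
              key: password
        # … unchanged: KEYCLOAK_ADMIN … KC_METRICS_ENABLED entries …
```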
@@ -109,22 +124,28 @@ spec:
           containerPort: 8443
         readinessProbe:
           httpGet:
-            path: /auth/realms/master
-            port: 8080
+            scheme: HTTPS
+            path: /health/ready
+            port: 8443
         volumeMounts:
         - name: keycloak-certs
           mountPath: /etc/x509/https
+          readOnly: true
+        - name: authz-js-policies
+          mountPath: /opt/jboss/keycloak/standalone/deployments/authz-js-policies.jar
       volumes:
       - name: keycloak-certs
+        secret:
+          secretName: cm-keycloak-server-certs
+      - name: authz-js-policies
         hostPath:
-           path: /var/keycloak/certs
-           type: Directory
+           path: /var/keycloak/deployments/authz-js-policies.jar
+           type: File
 ---
 apiVersion: networking.istio.io/v1alpha3
 kind: Gateway
 metadata:
   name: kcgateway
-  namespace: default
 spec:
   selector:
     istio: ingressgateway # use istio default ingress gateway
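Review bot: The `authz-js-policies` volumeMount is mounted read-write from a `hostPath` while the certs mount in the same hunk just gained `readOnly: true`; a provider jar that the Keycloak process can overwrite is an easy integrity foothold, so add the same `readOnly: true` line under `mountPath: /opt/jboss/keycloak/standalone/deployments/authz-js-policies.jar`. That mount path is the legacy WildFly deployments directory, but the container now runs the Quarkus `start` command (previous hunk), which as far as I know only loads providers from `/opt/keycloak/providers` — unless something else consumes `MY_PROVIDER_JAR_URL`, the jar is probably never loaded; confirm against the Keycloak version you pin. `hostPath` with `type: File` also ties the pod to a node that has the jar pre-staged at `/var/keycloak/deployments/`, which is worth a comment on the volume, e.g. `# requires authz-js-policies.jar to be staged on the node at this path`, or replacing with a provider baked into the image or copied by an init container.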
@@ -136,7 +157,7 @@ spec:
     tls:
       mode: PASSTHROUGH
     hosts:
-    - keycloak.oran.org
+    - keycloak.est.tech
   - port:
       number: 80
       name: http
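Review bot: The Gateway now serves `keycloak.est.tech` (and the VirtualServices in the following hunks), but the Deployment in the earlier hunk sets `KC_HOSTNAME` to `keycloak`; in Keycloak's production `start` mode the issuer and redirect URLs are, as far as I understand it, derived from `KC_HOSTNAME`, so tokens would carry an issuer of `https://keycloak/...` while clients reach the server as `keycloak.est.tech` — worth verifying, since an issuer mismatch fails token validation on strict clients. If the hostnames are meant to differ, a comment on `KC_HOSTNAME` explaining why would save the next reader the check. The Gateway definition begins before this hunk.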
@@ -148,17 +169,16 @@ apiVersion: networking.istio.io/v1alpha3
 kind: VirtualService
 metadata:
   name: keycloak-tls-vs
-  namespace: default
 spec:
   hosts:
-  - keycloak.oran.org
+  - keycloak.est.tech
   gateways:
   - kcgateway
   tls:
   - match:
     - port: 443
       sniHosts:
-      - keycloak.oran.org
+      - keycloak.est.tech
     route:
     - destination:
         host: keycloak.default.svc.cluster.local
@@ -169,7 +189,6 @@ apiVersion: networking.istio.io/v1beta1
 kind: VirtualService
 metadata:
   name: keycloak-vs
-  namespace: default
 spec:
   hosts:
   - "*"
@@ -179,7 +198,7 @@ spec:
   - name: "keycloak-routes"
     match:
     - uri:
-        prefix: "/auth"
+        prefix: "/realms"
     route:
     - destination:
         port:
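Review bot: The plain-HTTP route now matches only `prefix: "/realms"`; on Keycloak-Quarkus the login pages also pull static assets from `/resources` and the admin console lives under `/admin`, as far as I recall, so whether this route intentionally exposes just the realm endpoints (a sensible least-exposure choice that keeps the admin console off the plain-HTTP path) should be recorded rather than left implicit. A comment above `- name: "keycloak-routes"` such as `# Keycloak-Quarkus dropped the /auth prefix; only realm endpoints are routed over plain HTTP by design` would capture both the path change behind the failing test and the intent. The VirtualService definition begins before this hunk.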