#
# ============LICENSE_START=======================================================
#  Copyright (C) 2022-23 Nordix Foundation.
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#      http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# SPDX-License-Identifier: Apache-2.0
# ============LICENSE_END=========================================================
#
apiVersion: v1
kind: ServiceAccount
metadata:
  name: keycloak
  namespace: default
---
apiVersion: v1
kind: Service
metadata:
  name: keycloak
  labels:
    app: keycloak
    app.kubernetes.io/instance: keycloak
    app.kubernetes.io/name: keycloak
spec:
  type: ExternalName
  externalName: keycloak.local
  ports:
  - name: http
    port: 8080
    targetPort: 8080
    nodePort: 31560
  - name: https
    port: 8443
    targetPort: 8443
    nodePort: 31561
  selector:
    app: keycloak
  type: LoadBalancer
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: keycloak
  namespace: default
  labels:
    app: keycloak
    app.kubernetes.io/instance: keycloak
    app.kubernetes.io/name: keycloak
spec:
  replicas: 1
  selector:
    matchLabels:
      app: keycloak
  template:
    metadata:
      labels:
        app: keycloak
        app.kubernetes.io/instance: keycloak
        app.kubernetes.io/name: keycloak
    spec:
      initContainers:
      - name: init-postgres
        image: busybox
        imagePullPolicy: IfNotPresent
        command: ['sh', '-c', 'until nc -vz postgres 5432; do echo waiting for postgres db; sleep 2; done;']
      serviceAccountName: keycloak
      containers:
      - name: keycloak
        image: quay.io/keycloak/keycloak:latest
        imagePullPolicy: IfNotPresent
        args: [
                'start',
                '--https-key-store-file=/etc/x509/https/keystore.jks',
                '--https-key-store-password=$(KC_KEYSTORE_PASSWORD)',
                '--https-key-store-type=JKS',
                '--https-trust-store-file=/etc/x509/https/truststore.jks',
                '--https-trust-store-password=$(KC_KEYSTORE_PASSWORD)',
                '--https-trust-store-type=JKS',
                '--https-client-auth=request',
                '--http-enabled=true'
              ]
        env:
        - name : KEYCLOAK_ADMIN
          value: admin
        - name : KEYCLOAK_ADMIN_PASSWORD
          value: admin
        - name : KC_DB
          value: postgres
        - name : KC_DB_URL
          value: "jdbc:postgresql://postgres:5432/keycloak"
        - name : KC_DB_USERNAME
          value: keycloak
        - name : KC_DB_PASSWORD
          value: keycloak
        - name : KC_HOSTNAME
          value: keycloak
        - name:  KC_DB_URL_DATABASE
          value: keycloak
        - name : MY_PROVIDER_JAR_URL
          value: /opt/jboss/keycloak/standalone/deployments/authz-js-policies.jar
        - name: KC_HEALTH_ENABLED
          value: "true"
        - name: KC_METRICS_ENABLED
          value: "true"
        - name: KC_KEYSTORE_PASSWORD
          valueFrom:
            secretKeyRef:
              name: cm-keycloak-jwk-pw
              key: password
        ports:
        - name: http
          containerPort: 8080
        - name: https
          containerPort: 8443
        readinessProbe:
          httpGet:
            scheme: HTTPS
            path: /health/ready
            port: 8443
        volumeMounts:
        - name: keycloak-certs
          mountPath: /etc/x509/https
          readOnly: true
        - name: authz-js-policies
          mountPath: /opt/jboss/keycloak/standalone/deployments/authz-js-policies.jar
      volumes:
      - name: keycloak-certs
        secret:
          secretName: cm-keycloak-server-certs
      - name: authz-js-policies
        hostPath:
           path: /var/keycloak/deployments/authz-js-policies.jar
           type: File
---
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: kcgateway
spec:
  selector:
    istio: ingressgateway # use istio default ingress gateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: PASSTHROUGH
    hosts:
    - keycloak.est.tech
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "*"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: keycloak-tls-vs
spec:
  hosts:
  - keycloak.est.tech
  gateways:
  - kcgateway
  tls:
  - match:
    - port: 443
      sniHosts:
      - keycloak.est.tech
    route:
    - destination:
        host: keycloak.default.svc.cluster.local
        port:
          number: 8443
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: keycloak-vs
spec:
  hosts:
  - "*"
  gateways:
  - kcgateway
  http:
  - name: "keycloak-routes"
    match:
    - uri:
        prefix: "/realms"
    route:
    - destination:
        port:
          number: 8080
        host: keycloak.default.svc.cluster.local
---