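---
# Keycloak 26 behind a TLS-terminating edge proxy, backed by a CloudNativePG
# Postgres service in the same namespace. Two init containers prepare the
# `providers` and `data/import` volumes before Keycloak starts:
#   1. init-auth-extensions packs the script-provider ConfigMap into a JAR
#      (requires the `scripts` feature enabled on the command line below).
#   2. init-realm-scripts renders realm JSON templates, substituting client
#      secrets from Kubernetes Secrets, for `--import-realm`.
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: keycloak
  name: keycloak
  namespace: keycloak
spec:
  replicas: 1
  selector:
    matchLabels:
      app: keycloak
  template:
    metadata:
      labels:
        app: keycloak
    spec:
      # Keycloak does not talk to the Kubernetes API with the default (udp)
      # Infinispan stack; re-enable if a kubernetes/dns-based cache stack is
      # ever configured.
      automountServiceAccountToken: false
      securityContext:
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: keycloak
          # NOTE(review): tag-only pins are mutable; consider pinning by digest
          # (image@sha256:...) so the running image matches what was reviewed.
          image: quay.io/keycloak/keycloak:26.0.0
          args:
            - start
            - --cache=ispn
            # `scripts` allows JavaScript authenticators/mappers deployed from
            # the providers JAR; `admin-fine-grained-authz` and `token-exchange`
            # are preview features - review their status before upgrading.
            - --features=scripts,admin-fine-grained-authz,token-exchange
            # Imports every realm file found under /opt/keycloak/data/import
            # on startup (existing realms are not overwritten).
            - --import-realm
          env:
            - name: KC_HOSTNAME
              value: https://kc.aiplatform.combient.com
            - name: KC_DB
              value: postgres
            - name: KC_DB_URL_HOST
              value: keycloak-cnpg-rw.keycloak.svc.cluster.local
            - name: KC_DB_URL_PORT
              value: "5432"
            - name: KC_DB_URL_DATABASE
              value: keycloak
            - name: KC_DB_SCHEMA
              value: public
            - name: KC_DB_USERNAME
              valueFrom:
                secretKeyRef:
                  name: keycloak-cnpg-user
                  key: username
            - name: KC_DB_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: keycloak-cnpg-user
                  key: password
            # The bootstrap admin is a temporary account: create a permanent
            # admin user after first start and remove this one.
            - name: KC_BOOTSTRAP_ADMIN_USERNAME
              value: silogen-admin
            - name: KC_BOOTSTRAP_ADMIN_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: keycloak-credentials
                  key: KEYCLOAK_INITIAL_ADMIN_PASSWORD
            # KC_PROXY is deprecated (since Keycloak 24) in favour of
            # KC_PROXY_HEADERS, which is also set below; confirm the 26.0.0
            # image still honours it, otherwise drop it.
            - name: KC_PROXY
              value: edge
            # With KC_HOSTNAME fixed above this flag is likely redundant; it
            # should be "true" in production unless the proxy is trusted to
            # set X-Forwarded-* correctly for every request.
            - name: KC_HOSTNAME_STRICT
              value: "false"
            # Keycloak will trust X-Forwarded-* from ANY client that reaches
            # port 8080 directly - restrict pod ingress to the edge proxy
            # (e.g. NetworkPolicy) so headers cannot be spoofed.
            - name: KC_PROXY_HEADERS
              value: xforwarded
          ports:
            - containerPort: 8080
              name: http
            # No certificate is configured, so 8443 is declared but unused
            # (TLS terminates at the edge proxy).
            - containerPort: 8443
              name: https
          # Keycloak 26 also offers /health/ready on the management port (9000)
          # when KC_HEALTH_ENABLED=true; this probe hits the master realm on
          # the application port instead. No livenessProbe is defined.
          readinessProbe:
            httpGet:
              path: /realms/master
              port: 8080
          resources:
            limits:
              cpu: 500m
              memory: 1Gi
            requests:
              cpu: 250m
              memory: 512Mi
          # The upstream image runs as uid 1000. readOnlyRootFilesystem is
          # not set because `start` augments the Quarkus build under
          # /opt/keycloak/lib at boot.
          securityContext:
            runAsNonRoot: true
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
          volumeMounts:
            - mountPath: /opt/keycloak/providers
              name: keycloak-package-volume
            - mountPath: /opt/keycloak/data/import
              name: keycloak-realm-volume
      initContainers:
        # Packs the script-provider ConfigMap (META-INF/keycloak-scripts.json
        # plus the JS files) into a JAR Keycloak loads from `providers`.
        - name: init-auth-extensions
          image: ghcr.io/silogen/keycloak-init:0.1
          command:
            - /bin/sh
            - -c
            - |
              set -eu
              cd /opt/scripts
              zip -r /opt/keycloak/providers/SilogenExtensionPackage.jar .
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
          volumeMounts:
            - mountPath: /opt/keycloak/providers
              name: keycloak-package-volume
            - mountPath: /opt/scripts
              name: keycloak-script-volume
        # Renders the realm templates into the import volume, substituting
        # client secrets. Secrets are escaped before being handed to sed so
        # values containing `/`, `&` or `\` are inserted literally, and the
        # container fails (instead of importing a broken realm) when a value is
        # empty or a placeholder survives substitution.
        - name: init-realm-scripts
          image: ghcr.io/silogen/keycloak-init:0.1
          command:
            - /bin/sh
            - -c
            - |
              set -eu

              # esc VALUE - escape sed replacement metacharacters.
              esc() { printf '%s' "$1" | sed -e 's/[\/&\\]/\\&/g'; }

              # subst FILE PLACEHOLDER VALUE - replace PLACEHOLDER in FILE
              # with VALUE; refuses an empty value (it would silently strip
              # the placeholder and import a blank client secret).
              subst() {
                if [ -z "$3" ]; then
                  echo "ERROR: empty value for $2" >&2
                  exit 1
                fi
                sed -i -e "s/$2/$(esc "$3")/g" "$1"
                if grep -q -- "$2" "$1"; then
                  echo "ERROR: $2 still present in $1 after substitution" >&2
                  exit 1
                fi
              }

              if [ -f "/opt/realm_templates/k8s/k8s-realm.json" ]; then
                cp /opt/realm_templates/k8s/k8s-realm.json /opt/realms/k8s-realm.json
                f=/opt/realms/k8s-realm.json
                subst "$f" __K8S_GITEA_CLIENT_SECRET__ "$K8S_GITEA_CLIENT_SECRET"
              else
                echo "Warning: /opt/realm_templates/k8s/k8s-realm.json not found, skipping k8s realm setup"
              fi

              if [ -f "/opt/realm_templates/airm/airm-realm.json" ]; then
                cp /opt/realm_templates/airm/airm-realm.json /opt/realms/airm-realm.json
                f=/opt/realms/airm-realm.json
                subst "$f" __MINIO_KEYCLOAK_CLIENT_SECRET__ "$MINIO_KEYCLOAK_CLIENT_SECRET"
                subst "$f" __AIRM_FRONTEND_CLIENT_SECRET__ "$AIRM_FRONTEND_CLIENT_SECRET"
                subst "$f" __AIRM_ADMIN_CLIENT_ID__ "$AIRM_ADMIN_CLIENT_ID"
                subst "$f" __AIRM_ADMIN_CLIENT_SECRET__ "$AIRM_ADMIN_CLIENT_SECRET"
                subst "$f" __AIRM_CI_CLIENT_SECRET__ "$AIRM_CI_CLIENT_SECRET"
                subst "$f" __K8S_CLIENT_SECRET__ "$K8S_CLIENT_SECRET"
              else
                echo "Warning: /opt/realm_templates/airm/airm-realm.json not found, skipping airm realm setup"
              fi
          env:
            - name: MINIO_KEYCLOAK_CLIENT_SECRET
              valueFrom:
                secretKeyRef:
                  name: minio-keycloak-client-secret
                  key: MINIO_KEYCLOAK_CLIENT_SECRET
            - name: K8S_GITEA_CLIENT_SECRET
              valueFrom:
                secretKeyRef:
                  name: k8s-realm-credentials
                  key: GITEA_CLIENT_SECRET
            - name: AIRM_FRONTEND_CLIENT_SECRET
              valueFrom:
                secretKeyRef:
                  name: airm-realm-credentials
                  key: FRONTEND_CLIENT_SECRET
            - name: AIRM_ADMIN_CLIENT_ID
              valueFrom:
                secretKeyRef:
                  name: airm-realm-credentials
                  key: ADMIN_CLIENT_ID
            - name: AIRM_ADMIN_CLIENT_SECRET
              valueFrom:
                secretKeyRef:
                  name: airm-realm-credentials
                  key: ADMIN_CLIENT_SECRET
            - name: AIRM_CI_CLIENT_SECRET
              valueFrom:
                secretKeyRef:
                  name: airm-realm-credentials
                  key: CI_CLIENT_SECRET
            - name: K8S_CLIENT_SECRET
              valueFrom:
                secretKeyRef:
                  name: airm-realm-credentials
                  key: K8S_CLIENT_SECRET
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
          volumeMounts:
            - mountPath: /opt/realm_templates/airm
              name: keycloak-airm-realm-template-volume
            - mountPath: /opt/realm_templates/k8s
              name: keycloak-k8s-realm-template-volume
            # Rendered realm files (with secrets) live only in this emptyDir.
            - mountPath: /opt/realms
              name: keycloak-realm-volume
      restartPolicy: Always
      volumes:
        - name: keycloak-script-volume
          configMap:
            name: keycloak-scripts-5h96f8448g
            items:
              - key: keycloak-scripts.json
                path: META-INF/keycloak-scripts.json
              - key: domain-group-authenticator.js
                path: domain-group-authenticator.js
        - name: keycloak-package-volume
          emptyDir: {}
        - name: keycloak-airm-realm-template-volume
          configMap:
            name: keycloak-realm-templates-7kgh2hc6b2
        - name: keycloak-realm-volume
          emptyDir: {}
        - name: keycloak-k8s-realm-template-volume
          configMap:
            name: keycloak-realm-templates-k8s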