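---
# Keycloak Deployment (single replica) backed by a CloudNativePG Postgres
# service. Two init containers populate emptyDir volumes before Keycloak
# starts: init-auth-extensions packages script providers into a JAR, and
# init-realm-scripts renders realm JSON templates with client secrets taken
# from Kubernetes Secrets so that --import-realm can load them.
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: keycloak
  name: keycloak
  namespace: keycloak
spec:
  replicas: 1
  selector:
    matchLabels:
      app: keycloak
  template:
    metadata:
      labels:
        app: keycloak
    spec:
      containers:
        - args:
            - start
            - --cache=ispn
            # "scripts" lets JavaScript providers (the JAR built by
            # init-auth-extensions) run inside Keycloak, so the script
            # ConfigMap must be reviewed like privileged code.
            # token-exchange and admin-fine-grained-authz widen what clients
            # and admins may do; keep them only while realm config needs them.
            - --features=scripts,admin-fine-grained-authz,token-exchange
            # Loads realm JSON from /opt/keycloak/data/import at startup.
            # NOTE(review): Keycloak skips realms that already exist in the
            # database rather than updating them — confirm for 26.0 before
            # relying on re-import to roll out template changes.
            - --import-realm
          env:
            - name: KC_HOSTNAME
              value: https://kc.not-a-domain
            - name: KC_DB
              value: postgres
            - name: KC_DB_URL_HOST
              value: keycloak-cnpg-rw.keycloak.svc.cluster.local
            - name: KC_DB_URL_PORT
              value: "5432"
            - name: KC_DB_URL_DATABASE
              value: keycloak
            - name: KC_DB_SCHEMA
              value: public
            - name: KC_DB_USERNAME
              valueFrom:
                secretKeyRef:
                  key: username
                  name: keycloak-cnpg-user
            - name: KC_DB_PASSWORD
              valueFrom:
                secretKeyRef:
                  key: password
                  name: keycloak-cnpg-user
            # Bootstrap admin credentials: the username is not sensitive, the
            # password is read from a Secret and never written in the manifest.
            - name: KC_BOOTSTRAP_ADMIN_USERNAME
              value: silogen-admin
            - name: KC_BOOTSTRAP_ADMIN_PASSWORD
              valueFrom:
                secretKeyRef:
                  key: KEYCLOAK_INITIAL_ADMIN_PASSWORD
                  name: keycloak-credentials
            # TLS is terminated in front of the pod; Keycloak serves plain
            # HTTP on 8080 and trusts X-Forwarded-* headers. KC_PROXY is the
            # legacy option superseded by KC_PROXY_HEADERS below — confirm
            # against the 26.0 upgrade notes whether it is still honored.
            - name: KC_PROXY
              value: edge
            # Hostname strictness is off, so Keycloak accepts whichever Host
            # the proxy forwards. Acceptable only while the ingress restricts
            # the hostnames it routes here; otherwise set this to "true".
            - name: KC_HOSTNAME_STRICT
              value: "false"
            - name: KC_PROXY_HEADERS
              value: xforwarded
          # Tag-pinned; pin by digest if the supply-chain policy requires it.
          image: quay.io/keycloak/keycloak:26.0.0
          name: keycloak
          ports:
            - containerPort: 8080
              name: http
            # No KC_HTTPS_* settings are configured here, so this listener is
            # presumably inactive — verify, or drop the port.
            - containerPort: 8443
              name: https
          # Readiness only: there is no livenessProbe, so a hung JVM is never
          # restarted by the kubelet.
          readinessProbe:
            httpGet:
              path: /realms/master
              port: 8080
          resources:
            limits:
              cpu: 500m
              memory: 1Gi
            requests:
              cpu: 250m
              memory: 512Mi
          # No securityContext (runAsNonRoot, dropped capabilities,
          # readOnlyRootFilesystem) is set on this pod or its containers.
          volumeMounts:
            - mountPath: /opt/keycloak/providers
              name: keycloak-package-volume
            - mountPath: /opt/keycloak/data/import
              name: keycloak-realm-volume
      initContainers:
        # Packages the script provider files from the ConfigMap into a JAR on
        # the providers emptyDir that the keycloak container also mounts.
        # set -e stops the script if cd fails, so zip cannot run from the
        # wrong directory and the container reports the failure.
        - command:
            - /bin/sh
            - -c
            - |
              set -e
              cd /opt/scripts
              zip -r /opt/keycloak/providers/SilogenExtensionPackage.jar .
          image: ghcr.io/silogen/keycloak-init:0.1
          name: init-auth-extensions
          volumeMounts:
            - mountPath: /opt/keycloak/providers
              name: keycloak-package-volume
            - mountPath: /opt/scripts
              name: keycloak-script-volume
        # Renders realm templates into /opt/realms, replacing __PLACEHOLDER__
        # tokens with client secrets from the environment. The rendered files
        # hold plaintext secrets; the target is an emptyDir (see volumes).
        # set -eu makes a failed cp/sed or a missing variable fail the init
        # container instead of silently starting Keycloak without the realm.
        - command:
            - /bin/sh
            - -c
            - |
              set -eu
              # sed treats "/", "&" and "\" specially in the replacement, so a
              # secret containing one of them would break the expression or
              # corrupt the rendered JSON. esc escapes those three characters.
              # No JSON escaping is done: secrets must not contain '"' or
              # newlines.
              esc() { printf '%s' "$1" | sed -e 's|[/&\\]|\\&|g'; }
              if [ -f "/opt/realm_templates/k8s/k8s-realm.json" ]; then
                cp /opt/realm_templates/k8s/k8s-realm.json /opt/realms/k8s-realm.json
                sed -i -e "s/__K8S_GITEA_CLIENT_SECRET__/$(esc "$K8S_GITEA_CLIENT_SECRET")/g" /opt/realms/k8s-realm.json
              else
                echo "Warning: /opt/realm_templates/k8s/k8s-realm.json not found, skipping k8s realm setup"
              fi

              if [ -f "/opt/realm_templates/airm/airm-realm.json" ]; then
                cp /opt/realm_templates/airm/airm-realm.json /opt/realms/airm-realm.json
                sed -i -e "s/__MINIO_KEYCLOAK_CLIENT_SECRET__/$(esc "$MINIO_KEYCLOAK_CLIENT_SECRET")/g" /opt/realms/airm-realm.json
                sed -i -e "s/__AIRM_FRONTEND_CLIENT_SECRET__/$(esc "$AIRM_FRONTEND_CLIENT_SECRET")/g" /opt/realms/airm-realm.json
                sed -i -e "s/__AIRM_ADMIN_CLIENT_ID__/$(esc "$AIRM_ADMIN_CLIENT_ID")/g" /opt/realms/airm-realm.json
                sed -i -e "s/__AIRM_ADMIN_CLIENT_SECRET__/$(esc "$AIRM_ADMIN_CLIENT_SECRET")/g" /opt/realms/airm-realm.json
                sed -i -e "s/__AIRM_CI_CLIENT_SECRET__/$(esc "$AIRM_CI_CLIENT_SECRET")/g" /opt/realms/airm-realm.json
                sed -i -e "s/__K8S_CLIENT_SECRET__/$(esc "$K8S_CLIENT_SECRET")/g" /opt/realms/airm-realm.json
              else
                echo "Warning: /opt/realm_templates/airm/airm-realm.json not found, skipping airm realm setup"
              fi
          env:
            - name: MINIO_KEYCLOAK_CLIENT_SECRET
              valueFrom:
                secretKeyRef:
                  key: MINIO_KEYCLOAK_CLIENT_SECRET
                  name: minio-keycloak-client-secret
            - name: K8S_GITEA_CLIENT_SECRET
              valueFrom:
                secretKeyRef:
                  key: GITEA_CLIENT_SECRET
                  name: k8s-realm-credentials
            - name: AIRM_FRONTEND_CLIENT_SECRET
              valueFrom:
                secretKeyRef:
                  key: FRONTEND_CLIENT_SECRET
                  name: airm-realm-credentials
            - name: AIRM_ADMIN_CLIENT_ID
              valueFrom:
                secretKeyRef:
                  key: ADMIN_CLIENT_ID
                  name: airm-realm-credentials
            - name: AIRM_ADMIN_CLIENT_SECRET
              valueFrom:
                secretKeyRef:
                  key: ADMIN_CLIENT_SECRET
                  name: airm-realm-credentials
            - name: AIRM_CI_CLIENT_SECRET
              valueFrom:
                secretKeyRef:
                  key: CI_CLIENT_SECRET
                  name: airm-realm-credentials
            - name: K8S_CLIENT_SECRET
              valueFrom:
                secretKeyRef:
                  key: K8S_CLIENT_SECRET
                  name: airm-realm-credentials
          image: ghcr.io/silogen/keycloak-init:0.1
          name: init-realm-scripts
          volumeMounts:
            - mountPath: /opt/realm_templates/airm
              name: keycloak-airm-realm-template-volume
            - mountPath: /opt/realm_templates/k8s
              name: keycloak-k8s-realm-template-volume
            - mountPath: /opt/realms
              name: keycloak-realm-volume
      restartPolicy: Always
      volumes:
        # Script provider sources. The META-INF path is the descriptor
        # Keycloak reads to discover the scripts inside the JAR. The hashed
        # ConfigMap names look like kustomize generator output — presumably
        # regenerated on each build; verify before editing by hand.
        - configMap:
            items:
              - key: keycloak-scripts.json
                path: META-INF/keycloak-scripts.json
              - key: domain-group-authenticator.js
                path: domain-group-authenticator.js
            name: keycloak-scripts-5h96f8448g
          name: keycloak-script-volume
        - emptyDir: {}
          name: keycloak-package-volume
        - configMap:
            name: keycloak-realm-templates-7kgh2hc6b2
          name: keycloak-airm-realm-template-volume
        # Receives the rendered realm JSON, which contains client secrets in
        # plaintext; a memory-backed emptyDir (medium: Memory) would keep it
        # off node disk.
        - emptyDir: {}
          name: keycloak-realm-volume
        - configMap:
            name: keycloak-realm-templates-k8s
          name: keycloak-k8s-realm-template-volume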