service-exposure/keycloak.yaml - oransc/nonrtric - Gitiles

 #
 # ============LICENSE_START=======================================================
 #  Copyright (C) 2022-23 Nordix Foundation.
 # ================================================================================
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
 #      http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #
 # SPDX-License-Identifier: Apache-2.0
 # ============LICENSE_END=========================================================
 #
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: keycloak
   namespace: default
 ---
 apiVersion: v1
 kind: Service
 metadata:
   name: keycloak
   labels:
     app: keycloak
     app.kubernetes.io/instance: keycloak
     app.kubernetes.io/name: keycloak
 spec:
   type: ExternalName
   externalName: keycloak.local
   ports:
   - name: http
     port: 8080
     targetPort: 8080
     nodePort: 31560
   - name: https
     port: 8443
     targetPort: 8443
     nodePort: 31561
   selector:
     app: keycloak
   type: LoadBalancer
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: keycloak
   namespace: default
   labels:
     app: keycloak
     app.kubernetes.io/instance: keycloak
     app.kubernetes.io/name: keycloak
 spec:
   replicas: 1
   selector:
     matchLabels:
       app: keycloak
   template:
     metadata:
       labels:
         app: keycloak
         app.kubernetes.io/instance: keycloak
         app.kubernetes.io/name: keycloak
     spec:
       initContainers:
       - name: init-postgres
         image: busybox
         imagePullPolicy: IfNotPresent
         command: ['sh', '-c', 'until nc -vz postgres 5432; do echo waiting for postgres db; sleep 2; done;']
       serviceAccountName: keycloak
       containers:
       - name: keycloak
         image: quay.io/keycloak/keycloak:latest
         imagePullPolicy: IfNotPresent
         args: [
                 'start',
                 '--https-key-store-file=/etc/x509/https/keystore.jks',
                 '--https-key-store-password=$(KC_KEYSTORE_PASSWORD)',
                 '--https-key-store-type=JKS',
                 '--https-trust-store-file=/etc/x509/https/truststore.jks',
                 '--https-trust-store-password=$(KC_KEYSTORE_PASSWORD)',
                 '--https-trust-store-type=JKS',
                 '--https-client-auth=request',
                 '--http-enabled=true'
               ]
         env:
         - name : KEYCLOAK_ADMIN
           value: admin
         - name : KEYCLOAK_ADMIN_PASSWORD
           value: admin
         - name : KC_DB
           value: postgres
         - name : KC_DB_URL
           value: "jdbc:postgresql://postgres:5432/keycloak"
         - name : KC_DB_USERNAME
           value: keycloak
         - name : KC_DB_PASSWORD
           value: keycloak
         - name : KC_HOSTNAME
           value: keycloak
         - name:  KC_DB_URL_DATABASE
           value: keycloak
         - name : MY_PROVIDER_JAR_URL
           value: /opt/jboss/keycloak/standalone/deployments/authz-js-policies.jar
         - name: KC_HEALTH_ENABLED
           value: "true"
         - name: KC_METRICS_ENABLED
           value: "true"
         - name: KC_KEYSTORE_PASSWORD
           valueFrom:
             secretKeyRef:
               name: cm-keycloak-jwk-pw
               key: password
         ports:
         - name: http
           containerPort: 8080
         - name: https
           containerPort: 8443
         readinessProbe:
           httpGet:
             scheme: HTTPS
             path: /health/ready
             port: 8443
         volumeMounts:
         - name: keycloak-certs
           mountPath: /etc/x509/https
           readOnly: true
         - name: authz-js-policies
           mountPath: /opt/jboss/keycloak/standalone/deployments/authz-js-policies.jar
       volumes:
       - name: keycloak-certs
         secret:
           secretName: cm-keycloak-server-certs
       - name: authz-js-policies
         hostPath:
            path: /var/keycloak/deployments/authz-js-policies.jar
            type: File
 ---
 apiVersion: networking.istio.io/v1alpha3
 kind: Gateway
 metadata:
   name: kcgateway
 spec:
   selector:
     istio: ingressgateway # use istio default ingress gateway
   servers:
   - port:
       number: 443
       name: https
       protocol: HTTPS
     tls:
       mode: PASSTHROUGH
     hosts:
     - keycloak.est.tech
   - port:
       number: 80
       name: http
       protocol: HTTP
     hosts:
     - "*"
 ---
 apiVersion: networking.istio.io/v1alpha3
 kind: VirtualService
 metadata:
   name: keycloak-tls-vs
 spec:
   hosts:
   - keycloak.est.tech
   gateways:
   - kcgateway
   tls:
   - match:
     - port: 443
       sniHosts:
       - keycloak.est.tech
     route:
     - destination:
         host: keycloak.default.svc.cluster.local
         port:
           number: 8443
 ---
 apiVersion: networking.istio.io/v1beta1
 kind: VirtualService
 metadata:
   name: keycloak-vs
 spec:
   hosts:
   - "*"
   gateways:
   - kcgateway
   http:
   - name: "keycloak-routes"
     match:
     - uri:
         prefix: "/realms"
     route:
     - destination:
         port:
           number: 8080
         host: keycloak.default.svc.cluster.local
 ---
	#
	# ============LICENSE_START=======================================================
	# Copyright (C) 2022-23 Nordix Foundation.
	# ================================================================================
	# Licensed under the Apache License, Version 2.0 (the "License");
	# you may not use this file except in compliance with the License.
	# You may obtain a copy of the License at
	#
	# http://www.apache.org/licenses/LICENSE-2.0
	#
	# Unless required by applicable law or agreed to in writing, software
	# distributed under the License is distributed on an "AS IS" BASIS,
	# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	# See the License for the specific language governing permissions and
	# limitations under the License.
	#
	# SPDX-License-Identifier: Apache-2.0
	# ============LICENSE_END=========================================================
	#
	apiVersion: v1
	kind: ServiceAccount
	metadata:
	name: keycloak
	namespace: default
	---
	apiVersion: v1
	kind: Service
	metadata:
	name: keycloak
	labels:
	app: keycloak
	app.kubernetes.io/instance: keycloak
	app.kubernetes.io/name: keycloak
	spec:
	type: ExternalName
	externalName: keycloak.local
	ports:
	- name: http
	port: 8080
	targetPort: 8080
	nodePort: 31560
	- name: https
	port: 8443
	targetPort: 8443
	nodePort: 31561
	selector:
	app: keycloak
	type: LoadBalancer
	---
	apiVersion: apps/v1
	kind: Deployment
	metadata:
	name: keycloak
	namespace: default
	labels:
	app: keycloak
	app.kubernetes.io/instance: keycloak
	app.kubernetes.io/name: keycloak
	spec:
	replicas: 1
	selector:
	matchLabels:
	app: keycloak
	template:
	metadata:
	labels:
	app: keycloak
	app.kubernetes.io/instance: keycloak
	app.kubernetes.io/name: keycloak
	spec:
	initContainers:
	- name: init-postgres
	image: busybox
	imagePullPolicy: IfNotPresent
	command: ['sh', '-c', 'until nc -vz postgres 5432; do echo waiting for postgres db; sleep 2; done;']
	serviceAccountName: keycloak
	containers:
	- name: keycloak
	image: quay.io/keycloak/keycloak:latest
	imagePullPolicy: IfNotPresent
	args: [
	'start',
	'--https-key-store-file=/etc/x509/https/keystore.jks',
	'--https-key-store-password=$(KC_KEYSTORE_PASSWORD)',
	'--https-key-store-type=JKS',
	'--https-trust-store-file=/etc/x509/https/truststore.jks',
	'--https-trust-store-password=$(KC_KEYSTORE_PASSWORD)',
	'--https-trust-store-type=JKS',
	'--https-client-auth=request',
	'--http-enabled=true'
	]
	env:
	- name : KEYCLOAK_ADMIN
	value: admin
	- name : KEYCLOAK_ADMIN_PASSWORD
	value: admin
	- name : KC_DB
	value: postgres
	- name : KC_DB_URL
	value: "jdbc:postgresql://postgres:5432/keycloak"
	- name : KC_DB_USERNAME
	value: keycloak
	- name : KC_DB_PASSWORD
	value: keycloak
	- name : KC_HOSTNAME
	value: keycloak
	- name: KC_DB_URL_DATABASE
	value: keycloak
	- name : MY_PROVIDER_JAR_URL
	value: /opt/jboss/keycloak/standalone/deployments/authz-js-policies.jar
	- name: KC_HEALTH_ENABLED
	value: "true"
	- name: KC_METRICS_ENABLED
	value: "true"
	- name: KC_KEYSTORE_PASSWORD
	valueFrom:
	secretKeyRef:
	name: cm-keycloak-jwk-pw
	key: password
	ports:
	- name: http
	containerPort: 8080
	- name: https
	containerPort: 8443
	readinessProbe:
	httpGet:
	scheme: HTTPS
	path: /health/ready
	port: 8443
	volumeMounts:
	- name: keycloak-certs
	mountPath: /etc/x509/https
	readOnly: true
	- name: authz-js-policies
	mountPath: /opt/jboss/keycloak/standalone/deployments/authz-js-policies.jar
	volumes:
	- name: keycloak-certs
	secret:
	secretName: cm-keycloak-server-certs
	- name: authz-js-policies
	hostPath:
	path: /var/keycloak/deployments/authz-js-policies.jar
	type: File
	---
	apiVersion: networking.istio.io/v1alpha3
	kind: Gateway
	metadata:
	name: kcgateway
	spec:
	selector:
	istio: ingressgateway # use istio default ingress gateway
	servers:
	- port:
	number: 443
	name: https
	protocol: HTTPS
	tls:
	mode: PASSTHROUGH
	hosts:
	- keycloak.est.tech
	- port:
	number: 80
	name: http
	protocol: HTTP
	hosts:
	- "*"
	---
	apiVersion: networking.istio.io/v1alpha3
	kind: VirtualService
	metadata:
	name: keycloak-tls-vs
	spec:
	hosts:
	- keycloak.est.tech
	gateways:
	- kcgateway
	tls:
	- match:
	- port: 443
	sniHosts:
	- keycloak.est.tech
	route:
	- destination:
	host: keycloak.default.svc.cluster.local
	port:
	number: 8443
	---
	apiVersion: networking.istio.io/v1beta1
	kind: VirtualService
	metadata:
	name: keycloak-vs
	spec:
	hosts:
	- "*"
	gateways:
	- kcgateway
	http:
	- name: "keycloak-routes"
	match:
	- uri:
	prefix: "/realms"
	route:
	- destination:
	port:
	number: 8080
	host: keycloak.default.svc.cluster.local
	---