2025-12-02 17:46:52 -03:00
|
|
|
# services/keycloak/deployment.yaml
|
|
|
|
|
apiVersion: apps/v1
|
|
|
|
|
kind: Deployment
|
|
|
|
|
metadata:
|
|
|
|
|
name: keycloak
|
|
|
|
|
namespace: sso
|
|
|
|
|
labels:
|
|
|
|
|
app: keycloak
|
|
|
|
|
spec:
|
|
|
|
|
replicas: 1
|
2026-01-02 17:02:59 -03:00
|
|
|
strategy:
|
2026-01-02 17:15:37 -03:00
|
|
|
type: RollingUpdate
|
|
|
|
|
rollingUpdate:
|
|
|
|
|
maxSurge: 0
|
|
|
|
|
maxUnavailable: 1
|
2025-12-02 17:46:52 -03:00
|
|
|
selector:
|
|
|
|
|
matchLabels:
|
|
|
|
|
app: keycloak
|
|
|
|
|
template:
|
|
|
|
|
metadata:
|
|
|
|
|
labels:
|
|
|
|
|
app: keycloak
|
2026-01-14 13:20:57 -03:00
|
|
|
annotations:
|
|
|
|
|
vault.hashicorp.com/agent-inject: "true"
|
|
|
|
|
vault.hashicorp.com/role: "sso"
|
|
|
|
|
vault.hashicorp.com/agent-inject-secret-keycloak-env.sh: "kv/data/atlas/shared/keycloak-admin"
|
|
|
|
|
vault.hashicorp.com/agent-inject-template-keycloak-env.sh: |
|
2026-01-14 13:40:29 -03:00
|
|
|
{{ with secret "kv/data/atlas/shared/keycloak-admin" }}
|
2026-01-14 13:20:57 -03:00
|
|
|
export KEYCLOAK_ADMIN="{{ .Data.data.username }}"
|
|
|
|
|
export KEYCLOAK_ADMIN_USER="{{ .Data.data.username }}"
|
|
|
|
|
export KEYCLOAK_ADMIN_PASSWORD="{{ .Data.data.password }}"
|
2026-01-14 13:40:29 -03:00
|
|
|
{{ end }}
|
|
|
|
|
{{ with secret "kv/data/atlas/sso/keycloak-db" }}
|
2026-01-14 13:20:57 -03:00
|
|
|
export KC_DB_URL_DATABASE="{{ .Data.data.POSTGRES_DATABASE }}"
|
|
|
|
|
export KC_DB_USERNAME="{{ .Data.data.POSTGRES_USER }}"
|
|
|
|
|
export KC_DB_PASSWORD="{{ .Data.data.POSTGRES_PASSWORD }}"
|
2026-01-14 13:40:29 -03:00
|
|
|
{{ end }}
|
|
|
|
|
{{ with secret "kv/data/atlas/shared/portal-e2e-client" }}
|
2026-01-14 13:20:57 -03:00
|
|
|
export PORTAL_E2E_CLIENT_ID="{{ .Data.data.client_id }}"
|
|
|
|
|
export PORTAL_E2E_CLIENT_SECRET="{{ .Data.data.client_secret }}"
|
2026-01-14 13:40:29 -03:00
|
|
|
{{ end }}
|
|
|
|
|
{{ with secret "kv/data/atlas/sso/openldap-admin" }}
|
2026-01-14 13:20:57 -03:00
|
|
|
export LDAP_ADMIN_PASSWORD="{{ .Data.data.LDAP_ADMIN_PASSWORD }}"
|
|
|
|
|
export LDAP_CONFIG_PASSWORD="{{ .Data.data.LDAP_CONFIG_PASSWORD }}"
|
|
|
|
|
export LDAP_BIND_PASSWORD="${LDAP_ADMIN_PASSWORD}"
|
2026-01-14 13:40:29 -03:00
|
|
|
{{ end }}
|
|
|
|
|
{{ with secret "kv/data/atlas/shared/postmark-relay" }}
|
2026-01-18 09:21:33 -03:00
|
|
|
export KEYCLOAK_SMTP_USER="{{ index .Data.data "apikey" }}"
|
|
|
|
|
export KEYCLOAK_SMTP_PASSWORD="{{ index .Data.data "apikey" }}"
|
2026-01-14 13:40:29 -03:00
|
|
|
{{ end }}
|
2025-12-02 17:46:52 -03:00
|
|
|
spec:
|
2026-01-14 02:54:59 -03:00
|
|
|
serviceAccountName: sso-vault
|
2026-01-14 13:40:29 -03:00
|
|
|
nodeSelector:
|
2026-01-14 13:49:37 -03:00
|
|
|
kubernetes.io/arch: arm64
|
|
|
|
|
node-role.kubernetes.io/worker: "true"
|
2025-12-06 01:36:33 -03:00
|
|
|
affinity:
|
|
|
|
|
nodeAffinity:
|
|
|
|
|
preferredDuringSchedulingIgnoredDuringExecution:
|
2026-01-14 13:40:29 -03:00
|
|
|
- weight: 100
|
2025-12-06 01:36:33 -03:00
|
|
|
preference:
|
|
|
|
|
matchExpressions:
|
2026-01-14 13:49:37 -03:00
|
|
|
- key: hardware
|
2025-12-06 01:36:33 -03:00
|
|
|
operator: In
|
2026-01-14 13:49:37 -03:00
|
|
|
values: ["rpi5"]
|
|
|
|
|
- weight: 70
|
|
|
|
|
preference:
|
|
|
|
|
matchExpressions:
|
|
|
|
|
- key: hardware
|
|
|
|
|
operator: In
|
|
|
|
|
values: ["rpi4"]
|
2025-12-06 00:49:17 -03:00
|
|
|
securityContext:
|
|
|
|
|
runAsUser: 1000
|
|
|
|
|
runAsGroup: 0
|
|
|
|
|
fsGroup: 1000
|
|
|
|
|
fsGroupChangePolicy: OnRootMismatch
|
2025-12-14 14:21:40 -03:00
|
|
|
initContainers:
|
|
|
|
|
- name: mailu-http-listener
|
2025-12-16 00:08:11 -03:00
|
|
|
image: registry.bstein.dev/sso/mailu-http-listener:0.1.0
|
2025-12-14 14:21:40 -03:00
|
|
|
imagePullPolicy: IfNotPresent
|
|
|
|
|
command: ["/bin/sh", "-c"]
|
|
|
|
|
args:
|
|
|
|
|
- |
|
|
|
|
|
cp /plugin/mailu-http-listener-0.1.0.jar /providers/
|
|
|
|
|
cp -r /plugin/src /providers/src
|
|
|
|
|
volumeMounts:
|
|
|
|
|
- name: providers
|
|
|
|
|
mountPath: /providers
|
2025-12-02 17:46:52 -03:00
|
|
|
containers:
|
|
|
|
|
- name: keycloak
|
|
|
|
|
image: quay.io/keycloak/keycloak:26.0.7
|
|
|
|
|
imagePullPolicy: IfNotPresent
|
2026-01-14 02:54:59 -03:00
|
|
|
command: ["/bin/sh", "-c"]
|
2025-12-02 17:46:52 -03:00
|
|
|
args:
|
2026-01-14 02:54:59 -03:00
|
|
|
- >-
|
2026-01-14 13:20:57 -03:00
|
|
|
. /vault/secrets/keycloak-env.sh
|
2026-01-14 02:54:59 -03:00
|
|
|
&& exec /opt/keycloak/bin/kc.sh start
|
2025-12-02 17:46:52 -03:00
|
|
|
env:
|
|
|
|
|
- name: KC_DB
|
|
|
|
|
value: postgres
|
|
|
|
|
- name: KC_DB_URL_HOST
|
|
|
|
|
value: postgres-service.postgres.svc.cluster.local
|
|
|
|
|
- name: KC_DB_SCHEMA
|
|
|
|
|
value: public
|
|
|
|
|
- name: KC_HOSTNAME
|
|
|
|
|
value: sso.bstein.dev
|
2025-12-06 01:23:07 -03:00
|
|
|
- name: KC_HOSTNAME_URL
|
|
|
|
|
value: https://sso.bstein.dev
|
2025-12-02 17:46:52 -03:00
|
|
|
- name: KC_PROXY
|
|
|
|
|
value: edge
|
2025-12-06 01:23:07 -03:00
|
|
|
- name: KC_PROXY_HEADERS
|
|
|
|
|
value: xforwarded
|
2025-12-02 17:46:52 -03:00
|
|
|
- name: KC_HTTP_ENABLED
|
|
|
|
|
value: "true"
|
2026-01-03 14:29:28 -03:00
|
|
|
- name: KC_FEATURES
|
2026-01-03 15:43:07 -03:00
|
|
|
value: token-exchange,admin-fine-grained-authz
|
2025-12-06 00:51:47 -03:00
|
|
|
- name: KC_HTTP_MANAGEMENT_PORT
|
|
|
|
|
value: "9000"
|
|
|
|
|
- name: KC_HTTP_MANAGEMENT_BIND_ADDRESS
|
|
|
|
|
value: 0.0.0.0
|
2026-01-02 16:57:42 -03:00
|
|
|
- name: KC_LOG_LEVEL
|
|
|
|
|
value: DEBUG
|
2025-12-06 00:51:47 -03:00
|
|
|
- name: KC_HEALTH_ENABLED
|
|
|
|
|
value: "true"
|
|
|
|
|
- name: KC_METRICS_ENABLED
|
|
|
|
|
value: "true"
|
2025-12-14 14:21:40 -03:00
|
|
|
- name: KC_EVENTS_LISTENERS
|
|
|
|
|
value: jboss-logging,mailu-http
|
|
|
|
|
- name: KC_SPI_EVENTS_LISTENER_MAILU-HTTP_ENDPOINT
|
|
|
|
|
value: http://mailu-sync-listener.mailu-mailserver.svc.cluster.local:8080/events
|
2025-12-02 17:46:52 -03:00
|
|
|
ports:
|
|
|
|
|
- containerPort: 8080
|
|
|
|
|
name: http
|
|
|
|
|
- containerPort: 9000
|
|
|
|
|
name: metrics
|
|
|
|
|
readinessProbe:
|
|
|
|
|
httpGet:
|
|
|
|
|
path: /health/ready
|
|
|
|
|
port: 9000
|
|
|
|
|
initialDelaySeconds: 15
|
|
|
|
|
periodSeconds: 10
|
|
|
|
|
failureThreshold: 6
|
|
|
|
|
livenessProbe:
|
|
|
|
|
httpGet:
|
|
|
|
|
path: /health/live
|
|
|
|
|
port: 9000
|
|
|
|
|
initialDelaySeconds: 60
|
|
|
|
|
periodSeconds: 15
|
|
|
|
|
failureThreshold: 6
|
|
|
|
|
volumeMounts:
|
|
|
|
|
- name: data
|
|
|
|
|
mountPath: /opt/keycloak/data
|
2025-12-14 14:21:40 -03:00
|
|
|
- name: providers
|
|
|
|
|
mountPath: /opt/keycloak/providers
|
2025-12-02 17:46:52 -03:00
|
|
|
volumes:
|
|
|
|
|
- name: data
|
|
|
|
|
persistentVolumeClaim:
|
|
|
|
|
claimName: keycloak-data
|
2025-12-14 14:21:40 -03:00
|
|
|
- name: providers
|
|
|
|
|
emptyDir: {}
|
