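# services/keycloak/deployment.yaml
#
# Keycloak (SSO) Deployment, single replica, backed by an external Postgres.
# An init container stages the mailu-http-listener provider jar into an
# emptyDir that Keycloak then mounts as /opt/keycloak/providers.
#
# Review notes:
#   * Pod/container securityContext now carries the Pod-Security "restricted"
#     hardening (runAsNonRoot, no privilege escalation, all capabilities
#     dropped, RuntimeDefault seccomp). runAsUser/runAsGroup/fsGroup are kept
#     exactly as before; runAsGroup 0 matches the upstream image's group-0
#     file ownership convention -- TODO confirm the init image also runs
#     cleanly as uid 1000 before rolling this out.
#   * The init script runs under `set -e` so a failed jar copy fails the
#     init container instead of being masked by the second cp succeeding;
#     otherwise Keycloak would start with `mailu-http` in KC_EVENTS_LISTENERS
#     but no provider on disk.
#   * No resources.requests/limits are declared -- values are not known from
#     this file; add them once measured.
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: keycloak
  namespace: sso
  labels:
    app: keycloak
spec:
  replicas: 1
  selector:
    matchLabels:
      app: keycloak
  template:
    metadata:
      labels:
        app: keycloak
    spec:
      affinity:
        nodeAffinity:
          # Hard requirement: either an rpi5/rpi4 worker node OR the host
          # titan-24 (the two nodeSelectorTerms are OR'ed).
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  - key: hardware
                    operator: In
                    values:
                      - rpi5
                      - rpi4
                  - key: node-role.kubernetes.io/worker
                    operator: Exists
              - matchExpressions:
                  - key: kubernetes.io/hostname
                    operator: In
                    values:
                      - titan-24
          # Soft preference: rpi5 over rpi4.
          preferredDuringSchedulingIgnoredDuringExecution:
            - weight: 90
              preference:
                matchExpressions:
                  - key: hardware
                    operator: In
                    values:
                      - rpi5
            - weight: 70
              preference:
                matchExpressions:
                  - key: hardware
                    operator: In
                    values:
                      - rpi4
      securityContext:
        runAsUser: 1000
        runAsGroup: 0
        # Rejects the pod if any container would resolve to uid 0; with
        # runAsUser pinned to 1000 this is a cheap guard rather than a change.
        runAsNonRoot: true
        fsGroup: 1000
        fsGroupChangePolicy: OnRootMismatch
        seccompProfile:
          type: RuntimeDefault
      imagePullSecrets:
        - name: zot-regcred
      initContainers:
        # Copies the event-listener provider jar (and its sources) from the
        # plugin image into the shared providers volume.
        - name: mailu-http-listener
          image: cli.registry.bstein.dev/sso/mailu-http-listener:0.1.0
          imagePullPolicy: IfNotPresent
          command: ["/bin/sh", "-c"]
          args:
            - |
              set -e
              cp /plugin/mailu-http-listener-0.1.0.jar /providers/
              cp -r /plugin/src /providers/src
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
          volumeMounts:
            - name: providers
              mountPath: /providers
      containers:
        - name: keycloak
          image: quay.io/keycloak/keycloak:26.0.7
          imagePullPolicy: IfNotPresent
          args:
            - start
          securityContext:
            # Keycloak listens on unprivileged ports (8080/9000) and needs no
            # Linux capabilities.
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
          env:
            # --- database ---
            - name: KC_DB
              value: postgres
            - name: KC_DB_URL_HOST
              value: postgres-service.postgres.svc.cluster.local
            - name: KC_DB_URL_DATABASE
              valueFrom:
                secretKeyRef:
                  name: keycloak-db
                  key: database
            - name: KC_DB_USERNAME
              valueFrom:
                secretKeyRef:
                  name: keycloak-db
                  key: username
            - name: KC_DB_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: keycloak-db
                  key: password
            - name: KC_DB_SCHEMA
              value: public
            # --- hostname / proxy ---
            - name: KC_HOSTNAME
              value: sso.bstein.dev
            # NOTE(review): KC_HOSTNAME_URL and KC_PROXY belong to the older
            # hostname/proxy option set; KC_HOSTNAME and KC_PROXY_HEADERS
            # (set here) are the current equivalents. Confirm the 26.x image
            # still honours -- or at least tolerates -- the old two before
            # removing them.
            - name: KC_HOSTNAME_URL
              value: https://sso.bstein.dev
            - name: KC_PROXY
              value: edge
            - name: KC_PROXY_HEADERS
              value: xforwarded
            # TLS terminates at the edge proxy; Keycloak serves plain HTTP
            # inside the cluster.
            - name: KC_HTTP_ENABLED
              value: "true"
            # --- management interface (health + metrics) ---
            - name: KC_HTTP_MANAGEMENT_PORT
              value: "9000"
            # Bound on all interfaces so kubelet probes can reach it; this also
            # exposes /health and /metrics to the pod network. Keep the
            # management port out of any Service and restrict it by
            # NetworkPolicy if one exists for this namespace.
            - name: KC_HTTP_MANAGEMENT_BIND_ADDRESS
              value: "0.0.0.0"
            - name: KC_HEALTH_ENABLED
              value: "true"
            - name: KC_METRICS_ENABLED
              value: "true"
            # --- initial admin account ---
            - name: KEYCLOAK_ADMIN
              valueFrom:
                secretKeyRef:
                  name: keycloak-admin
                  key: username
            - name: KEYCLOAK_ADMIN_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: keycloak-admin
                  key: password
            # --- event listeners ---
            # `mailu-http` is provided by the jar staged by the init container.
            - name: KC_EVENTS_LISTENERS
              value: jboss-logging,mailu-http
            # In-cluster cleartext endpoint; events (which may carry user
            # identifiers) travel unencrypted between namespaces.
            - name: KC_SPI_EVENTS_LISTENER_MAILU-HTTP_ENDPOINT
              value: http://mailu-sync-listener.mailu-mailserver.svc.cluster.local:8080/events
          ports:
            - containerPort: 8080
              name: http
            - containerPort: 9000
              name: metrics
          readinessProbe:
            httpGet:
              path: /health/ready
              port: 9000
            initialDelaySeconds: 15
            periodSeconds: 10
            failureThreshold: 6
          livenessProbe:
            httpGet:
              path: /health/live
              port: 9000
            initialDelaySeconds: 60
            periodSeconds: 15
            failureThreshold: 6
          volumeMounts:
            - name: data
              mountPath: /opt/keycloak/data
            - name: providers
              mountPath: /opt/keycloak/providers
      volumes:
        - name: data
          persistentVolumeClaim:
            claimName: keycloak-data
        # Populated by the init container; discarded with the pod.
        - name: providers
          emptyDir: {}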