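---
# Keycloak on Kubernetes, exposed through an Istio ingress gateway:
# TLS passthrough on 443 (Keycloak terminates TLS on 8443) and plain HTTP
# on 80 routed to 8080. All resources live in the `default` namespace.
#
# Review notes:
#   - The three passwords that were inlined as env values now come from the
#     `keycloak-credentials` Secret below; the literal values are unchanged.
#   - KEYCLOAK_USER/KEYCLOAK_PASSWORD, DB_VENDOR/DB_* and the /auth URL prefix
#     are the configuration surface of the legacy WildFly-based image, so
#     `quay.io/keycloak/keycloak:latest` should be pinned to a tag that still
#     honours them (tag left as-is here; choose it when deploying).
apiVersion: v1
kind: ServiceAccount
metadata:
  name: keycloak
  namespace: default
---
apiVersion: v1
kind: Secret
metadata:
  name: keycloak-credentials
  namespace: default
type: Opaque
# stringData is base64-encoded by the API server on admission. These are the
# same literal values the original manifest carried in plain env values and
# are meant to be replaced (or supplied from a secret store) per environment.
stringData:
  KEYCLOAK_PASSWORD: "admin"
  MANAGEMENT_PASSWORD: "secret"
  DB_PASSWORD: "keycloak"
---
apiVersion: v1
kind: Service
metadata:
  name: keycloak
  namespace: default
  labels:
    app: keycloak
spec:
  # The original declared `type` twice (ExternalName, then LoadBalancer).
  # Parsers keep the last duplicate key, so LoadBalancer is what was applied;
  # ExternalName is incompatible with selector/ports/nodePort anyway, so the
  # dead `externalName: keycloak.local` entry is dropped.
  type: LoadBalancer
  selector:
    app: keycloak
  ports:
    - name: http
      port: 8080
      targetPort: 8080
      nodePort: 31560
    - name: https
      port: 8443
      targetPort: 8443
      nodePort: 31561
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: keycloak
  namespace: default
  labels:
    app: keycloak
spec:
  replicas: 1
  selector:
    matchLabels:
      app: keycloak
  template:
    metadata:
      labels:
        app: keycloak
    spec:
      serviceAccountName: keycloak
      # NOTE(review): nothing here appears to call the Kubernetes API; if that
      # holds, `automountServiceAccountToken: false` removes an unneeded token.
      initContainers:
        # Block start-up until the `postgres` Service accepts TCP on 5432.
        - name: init-postgres
          image: busybox  # unpinned tag; consider a fixed tag or digest
          imagePullPolicy: IfNotPresent
          command:
            - 'sh'
            - '-c'
            - 'until nc -vz postgres 5432; do echo waiting for postgres db; sleep 2; done;'
      containers:
        - name: keycloak
          image: quay.io/keycloak/keycloak:latest
          imagePullPolicy: IfNotPresent
          env:
            - name: KEYCLOAK_USER
              value: "admin"
            - name: KEYCLOAK_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: keycloak-credentials
                  key: KEYCLOAK_PASSWORD
            - name: KEYCLOAK_HTTPS_PORT
              value: "8443"
            # Trust X-Forwarded-* headers from the Istio ingress in front of us.
            - name: PROXY_ADDRESS_FORWARDING
              value: "true"
            - name: MANAGEMENT_USER
              value: "wildfly-admin"
            - name: MANAGEMENT_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: keycloak-credentials
                  key: MANAGEMENT_PASSWORD
            - name: INGRESS_ENABLED
              value: "false"
            - name: DB_VENDOR
              value: "postgres"
            - name: DB_ADDR
              value: "postgres"
            - name: DB_PORT
              value: "5432"
            - name: DB_DATABASE
              value: "keycloak"
            - name: DB_USER
              value: "keycloak"
            - name: DB_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: keycloak-credentials
                  key: DB_PASSWORD
            # CA bundle served from the hostPath volume mounted below.
            - name: X509_CA_BUNDLE
              value: "/etc/x509/https/rootCA.crt"
          ports:
            - name: http
              containerPort: 8080
            - name: https
              containerPort: 8443
          readinessProbe:
            httpGet:
              path: /auth/realms/master
              port: 8080
          volumeMounts:
            - name: keycloak-certs
              mountPath: /etc/x509/https
            - name: authz-js-policies
              mountPath: /opt/jboss/keycloak/standalone/deployments/authz-js-policies.jar
      # hostPath volumes pin the pod to nodes that already carry these files;
      # the certificate directory in particular is a candidate for a Secret.
      volumes:
        - name: keycloak-certs
          hostPath:
            path: /var/keycloak/certs
            type: Directory
        - name: authz-js-policies
          hostPath:
            path: /var/keycloak/deployments/authz-js-policies.jar
            type: File
---
# Istio resources below use one API version (v1beta1) instead of mixing
# v1alpha3 and v1beta1 across documents.
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: kcgateway
  namespace: default
spec:
  selector:
    istio: ingressgateway  # use istio default ingress gateway
  servers:
    - port:
        number: 443
        name: https
        protocol: HTTPS
      tls:
        mode: PASSTHROUGH  # TLS is terminated by Keycloak on 8443, not here
      hosts:
        - keycloak.est.tech
    # NOTE(review): this listener serves /auth in clear text through
    # `keycloak-vs` below; `tls: {httpsRedirect: true}` on this server would
    # push clients to 443 instead.
    - port:
        number: 80
        name: http
        protocol: HTTP
      hosts:
        - "*"
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: keycloak-tls-vs
  namespace: default
spec:
  hosts:
    - keycloak.est.tech
  gateways:
    - kcgateway
  # SNI-based routing: the TLS session is passed through untouched to 8443.
  tls:
    - match:
        - port: 443
          sniHosts:
            - keycloak.est.tech
      route:
        - destination:
            host: keycloak.default.svc.cluster.local
            port:
              number: 8443
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: keycloak-vs
  namespace: default
spec:
  hosts:
    - "*"
  gateways:
    - kcgateway
  http:
    - name: "keycloak-routes"
      match:
        - uri:
            prefix: "/auth"
      route:
        - destination:
            host: keycloak.default.svc.cluster.local
            port:
              number: 8080
---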