K8s cluster - keycloak

Why?

I quickly discovered that having numerous logins for your self-hosted services is quite annoying. Keycloak comes to the rescue.

k8s config

Keycloak (since I’m using arm64 I can’t use the original Keycloak image):

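# Keycloak server (WildFly-based 12.x image rebuilt for arm64).
# NOTE(review): this is a third-party rebuild, not the upstream Keycloak image.
# It holds the credentials to the identity database, so pin it by digest
# (image@sha256:...) and keep track of where the build comes from.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: keycloak
  namespace: keycloak
  labels:
    app: keycloak
spec:
  replicas: 1
  selector:
    matchLabels:
      app: keycloak
  template:
    metadata:
      labels:
        app: keycloak
    spec:
      # Keycloak never calls the Kubernetes API; don't hand it a token.
      automountServiceAccountToken: false
      containers:
        - name: keycloak
          image: registry.gitlab.com/aivero/public/keycloak-docker-arm64:12.0.1
          imagePullPolicy: IfNotPresent
          ports:
            - name: http
              containerPort: 8080
              protocol: TCP
            # WildFly management interface. It is deliberately not referenced by
            # the Service or the Ingress - keep it that way.
            - name: http-management
              containerPort: 9990
              protocol: TCP
          env:
            # Initial admin bootstrap. The upstream image only reads these on
            # first start to create the admin account; the password is taken
            # from a Secret so it never sits next to the manifest in VCS.
            - name: KEYCLOAK_USER
              value: "admin"
            - name: KEYCLOAK_PASSWORD
              valueFrom:
                secretKeyRef:
                  # Placeholder name: create this Secret out of band with the
                  # keys "admin-password" and "db-password".
                  name: keycloak-credentials
                  key: admin-password
            # Required behind a TLS-terminating Ingress so Keycloak builds its
            # redirect URLs from the X-Forwarded-* headers.
            - name: PROXY_ADDRESS_FORWARDING
              value: "true"
            - name: DB_VENDOR
              value: "postgres"
            # Resolves to the "postgres" Service in this namespace.
            - name: DB_ADDR
              value: "postgres"
            - name: DB_DATABASE
              value: "keycloak"
            - name: DB_USER
              value: "keycloak"
            # Same Secret key the postgres Deployment uses for POSTGRES_PASSWORD,
            # so the two sides cannot drift apart.
            - name: DB_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: keycloak-credentials
                  key: db-password
            - name: JDBC_PARAMS
              value: "serverTimezone=UTC"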
---
# In-cluster endpoint for Keycloak; only the HTTP port is published, the
# management port stays pod-local.
apiVersion: v1
kind: Service
metadata:
  name: keycloak
  namespace: keycloak
  labels:
    app: keycloak
spec:
  type: ClusterIP
  selector:
    app: keycloak
  ports:
    # targetPort refers to the container port named "http" (8080).
    - name: http
      port: 8080
      protocol: TCP
      targetPort: http
---
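# Public entry point for Keycloak.
# NOTE(review): the admin console (under /auth/admin on 12.x) lives on the same
# host and path prefix, so this rule exposes it to the internet as well. If
# that is not intended, restrict it with the ingress controller's source-IP
# allowlist or serve it from a separate, internal-only Ingress.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: keycloak
  namespace: keycloak
  labels:
    app: keycloak
  annotations:
    # cert-manager's ingress-shim issues the certificate declared in spec.tls.
    cert-manager.io/cluster-issuer: kncyber
spec:
  # NOTE(review): no ingressClassName is set, so this relies on the cluster
  # having a default ingress class - confirm.
  tls:
    # NOTE(review): a wildcard SAN can only be issued through a DNS-01 solver;
    # confirm the "kncyber" ClusterIssuer is configured for that.
    - secretName: kncyber-tls
      hosts:
        - "kncyber.pl"
        - "*.kncyber.pl"
  rules:
    - host: keycloak.kncyber.pl
      http:
        paths:
          - path: /
            # Prefix is the portable match for "/"; ImplementationSpecific
            # leaves the semantics to whichever controller is installed.
            pathType: Prefix
            backend:
              service:
                name: keycloak
                port:
                  name: http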

postgres:

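# PostgreSQL backing store for Keycloak: one replica on a ReadWriteOnce volume.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: postgres
  namespace: keycloak
  labels:
    app: postgres
spec:
  replicas: 1
  # The PVC is ReadWriteOnce. The default RollingUpdate strategy would try to
  # start the new pod while the old one still holds the volume and hang;
  # Recreate stops the old pod first.
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app: postgres
  template:
    metadata:
      labels:
        app: postgres
    spec:
      # The database never calls the Kubernetes API; don't hand it a token.
      automountServiceAccountToken: false
      containers:
        - name: postgres
          # NOTE(review): PostgreSQL 11 is past upstream end-of-life. Moving to
          # a supported major is a dump/restore, not just a tag change.
          image: postgres:11
          imagePullPolicy: IfNotPresent
          ports:
            - name: postgres
              containerPort: 5432
              protocol: TCP
          volumeMounts:
            # Mounts the "postgres" subdirectory of the claim as the data dir.
            - mountPath: /var/lib/postgresql/data
              name: keycloak-pv
              subPath: postgres
          env:
            - name: POSTGRES_USER
              value: "keycloak"
            # Must equal DB_PASSWORD in the keycloak Deployment; both read the
            # same Secret key so they cannot drift apart.
            - name: POSTGRES_PASSWORD
              valueFrom:
                secretKeyRef:
                  # Placeholder name: create this Secret out of band with the
                  # keys "admin-password" and "db-password".
                  name: keycloak-credentials
                  key: db-password
            - name: POSTGRES_DB
              value: "keycloak"
      volumes:
        - name: keycloak-pv
          persistentVolumeClaim:
            claimName: keycloak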
---
# Cluster-internal endpoint for the database; the keycloak Deployment reaches
# it as DB_ADDR=postgres. Nothing outside the cluster should see this port.
apiVersion: v1
kind: Service
metadata:
  name: postgres
  namespace: keycloak
  labels:
    app: postgres
spec:
  type: ClusterIP
  selector:
    app: postgres
  ports:
    # targetPort refers to the container port named "postgres" (5432).
    - name: postgres
      port: 5432
      protocol: TCP
      targetPort: postgres

pvc:

# Persistent storage for the postgres Deployment (claimName: keycloak).
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: keycloak
  namespace: keycloak
  labels:
    app: keycloak
spec:
  # ReadWriteOnce: a single node may mount it, which is why the database
  # must be replaced rather than rolled over on update.
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 500Mi
  # NOTE(review): "keycloak" is a custom StorageClass that has to exist in
  # the cluster before this claim can bind - confirm.
  storageClassName: keycloak
  volumeMode: Filesystem