-
Notifications
You must be signed in to change notification settings - Fork 4
/
2.hyperauth_deployment.yaml
140 lines (140 loc) · 4.55 KB
/
2.hyperauth_deployment.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
apiVersion: apps/v1
kind: Deployment
metadata:
name: hyperauth
namespace: hyperauth
labels:
app: hyperauth
spec:
replicas: 2
selector:
matchLabels:
app: hyperauth
template:
metadata:
labels:
app: hyperauth
spec:
volumes:
- name: ssl
secret:
secretName: hyperauth-https-secret
- name: kafka
secret:
secretName: hyperauth-kafka-jks
- name: log
persistentVolumeClaim:
claimName: hyperauth-log-pvc
- name: picture # Only needed Version After tmaxcloudck/hyperauth:b1.1.1.33
persistentVolumeClaim:
claimName: hyperauth-profile-picture
- name: realm
configMap:
name: tmax-realm-import-config
- name: hyperauth-admin-token
secret:
secretName: hyperauth-admin-token
# Enable If use External-oidc-provider (for initech or other mTLS)
# - name: external-crt
# secret:
# secretName: external-oidc-provider-https-secret
# items:
# - key: ca.crt
# path: ca.crt
containers:
- name: hyperauth
image: tmaxcloudck/hyperauth:latest #latest
args: ["-c standalone-ha.xml", "-Dkeycloak.profile.feature.upload_scripts=enabled", "-Dkeycloak.profile.feature.docker=enabled -b 0.0.0.0"]
env:
#- name: LOG_LEVEL # only after b1.1.2.0 && Not required, logs have their default levels
# value: ERROR
- name: KEYCLOAK_IMPORT
value: /tmp/realm-import/tmax-realm.json
- name: KEYCLOAK_USER
value: "admin"
- name: KEYCLOAK_PASSWORD
valueFrom:
secretKeyRef:
name: passwords
key: HYPERAUTH_PASSWORD
- name: CERTS_PASSWORD
valueFrom:
secretKeyRef:
name: passwords
key: CERTS_PASSWORD
- name: PROXY_ADDRESS_FORWARDING
value: "true"
- name: DB_VENDOR # postgres / tibero
value: "postgres"
- name: DB_PORT # postgres : 31226, tibero : 32571
value: "31226"
- name: DB_ADDR
valueFrom:
fieldRef:
fieldPath: status.hostIP
- name: DB_USER
value: "keycloak"
- name: DB_PASSWORD
valueFrom:
secretKeyRef:
name: passwords
key: DB_PASSWORD
- name: KEYCLOAK_WELCOME_THEME
value: tmax
- name: TZ
value: Asia/Seoul
- name: NAMESPACE
value: hyperauth
- name: JGROUPS_DISCOVERY_PROTOCOL
value: "kubernetes.KUBE_PING"
- name: JGROUPS_DISCOVERY_PROPERTIES
value: "namespace=hyperauth"
- name: CACHE_OWNERS_COUNT
value: "2"
- name: CACHE_OWNERS_AUTH_SESSIONS_COUNT
value: "2"
- name: KAFKA_BROKERS_ADDR
value: "kafka-kafka-bootstrap.hyperauth:9092"
- name: USER_DELETE_SCHEDULER
value: "true"
# Enable Below ENVs if use External-oidc-provider (for initech or other mTLS)
# - name: X509_CA_BUNDLE
# value: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt/ca.crt
# - name: EXTERNAL_OIDC_PROVIDER_AUTH_URL
# value: "https://tmax.initech.com/externalauth"
# - name: EXTERNAL_OIDC_PROVIDER_TOKEN_URL
# value: "https://tmax.initech.com/token"
# - name: EXTERNAL_OIDC_PROVIDER_PROFILE_URL
# value: "https://tmax.initech.com/user"
ports:
- name: http
containerPort: 8080
- name: https
containerPort: 8443
volumeMounts:
- name: ssl
mountPath: /etc/x509/https
- name: kafka
mountPath: /etc/x509/kafka
- name: log
mountPath: /opt/jboss/keycloak/standalone/log/hyperauth
- name: picture # Only needed Version After tmaxcloudck/hyperauth:b1.1.1.33
mountPath: /opt/jboss/keycloak/welcome-content/profile-picture
- name: realm
mountPath: /tmp/realm-import
- name: hyperauth-admin-token
mountPath: /var/run/secrets/kubernetes.io/serviceaccount
# Enable If use External-oidc-provider (for initech or other mTLS)
# - name: external-crt
# mountPath: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
readinessProbe:
httpGet:
path: /auth/realms/master
port: 8080
resources:
limits:
cpu: "1"
memory: "1Gi"
requests:
cpu: "1"
memory: "1Gi"