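---
# Single-replica Keycloak Deployment whose H2 data directory lives on a
# PersistentVolumeClaim. Plain HTTP is enabled on 8080 and X-Forwarded-*
# headers are honoured, so this manifest assumes a TLS-terminating reverse
# proxy / ingress in front of the pod.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: keycloak
  namespace: keycloak
  labels:
    app: keycloak
spec:
  replicas: 1
  selector:
    matchLabels:
      app: keycloak
  template:
    metadata:
      labels:
        app: keycloak
    spec:
      securityContext:
        runAsUser: 1000
        runAsGroup: 1000
        # fsGroup makes the mounted volume group-writable for GID 1000.
        fsGroup: 1000
        # Have the kubelet refuse to start the container as UID 0 even if
        # runAsUser is later removed or overridden.
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: keycloak
          # NOTE(review): "26.1" is a mutable tag; pin a full patch version or
          # an image digest so a rollout cannot silently pull different bits.
          image: quay.io/keycloak/keycloak:26.1
          args:
            - "start"
            - "--verbose"
          # The server listens on unprivileged ports only, so no Linux
          # capabilities or privilege escalation are needed.
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
          env:
            # With strict hostname checking off, the public hostname is taken
            # from the incoming request. Set KC_HOSTNAME to a fixed value for
            # anything exposed beyond a trusted network.
            - name: KC_HOSTNAME_STRICT
              value: "false"
            # Plain HTTP listener: TLS must be terminated upstream, and
            # traffic between proxy and pod is unencrypted.
            - name: KC_HTTP_ENABLED
              value: "true"
            # NOTE(review): KEYCLOAK_USER / KEYCLOAK_PASSWORD look like the
            # legacy (WildFly-era) admin variables; the KC_BOOTSTRAP_ADMIN_*
            # pair below carries the same values. Confirm nothing reads these
            # and drop them so the password is not exposed twice in the
            # container environment.
            - name: KEYCLOAK_USER
              value: "admin"
            - name: KEYCLOAK_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: keycloak-admin-secret
                  key: password
            # Bootstrap admin account; the password comes from a Secret rather
            # than being inlined in the manifest.
            - name: KC_BOOTSTRAP_ADMIN_USERNAME
              value: "admin"
            - name: KC_BOOTSTRAP_ADMIN_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: keycloak-admin-secret
                  key: password
            - name: KC_HEALTH_ENABLED
              value: "true"
            # X-Forwarded-* headers are trusted. The pod must only be
            # reachable through a proxy that overwrites these headers;
            # otherwise clients can supply their own values.
            - name: KC_PROXY_HEADERS
              value: "xforwarded"
          ports:
            - name: http
              containerPort: 8080
          # The probe targets port 9000, not the "http" port declared above.
          readinessProbe:
            httpGet:
              path: /health/ready
              port: 9000
            initialDelaySeconds: 15  # Delay before the probe starts
            periodSeconds: 15
            timeoutSeconds: 3
            successThreshold: 1  # Number of successful probes to consider the pod ready
            failureThreshold: 5
          volumeMounts:
            # NOTE(review): the mount path is the embedded H2 data directory;
            # confirm an external database is not intended for this
            # "start" (production-mode) deployment.
            - mountPath: /opt/keycloak/data/h2/
              name: storage
      volumes:
        - name: storage
          persistentVolumeClaim:
            claimName: keycloak-pvc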