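---
# Keycloak Deployment: one replica in the "keycloak" namespace.
# Keycloak terminates TLS itself with the cert/key mounted from
# keycloak-tls-secret; the admin password is read from keycloak-admin-secret.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: keycloak
  namespace: keycloak
  labels:
    app: keycloak
spec:
  # NOTE(review): the PVC below is mounted at Keycloak's H2 data directory,
  # which suggests the embedded file database is in use. That database is
  # single-writer, so keep replicas at 1; confirm whether an external database
  # is intended for production.
  replicas: 1
  selector:
    matchLabels:
      app: keycloak
  template:
    metadata:
      labels:
        app: keycloak
    spec:
      containers:
        - name: keycloak
          # image: quay.io/keycloak/keycloak:23.0.1
          # NOTE(review): "26.1" is a floating tag; pinning by digest makes the
          # identity-provider image reproducible and tamper-evident.
          image: quay.io/keycloak/keycloak:26.1
          # args: [ "start" ]
          # Baseline hardening. Keycloak only binds unprivileged ports
          # (8080/8443), so no capabilities are needed.
          # NOTE(review): assumes the upstream image runs as a non-root UID;
          # confirm before rollout. The root filesystem is left writable
          # because Keycloak writes under /opt/keycloak/data.
          securityContext:
            runAsNonRoot: true
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            seccompProfile:
              type: RuntimeDefault
          env:
            # NOTE(review): KEYCLOAK_USER / KEYCLOAK_PASSWORD are the variable
            # names of the legacy WildFly-based distribution and are presumably
            # ignored by 26.x; confirm and drop them to avoid exposing the
            # secret in more variables than necessary.
            - name: KEYCLOAK_USER
              value: admin
            - name: KEYCLOAK_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: keycloak-admin-secret
                  key: password
            # Initial admin account. Keycloak 26 deprecates these names in
            # favour of KC_BOOTSTRAP_ADMIN_USERNAME / KC_BOOTSTRAP_ADMIN_PASSWORD.
            - name: KEYCLOAK_ADMIN
              value: admin
            - name: KEYCLOAK_ADMIN_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: keycloak-admin-secret
                  key: password
            # NOTE(review): legacy WildFly-era switch; the Quarkus-based
            # distribution uses the proxy-headers option (KC_PROXY_HEADERS)
            # instead. Only trust forwarded headers when a reverse proxy in
            # front of Keycloak overwrites them, otherwise clients can spoof
            # their source address and scheme.
            - name: PROXY_ADDRESS_FORWARDING
              value: "true"
          ports:
            - name: http
              containerPort: 8080
            - name: https
              containerPort: 8443
          readinessProbe:
            httpGet:
              # The Quarkus-based distribution serves realms from "/" (the
              # "/auth" prefix exists only if http-relative-path is set), and
              # `start` with HTTPS certificates leaves the plain-HTTP listener
              # disabled, so the probe must target the TLS port.
              path: /realms/master
              port: 8443
              scheme: HTTPS
            initialDelaySeconds: 5  # Delay before the probe starts
            periodSeconds: 15
            timeoutSeconds: 3
            successThreshold: 1  # Number of successful probes to consider the pod ready
            failureThreshold: 5
          volumeMounts:
            - mountPath: /opt/keycloak/data/h2/
              name: storage
            # NOTE(review): this mount overlays /etc/ssl/certs, the directory
            # where a system CA bundle is conventionally kept, and places the
            # server private key there. A dedicated directory used only for
            # the Keycloak certificate and key would be cleaner.
            - name: tls-secret
              mountPath: /etc/ssl/certs
              readOnly: true
          # `command` replaces the image entrypoint, so the launcher script has
          # to be the first element; without it the container would try to
          # execute `start` as a binary and fail to come up.
          # NOTE(review): production `start` normally also needs a hostname
          # setting (--hostname or KC_HOSTNAME); none is visible here, so
          # confirm it is supplied elsewhere.
          command:
            - /opt/keycloak/bin/kc.sh
            - start
            - --https-certificate-file=/etc/ssl/certs/cert.pem
            - --https-certificate-key-file=/etc/ssl/certs/key.pem
            - --verbose
      volumes:
        - name: storage
          persistentVolumeClaim:
            claimName: keycloak-pvc
        # Files in the mount are named after the secret's keys, so this secret
        # must contain "cert.pem" and "key.pem" (a kubernetes.io/tls secret
        # would expose tls.crt / tls.key instead).
        - name: tls-secret
          secret:
            secretName: keycloak-tls-secret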