From f6b2eeaf600a47a10bf3e354ed880c4e1cd2de44 Mon Sep 17 00:00:00 2001
From: kimo
Date: Sun, 16 Nov 2025 13:04:38 +0000
Subject: [PATCH] add keycloak operator
---
 keycloak/keycloak-operator.yaml | 432 ++++++++++++++++++++++++++++++++
 1 file changed, 432 insertions(+)
 create mode 100644 keycloak/keycloak-operator.yaml
diff --git a/keycloak/keycloak-operator.yaml b/keycloak/keycloak-operator.yaml
new file mode 100644
index 0000000..75b3579
--- /dev/null
+++ b/keycloak/keycloak-operator.yaml
@@ -0,0 +1,432 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ annotations:
+ app.quarkus.io/quarkus-version: 3.27.0
+ app.quarkus.io/vcs-uri: https://github.com/keycloak/keycloak.git
+ app.quarkus.io/build-timestamp: 2025-11-12 - 15:30:52 +0000
+ labels:
+ app.kubernetes.io/name: keycloak-operator
+ app.kubernetes.io/version: 26.4.5
+ app.kubernetes.io/managed-by: quarkus
+ name: keycloak-operator
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels:
+ app.kubernetes.io/name: keycloak-operator
+ name: keycloak-operator-clusterrole
+rules:
+ - apiGroups:
+ - config.openshift.io
+ resources:
+ - ingresses
+ verbs:
+ - get
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels:
+ app.kubernetes.io/name: keycloak-operator
+ app.kubernetes.io/version: 26.4.5
+ name: keycloakrealmimportcontroller-cluster-role
+rules:
+ - apiGroups:
+ - k8s.keycloak.org
+ resources:
+ - keycloakrealmimports
+ - keycloakrealmimports/status
+ - keycloakrealmimports/finalizers
+ verbs:
+ - get
+ - list
+ - watch
+ - patch
+ - update
+ - create
+ - delete
+ - apiGroups:
+ - batch
+ resources:
+ - jobs
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - watch
+ - apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels:
+ app.kubernetes.io/name: keycloak-operator
+ app.kubernetes.io/version: 26.4.5
+ name: keycloakcontroller-cluster-role
+rules:
+ - apiGroups:
+ - k8s.keycloak.org
+ resources:
+ - keycloaks
+ - keycloaks/status
+ - keycloaks/finalizers
+ verbs:
+ - get
+ - list
+ - watch
+ - patch
+ - update
+ - create
+ - delete
+ - apiGroups:
+ - ""
+ resources:
+ - services
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - apiGroups:
+ - monitoring.coreos.com
+ resources:
+ - servicemonitors
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - apiGroups:
+ - networking.k8s.io
+ resources:
+ - networkpolicies
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - apiGroups:
+ - apps
+ resources:
+ - statefulsets
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - apiGroups:
+ - networking.k8s.io
+ resources:
+ - ingresses
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ labels:
+ app.kubernetes.io/name: keycloak-operator
+ name: keycloak-operator-clusterrole-binding
+roleRef:
+ kind: ClusterRole
+ apiGroup: rbac.authorization.k8s.io
+ name: keycloak-operator-clusterrole
+subjects:
+ - kind: ServiceAccount
+ name: keycloak-operator
+ namespace: keycloak
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ labels:
+ app.kubernetes.io/name: keycloak-operator
+ name: keycloak-operator-role
+rules:
+ - apiGroups:
+ - apps
+ resources:
+ - statefulsets
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - delete
+ - patch
+ - update
+ - apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - ""
+ resources:
+ - secrets
+ - services
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - delete
+ - patch
+ - update
+ - apiGroups:
+ - ""
+ resources:
+ - pods
+ verbs:
+ - list
+ - apiGroups:
+ - ""
+ resources:
+ - pods/log
+ verbs:
+ - get
+ - apiGroups:
+ - batch
+ resources:
+ - jobs
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - delete
+ - patch
+ - update
+ - apiGroups:
+ - networking.k8s.io
+ resources:
+ - ingresses
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - delete
+ - patch
+ - update
+ - apiGroups:
+ - monitoring.coreos.com
+ resources:
+ - servicemonitors
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - update
+ - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ labels:
+ app.kubernetes.io/name: keycloak-operator
+ name: keycloak-operator-role-binding
+roleRef:
+ kind: Role
+ apiGroup: rbac.authorization.k8s.io
+ name: keycloak-operator-role
+subjects:
+ - kind: ServiceAccount
+ name: keycloak-operator
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ labels:
+ app.kubernetes.io/name: keycloak-operator
+ app.kubernetes.io/version: 26.4.5
+ name: keycloakrealmimportcontroller-role-binding
+roleRef:
+ kind: ClusterRole
+ apiGroup: rbac.authorization.k8s.io
+ name: keycloakrealmimportcontroller-cluster-role
+subjects:
+ - kind: ServiceAccount
+ name: keycloak-operator
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ labels:
+ app.kubernetes.io/name: keycloak-operator
+ app.kubernetes.io/version: 26.4.5
+ name: keycloakcontroller-role-binding
+roleRef:
+ kind: ClusterRole
+ apiGroup: rbac.authorization.k8s.io
+ name: keycloakcontroller-cluster-role
+subjects:
+ - kind: ServiceAccount
+ name: keycloak-operator
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ labels:
+ app.kubernetes.io/name: keycloak-operator
+ app.kubernetes.io/version: 26.4.5
+ name: keycloak-operator-view
+roleRef:
+ kind: ClusterRole
+ apiGroup: rbac.authorization.k8s.io
+ name: view
+subjects:
+ - kind: ServiceAccount
+ name: keycloak-operator
+---
+apiVersion: v1
+kind: Service
+metadata:
+ annotations:
+ app.quarkus.io/quarkus-version: 3.27.0
+ app.quarkus.io/vcs-uri: https://github.com/keycloak/keycloak.git
+ app.quarkus.io/build-timestamp: 2025-11-12 - 15:30:52 +0000
+ labels:
+ app.kubernetes.io/name: keycloak-operator
+ app.kubernetes.io/version: 26.4.5
+ app.kubernetes.io/managed-by: quarkus
+ name: keycloak-operator
+spec:
+ ports:
+ - name: http
+ port: 80
+ protocol: TCP
+ targetPort: 8080
+ selector:
+ app.kubernetes.io/name: keycloak-operator
+ type: ClusterIP
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ annotations:
+ app.quarkus.io/quarkus-version: 3.27.0
+ app.quarkus.io/vcs-uri: https://github.com/keycloak/keycloak.git
+ app.quarkus.io/build-timestamp: 2025-11-12 - 15:30:52 +0000
+ labels:
+ app.kubernetes.io/name: keycloak-operator
+ app.kubernetes.io/version: 26.4.5
+ app.kubernetes.io/managed-by: quarkus
+ name: keycloak-operator
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: keycloak-operator
+ template:
+ metadata:
+ annotations:
+ app.quarkus.io/quarkus-version: 3.27.0
+ app.quarkus.io/vcs-uri: https://github.com/keycloak/keycloak.git
+ app.quarkus.io/build-timestamp: 2025-11-12 - 15:30:52 +0000
+ labels:
+ app.kubernetes.io/managed-by: quarkus
+ app.kubernetes.io/name: keycloak-operator
+ app.kubernetes.io/version: 26.4.5
+ spec:
+ containers:
+ - env:
+ - name: KUBERNETES_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: RELATED_IMAGE_KEYCLOAK
+ value: quay.io/keycloak/keycloak:26.4.5
+ image: quay.io/keycloak/keycloak-operator:26.4.5
+ imagePullPolicy: Always
+ livenessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /q/health/live
+ port: 8080
+ scheme: HTTP
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 10
+ name: keycloak-operator
+ ports:
+ - containerPort: 8080
+ name: http
+ protocol: TCP
+ readinessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /q/health/ready
+ port: 8080
+ scheme: HTTP
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 10
+ resources:
+ limits:
+ cpu: 700m
+ memory: 450Mi
+ requests:
+ cpu: 300m
+ memory: 450Mi
+ startupProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /q/health/started
+ port: 8080
+ scheme: HTTP
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 10
+ serviceAccountName: keycloak-operator
\ No newline at end of file
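Review bot: The `keycloak-operator` container in the Deployment at the end of this hunk sets no `securityContext`, even though the RBAC objects earlier in the same file let its ServiceAccount create, read and delete Secrets (`keycloak-operator-role` and the two controller ClusterRoles bound by RoleBinding). A restrictive container `securityContext` (no privilege escalation, all capabilities dropped, non-root, `RuntimeDefault` seccomp) would contain a compromised operator process; `runAsNonRoot: true` assumes the image declares a numeric non-root user, which should be confirmed before merging. Both images are also referenced by tag only with `imagePullPolicy: Always`, so the running artifact can change without a commit; pinning by digest (`quay.io/keycloak/keycloak-operator:26.4.5@sha256:<digest>`, where `<digest>` is a placeholder) would make the deployed image reviewable. The ClusterRoleBinding subject hard-codes `namespace: keycloak` while no object sets `metadata.namespace`, so the manifest presumably has to be applied into that namespace for the binding to match.

```yaml
          image: quay.io/keycloak/keycloak-operator:26.4.5
          # … unchanged: imagePullPolicy, probes, name, ports, resources …
          securityContext:
            allowPrivilegeEscalation: false
            runAsNonRoot: true
            capabilities:
              drop:
                - ALL
            seccompProfile:
              type: RuntimeDefault
      serviceAccountName: keycloak-operator
```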