apiVersion: apps/v1
kind: Deployment
metadata:
  name: workclub-keycloak
  labels:
    app: workclub-keycloak
    component: auth
spec:
  replicas: 1
  selector:
    matchLabels:
      app: workclub-keycloak
  template:
    metadata:
      labels:
        app: workclub-keycloak
        component: auth
    spec:
      containers:
      - name: keycloak
        image: quay.io/keycloak/keycloak:26.1
        imagePullPolicy: IfNotPresent
        command:
        - start
        ports:
        - name: http
          containerPort: 8080
          protocol: TCP
        readinessProbe:
          httpGet:
            path: /health/ready
            port: http
          initialDelaySeconds: 10
          periodSeconds: 10
          timeoutSeconds: 5
          failureThreshold: 2
        
        livenessProbe:
          httpGet:
            path: /health/live
            port: http
          initialDelaySeconds: 20
          periodSeconds: 15
          timeoutSeconds: 5
          failureThreshold: 3
        resources:
          requests:
            cpu: 100m
            memory: 256Mi
          limits:
            cpu: 500m
            memory: 512Mi
        env:
        - name: KC_DB
          value: postgres
        - name: KC_DB_URL_HOST
          value: workclub-postgres
        - name: KC_DB_URL_PORT
          value: "5432"
        - name: KC_DB_URL_DATABASE
          value: keycloak
        - name: KC_DB_USERNAME
          value: keycloak
        - name: KC_DB_PASSWORD
          valueFrom:
            secretKeyRef:
              name: workclub-secrets
              key: keycloak-db-password
        - name: KEYCLOAK_ADMIN
          value: admin
        - name: KEYCLOAK_ADMIN_PASSWORD
          valueFrom:
            secretKeyRef:
              name: workclub-secrets
              key: keycloak-admin-password
        - name: KC_HOSTNAME_STRICT
          value: "false"
        - name: KC_PROXY
          value: "edge"
        - name: KC_HTTP_ENABLED
          value: "true"