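---
# Keycloak server instance managed by the Keycloak Operator (k8s.keycloak.org/v2alpha1).
# `{{ .Env.* }}` placeholders are substituted by a template step before the manifest is
# applied; they are quoted so that the unrendered file is still valid YAML and an empty
# expansion yields "" instead of null (an unquoted `{{ ... }}` parses as a flow mapping).
apiVersion: k8s.keycloak.org/v2alpha1
kind: Keycloak
metadata:
  name: keycloak
  namespace: "{{ .Env.KEYCLOAK_NAMESPACE }}"
spec:
  instances: 1
  image: quay.io/keycloak/keycloak:26.4
  # Not pre-optimized: the server augments itself at startup, which is why the
  # memory limit below is raised and the root filesystem stays writable.
  startOptimized: false

  # Database configuration for external PostgreSQL.
  # The `database-config` Secret must already exist in the target namespace; it is not
  # created by this file.
  db:
    vendor: postgres
    host: postgres-cluster-rw.postgres
    port: 5432
    database: keycloak
    usernameSecret:
      name: database-config
      key: user
    passwordSecret:
      name: database-config
      key: password

  # Hostname configuration.
  # strict: false lets the server fall back to the hostname carried in the incoming
  # request when resolving its public URLs. Since KEYCLOAK_HOST is fixed here,
  # `strict: true` is the tighter setting — TODO confirm nothing relies on the fallback.
  hostname:
    hostname: "{{ .Env.KEYCLOAK_HOST }}"
    strict: false
    strictBackchannel: false

  # HTTP configuration.
  # TLS terminates at the Traefik edge (see the Ingress below); Keycloak itself serves
  # plaintext on 8080. Nothing in this file limits which workloads can reach 8080
  # directly — a NetworkPolicy allowing only the proxy is the usual companion.
  http:
    httpEnabled: true
    httpPort: 8080
    httpsPort: 8443

  # Proxy configuration for edge proxy.
  # `xforwarded` makes Keycloak trust X-Forwarded-* headers on every request it
  # receives, so this is only safe when 8080 is reachable exclusively via the proxy.
  proxy:
    headers: xforwarded

  # http-enabled and hostname-strict are configured via http.httpEnabled and hostname.strict
  additionalOptions:
    - name: metrics-enabled
      value: "true"  # NOTE(review): metrics are presumably served on the management interface, which the Ingress below does not route — verify before assuming /metrics is private

  # Keycloak takes ~20 seconds to start, so we configure probes accordingly
  # (startup budget: periodSeconds * failureThreshold = 200 s).
  # Note: Keycloak Operator v2alpha1 only supports periodSeconds and failureThreshold
  startupProbe:
    periodSeconds: 10
    failureThreshold: 20
  livenessProbe:
    periodSeconds: 10
    failureThreshold: 3
  readinessProbe:
    periodSeconds: 5
    failureThreshold: 3

  # Bootstrap admin configuration.
  # The referenced Secret must exist in the target namespace; it is not created here.
  bootstrapAdmin:
    user:
      secret: keycloak-bootstrap-admin

  # Resources
  # Increased memory limit to 3Gi for Keycloak 26.4 build process
  resources:
    requests:
      memory: "2Gi"
      cpu: "500m"
    limits:
      memory: "3Gi"
      cpu: "1000m"

  # Pod-level hardening that the operator does not expose as first-class fields.
  # Non-root, all capabilities dropped, no privilege escalation and the RuntimeDefault
  # seccomp profile satisfy the `restricted` Pod Security Standard.
  unsupported:
    podTemplate:
      spec:
        securityContext:
          runAsNonRoot: true
          runAsUser: 1000
          runAsGroup: 1000
          fsGroup: 1000
          seccompProfile:
            type: RuntimeDefault
        containers:
          - name: keycloak
            securityContext:
              allowPrivilegeEscalation: false
              # Writable root filesystem — presumably required because startOptimized: false
              # writes the build output into the image at startup. TODO confirm; if the
              # build can target a mounted emptyDir, switch this to true.
              readOnlyRootFilesystem: false
              runAsNonRoot: true
              runAsUser: 1000
              runAsGroup: 1000
              seccompProfile:
                type: RuntimeDefault
              capabilities:
                drop:
                  - ALL

  # The operator-managed Ingress is disabled in favour of the custom one below.
  ingress:
    enabled: false
---
# Separate Ingress resource for custom configuration.
# Routes HTTPS traffic for KEYCLOAK_HOST to the operator-created `keycloak-service` on
# the plaintext port 8080. The `keycloak-tls` Secret must exist in the target namespace.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: keycloak-ingress
  namespace: "{{ .Env.KEYCLOAK_NAMESPACE }}"
  annotations:
    # Deprecated alias for spec.ingressClassName below; kept for older Traefik releases
    # that only honour the annotation. Safe to drop once ingressClassName is confirmed.
    kubernetes.io/ingress.class: traefik
    # HTTPS entrypoint only. No redirect from the plain `web` entrypoint is configured
    # in this file — TODO confirm it is handled at the Traefik level.
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
spec:
  ingressClassName: traefik
  tls:
    - hosts:
        - "{{ .Env.KEYCLOAK_HOST }}"
      secretName: keycloak-tls
  rules:
    - host: "{{ .Env.KEYCLOAK_HOST }}"
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: keycloak-service
                port:
                  number: 8080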