apiVersion: apps/v1
kind: Deployment
metadata:
  name: keycloak
  labels:
    app: keycloak
  namespace: tooling
spec:
  replicas: 1
  selector:
    matchLabels:
      app: keycloak
  template:
    metadata:
      labels:
        app: keycloak
    spec:
      serviceAccountName: internal-tls-issuer
      containers:
        - name: keycloak
          image: ghcr.io/owl-corp/keycloak:26.2.1
          imagePullPolicy: Always
          envFrom:
            - secretRef:
                name: keycloak-secret-env
            - configMapRef:
                name: keycloak-config-env
          ports:
            - name: http
              containerPort: 8080
            - name: https
              containerPort: 8443
          readinessProbe:
            httpGet:
              path: /realms/master
              port: 8080
              scheme: HTTP
          volumeMounts:
            - name: ca-store
              mountPath: /opt/pydis/ca-store
      volumes:
        - name: ca-store
          configMap:
            name: ipa-ca-configmap