sec: realm import sem usuario, paridade piloto, redirect HTTPS

tenants/demo/30-apps-stubs.yaml

@@ -184,6 +184,7 @@ metadata:
   namespace: demo-prod
   annotations:
     cert-manager.io/cluster-issuer: letsencrypt-prod
+    traefik.ingress.kubernetes.io/router.middlewares: demo-prod-redirect-https@kubernetescrd
 spec:
   ingressClassName: traefik
   tls:

tenants/demo/35-realm-import-cm.yaml

@@ -31,18 +31,6 @@ data:
             "post.logout.redirect.uris": "https://demo.187.77.37.184.nip.io/*"
           }
         }
-      ],
-      "users": [
-        {
-          "username": "atleta1",
-          "enabled": true,
-          "emailVerified": true,
-          "email": "atleta1@demo.local",
-          "firstName": "Atleta",
-          "lastName": "Um",
-          "credentials": [{ "type": "password", "value": "Teste@123", "temporary": false }],
-          "realmRoles": ["atm_athlete"]
-        }
       ]
     }
 kind: ConfigMap

tenants/demo/40-middleware.yaml

@@ -0,0 +1,10 @@
+# Redirect HTTP->HTTPS (Traefik). Aplicado por-ingress (nao afeta o desafio ACME do cert-manager).
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: redirect-https
+  namespace: demo-prod
+spec:
+  redirectScheme:
+    scheme: https
+    permanent: true

tenants/piloto/20-keycloak.yaml

@@ -17,7 +17,7 @@ spec:
       containers:
         - name: keycloak
           image: quay.io/keycloak/keycloak:26.0
-          args: ["start-dev"]
+          args: ["start-dev", "--import-realm"]
           env:
             - name: KC_DB
               value: postgres
@@ -64,6 +64,14 @@ spec:
             initialDelaySeconds: 30
             periodSeconds: 10
             failureThreshold: 40
+          volumeMounts:
+            - name: realm-import
+              mountPath: /opt/keycloak/data/import
+              readOnly: true
+      volumes:
+        - name: realm-import
+          configMap:
+            name: kc-realm-import
 ---
 apiVersion: v1
 kind: Service

tenants/piloto/30-apps-stubs.yaml

@@ -187,6 +187,7 @@ metadata:
   namespace: piloto-prod
   annotations:
     cert-manager.io/cluster-issuer: letsencrypt-prod
+    traefik.ingress.kubernetes.io/router.middlewares: piloto-prod-redirect-https@kubernetescrd
 spec:
   ingressClassName: traefik
   tls:

tenants/piloto/35-realm-import-cm.yaml

@@ -0,0 +1,39 @@
+apiVersion: v1
+data:
+  athleticmap-realm.json: |
+    {
+      "realm": "athleticmap",
+      "enabled": true,
+      "displayName": "Athletic Map",
+      "loginWithEmailAllowed": true,
+      "roles": {
+        "realm": [
+          { "name": "admin" },
+          { "name": "atm_athlete" },
+          { "name": "atm_trainer" },
+          { "name": "atm_team_admin" },
+          { "name": "atm_fed_admin" }
+        ]
+      },
+      "clients": [
+        {
+          "clientId": "spa",
+          "name": "Athletic Map SPA",
+          "publicClient": true,
+          "protocol": "openid-connect",
+          "standardFlowEnabled": true,
+          "implicitFlowEnabled": false,
+          "directAccessGrantsEnabled": false,
+          "redirectUris": ["https://piloto.187.77.37.184.nip.io/*"],
+          "webOrigins": ["https://piloto.187.77.37.184.nip.io"],
+          "attributes": {
+            "pkce.code.challenge.method": "S256",
+            "post.logout.redirect.uris": "https://piloto.187.77.37.184.nip.io/*"
+          }
+        }
+      ]
+    }
+kind: ConfigMap
+metadata:
+  name: kc-realm-import
+  namespace: piloto-prod

tenants/piloto/40-middleware.yaml

@@ -0,0 +1,10 @@
+# Redirect HTTP->HTTPS (Traefik). Aplicado por-ingress (nao afeta o desafio ACME do cert-manager).
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: redirect-https
+  namespace: piloto-prod
+spec:
+  redirectScheme:
+    scheme: https
+    permanent: true