diff --git a/tenants/demo/30-apps-stubs.yaml b/tenants/demo/30-apps-stubs.yaml
index a9c4047..570b37c 100644
--- a/tenants/demo/30-apps-stubs.yaml
+++ b/tenants/demo/30-apps-stubs.yaml
@@ -184,6 +184,7 @@ metadata:
 namespace: demo-prod
 annotations:
 cert-manager.io/cluster-issuer: letsencrypt-prod
+ traefik.ingress.kubernetes.io/router.middlewares: demo-prod-redirect-https@kubernetescrd
 spec:
 ingressClassName: traefik
 tls:
diff --git a/tenants/demo/35-realm-import-cm.yaml b/tenants/demo/35-realm-import-cm.yaml
index 6281c6f..eea5016 100644
--- a/tenants/demo/35-realm-import-cm.yaml
+++ b/tenants/demo/35-realm-import-cm.yaml
@@ -31,18 +31,6 @@ data:
 "post.logout.redirect.uris": "https://demo.187.77.37.184.nip.io/*"
 }
 }
- ],
- "users": [
- {
- "username": "atleta1",
- "enabled": true,
- "emailVerified": true,
- "email": "atleta1@demo.local",
- "firstName": "Atleta",
- "lastName": "Um",
- "credentials": [{ "type": "password", "value": "Teste@123", "temporary": false }],
- "realmRoles": ["atm_athlete"]
- }
 ]
 }
 kind: ConfigMap
diff --git a/tenants/demo/40-middleware.yaml b/tenants/demo/40-middleware.yaml
new file mode 100644
index 0000000..39569e8
--- /dev/null
+++ b/tenants/demo/40-middleware.yaml
@@ -0,0 +1,10 @@
+# Redirect HTTP->HTTPS (Traefik). Aplicado por-ingress (nao afeta o desafio ACME do cert-manager).
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+ name: redirect-https
+ namespace: demo-prod
+spec:
+ redirectScheme:
+ scheme: https
+ permanent: true
diff --git a/tenants/piloto/20-keycloak.yaml b/tenants/piloto/20-keycloak.yaml
index bf9384e..8e63f40 100644
--- a/tenants/piloto/20-keycloak.yaml
+++ b/tenants/piloto/20-keycloak.yaml
@@ -17,7 +17,7 @@ spec:
 containers:
 - name: keycloak
 image: quay.io/keycloak/keycloak:26.0
- args: ["start-dev"]
+ args: ["start-dev", "--import-realm"]
 env:
 - name: KC_DB
 value: postgres
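Review bot: Nothing visible in this hunk shows that a plain-HTTP request for this host ever reaches the router that the new `router.middlewares` annotation is attached to. The Ingress carries a `tls:` section, and Traefik may build a TLS-only router from it; in that case `redirect-https` never runs and port 80 answers with a 404 instead of a redirect. Please confirm with a plain-HTTP request after deploy. If it does not redirect, the usual options are an entrypoint-level redirection or a separate non-TLS Ingress that carries the middleware. The same applies to the matching hunk in `tenants/piloto/30-apps-stubs.yaml`. The Ingress definition continues outside the hunk, so an entrypoints annotation there may already cover this.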
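Review bot: The redirect in `redirectScheme` does not stop a browser from sending its first request of every visit over plain HTTP, so a downgrade on that first hop remains possible. A second Middleware that sets an HSTS header via `headers.stsSeconds`, added to the Ingress's `router.middlewares` list, would close that gap once the certificate is stable. Note also that `permanent: true` produces a 301 that browsers cache, which is hard to roll back if the TLS setup needs to change. The same applies to `tenants/piloto/40-middleware.yaml`. The header comment would be easier to review in English: `# Redirect HTTP->HTTPS (Traefik). Applied per Ingress, so it does not affect cert-manager's ACME challenge.`

```yaml
# … unchanged: redirect-https Middleware …
---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: hsts  # suggested name, not from the commit
  namespace: demo-prod
spec:
  headers:
    stsSeconds: 31536000
```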
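Review bot: The rewritten `args` line keeps `start-dev` for a tenant whose sibling manifests use the `piloto-prod` namespace and the `letsencrypt-prod` issuer. Keycloak's development mode relaxes hostname and HTTP/TLS checks and is documented as unsuitable for production. If this tenant is meant to serve real users, the production form would be `args: ["start", "--import-realm"]`. That form also needs hostname and proxy settings (for example `KC_HOSTNAME` and `KC_PROXY_HEADERS`) in the `env` list, which continues outside this hunk and cannot be checked from here.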
@@ -64,6 +64,14 @@ spec:
 initialDelaySeconds: 30
 periodSeconds: 10
 failureThreshold: 40
+ volumeMounts:
+ - name: realm-import
+ mountPath: /opt/keycloak/data/import
+ readOnly: true
+ volumes:
+ - name: realm-import
+ configMap:
+ name: kc-realm-import
 ---
 apiVersion: v1
 kind: Service
diff --git a/tenants/piloto/30-apps-stubs.yaml b/tenants/piloto/30-apps-stubs.yaml
index 18b5fb8..736d4ac 100644
--- a/tenants/piloto/30-apps-stubs.yaml
+++ b/tenants/piloto/30-apps-stubs.yaml
@@ -187,6 +187,7 @@ metadata:
 namespace: piloto-prod
 annotations:
 cert-manager.io/cluster-issuer: letsencrypt-prod
+ traefik.ingress.kubernetes.io/router.middlewares: piloto-prod-redirect-https@kubernetescrd
 spec:
 ingressClassName: traefik
 tls:
diff --git a/tenants/piloto/35-realm-import-cm.yaml b/tenants/piloto/35-realm-import-cm.yaml
new file mode 100644
index 0000000..e989e9d
--- /dev/null
+++ b/tenants/piloto/35-realm-import-cm.yaml
@@ -0,0 +1,39 @@
+apiVersion: v1
+data:
+ athleticmap-realm.json: |
+ {
+ "realm": "athleticmap",
+ "enabled": true,
+ "displayName": "Athletic Map",
+ "loginWithEmailAllowed": true,
+ "roles": {
+ "realm": [
+ { "name": "admin" },
+ { "name": "atm_athlete" },
+ { "name": "atm_trainer" },
+ { "name": "atm_team_admin" },
+ { "name": "atm_fed_admin" }
+ ]
+ },
+ "clients": [
+ {
+ "clientId": "spa",
+ "name": "Athletic Map SPA",
+ "publicClient": true,
+ "protocol": "openid-connect",
+ "standardFlowEnabled": true,
+ "implicitFlowEnabled": false,
+ "directAccessGrantsEnabled": false,
+ "redirectUris": ["https://piloto.187.77.37.184.nip.io/*"],
+ "webOrigins": ["https://piloto.187.77.37.184.nip.io"],
+ "attributes": {
+ "pkce.code.challenge.method": "S256",
+ "post.logout.redirect.uris": "https://piloto.187.77.37.184.nip.io/*"
+ }
+ }
+ ]
+ }
+kind: ConfigMap
+metadata:
+ name: kc-realm-import
+ namespace: piloto-prod
diff --git a/tenants/piloto/40-middleware.yaml b/tenants/piloto/40-middleware.yaml
new file mode 100644
index 0000000..3da56fa
--- /dev/null
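Review bot: The new `volumes:` entry lacks a comment saying that the startup import is one-shot. Keycloak skips the import when the realm already exists, so later edits to `kc-realm-import` do not change a running realm. That matters for security-relevant edits: if the demo tenant imports its realm the same way (its Deployment is not shown here), the user removed from the demo realm file in this commit would remain in an already-imported realm until deleted through the admin API or console. Suggested comment above `volumes:`: `# Imported only when the realm does not exist yet; later ConfigMap edits are not applied to an existing realm.` The file is mounted from a ConfigMap rather than a Secret, so it should stay free of user credentials and client secrets.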
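Review bot: The imported realm leaves `bruteForceProtected` unset, and Keycloak treats that as disabled, so repeated password guesses against the login form are not throttled. Adding `"bruteForceProtected": true,` next to `"loginWithEmailAllowed": true,` would enable the default lockout policy from first boot. Separately, `redirectUris` and `post.logout.redirect.uris` both end in `/*`; if the SPA has a fixed callback path, listing that exact path narrows where authorization codes can be delivered. The PKCE `S256` requirement and the disabled implicit and direct-grant flows already limit the exposure and should be kept.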
+++ b/tenants/piloto/40-middleware.yaml
@@ -0,0 +1,10 @@
+# Redirect HTTP->HTTPS (Traefik). Aplicado por-ingress (nao afeta o desafio ACME do cert-manager).
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+ name: redirect-https
+ namespace: piloto-prod
+spec:
+ redirectScheme:
+ scheme: https
+ permanent: true