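---
# Argo CD Application: Bitnami Keycloak chart, released as "keycloak" into
# mareshq-keycloak, fronted by ingress-nginx at sso.mareshq.com.
#
# Secrets referenced below (keycloak-admin-password, keycloak-database) are
# NOT created by this Application; CreateNamespace=true only creates an empty
# namespace, so they must be provisioned by an earlier sync wave or out of band.
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: lychee-keycloak
  namespace: argocd
  annotations:
    argocd.argoproj.io/sync-wave: "10"
spec:
  project: infrastructure
  syncPolicy:
    automated:
      # prune + selfHeal: anything drifting from this manifest is reverted;
      # manual kubectl edits to the release will not survive.
      prune: true
      selfHeal: true
    syncOptions:
      - CreateNamespace=true
  destination:
    # Hard-coded API server address (not the "in-cluster" alias); the cluster
    # must be registered in Argo CD under exactly this URL.
    server: "https://172.16.152.1:6443"
    namespace: mareshq-keycloak
  source:
    chart: keycloak
    repoURL: https://charts.bitnami.com/bitnami
    targetRevision: 16.1.1
    helm:
      releaseName: keycloak
      valuesObject:
        auth:
          # Bootstrap admin account; the password is read from a pre-existing
          # Secret rather than being stored in this manifest.
          adminUser: mareshqadmin
          existingSecret: keycloak-admin-password
          passwordSecretKey: password
        global:
          storageClass: hcloud-volumes
        replicaCount: 2
        pdb:
          create: true
          minAvailable: 1
        autoscaling:
          enabled: false
        resources:
          limits:
            cpu: 500m
            memory: 1Gi
          requests:
            cpu: 500m
            memory: 1Gi
        # Intent: pods spread across nodes. The hard preset is currently
        # commented out, so only the chart's default (presumably soft)
        # anti-affinity applies — confirm before relying on it for HA.
        # See: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_affinities.tpl#L56-L106
        # podAntiAffinityPreset: hard
        updateStrategy:
          type: RollingUpdate
          # See: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#maximum-unavailable-pods
          # rollingUpdate:
          #   maxUnavailable: 1
        service:
          type: ClusterIP
          # http:
          #   enable: false
        ingress:
          enabled: true
          hostname: sso.mareshq.com
          # Re-encrypt: ingress terminates the Let's Encrypt cert and opens a
          # second TLS connection to Keycloak's https port.
          servicePort: https
          ingressClassName: nginx
          tls: true
          annotations:
            cert-manager.io/cluster-issuer: letsencrypt-prod
            # The backend presents the chart-generated self-signed certificate
            # (tls.autoGenerated below), which the ingress cannot validate.
            # nginx's proxy_ssl_verify already defaults to off; stating it via
            # the dedicated annotation avoids the server-snippet annotation,
            # which injects raw nginx config and is disabled by default in
            # newer ingress-nginx releases (allow-snippet-annotations).
            # Ingress -> Keycloak traffic is encrypted but not authenticated;
            # acceptable only while the backend is not reachable from
            # untrusted network segments.
            nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
            nginx.ingress.kubernetes.io/proxy-ssl-verify: "off"
            # Keycloak responses carry large headers/cookies; 4 x 16k buffers
            # keep nginx from returning 502 "upstream sent too big header".
            nginx.ingress.kubernetes.io/proxy-buffering: "on"
            nginx.ingress.kubernetes.io/proxy-buffers-number: "4"
            nginx.ingress.kubernetes.io/proxy-buffer-size: "16k"
        # NOTE(review): with re-encryption, Keycloak only trusts
        # X-Forwarded-For/-Proto if the chart's proxy setting (proxy /
        # proxyHeaders, depending on chart version) is configured for it;
        # otherwise brute-force detection and audit events see the ingress
        # pod IP as the client. Confirm against chart 16.1.1 defaults.
        tls:
          enabled: true
          autoGenerated: true
        production: true
        metrics:
          # NOTE(review): confirm the metrics endpoint is not routable through
          # the public ingress (it is bound to the port the chart chooses for
          # metrics, which may or may not be the https service port).
          enabled: true
          serviceMonitor:
            enabled: false
        postgresql:
          enabled: false
        externalDatabase:
          # Connection parameters come from a pre-existing Secret; none of
          # them appear in this manifest.
          existingSecret: keycloak-database
          existingSecretHostKey: host
          existingSecretPortKey: port
          existingSecretDatabaseKey: database
          existingSecretUserKey: username
          existingSecretPasswordKey: password
        startupProbe:
          # Worst case before the pod is restarted:
          # 180s initial delay + 80 x 10s = 980s (~16 min).
          enabled: true
          initialDelaySeconds: 180 # 3 min
          periodSeconds: 10
          timeoutSeconds: 5
          failureThreshold: 80 # 80 x 10s ~= 13 min
          successThreshold: 1
        # Custom theme installation and configuration.
        #
        # Supply-chain caveats (no change in behaviour, but worth fixing):
        #  - busybox:latest is an unpinned, mutable tag; pin it by digest.
        #  - The archive is fetched at every pod start with no integrity check,
        #    and busybox's wget may not validate the TLS certificate (depends on
        #    how it was built). Commit a sha256 of the archive and verify it
        #    with `sha256sum -c` before extracting — a tampered theme is served
        #    to every user on the login page.
        #  - Only archive entries under keywind/ land in the shared volume
        #    (mountPath is .../themes/keywind while tar extracts into
        #    .../themes); anything else is discarded with the init container.
        initContainers:
          - name: theme-installer
            image: busybox:latest
            command:
              - /bin/sh
              - "-c"
              - |
                set -eu
                wget https://cdn.mareshq.com/keywind.tar.gz -O /tmp/keywind.tar.gz
                tar -xzf /tmp/keywind.tar.gz -C /opt/bitnami/keycloak/themes
            volumeMounts:
              - mountPath: /opt/bitnami/keycloak/themes/keywind
                name: theme
        extraVolumes:
          - name: theme
            emptyDir: {}
        extraVolumeMounts:
          - name: theme
            mountPath: /opt/bitnami/keycloak/themes/keywind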