2 changes: 2 additions & 0 deletions README.md
Expand Up @@ -287,6 +287,8 @@ Actuator health endpoint는 아래 경로를 사용합니다.
- Argo CD AppProject: [argocd/auth-dev-project.yaml](/home/donghyeon/dev/Project-Auth-Server/argocd/auth-dev-project.yaml)
- Argo CD Application: [argocd/dev-auth-server-application.yaml](/home/donghyeon/dev/Project-Auth-Server/argocd/dev-auth-server-application.yaml)

auth-server dev 배포에는 [k8s/dev/db-migration-job.yaml](/home/donghyeon/dev/Project-Auth-Server/k8s/dev/db-migration-job.yaml)이 포함되어 있어, Argo CD sync 시 migration job이 먼저 실행되고 그 뒤 애플리케이션 Deployment가 따라오는 흐름을 기대합니다.

민감값은 Git에 직접 올리지 않고, [k8s/dev/secret.yaml](/home/donghyeon/dev/Project-Auth-Server/k8s/dev/secret.yaml)에 키 구조만 유지한 채 placeholder 값만 둡니다.
현재 dev 구성은 secret까지 Argo CD가 직접 생성하는 방식이 아니라, 실제 secret은 namespace에 사전 생성하고 Argo CD는 그 참조만 배포하는 방식입니다.

49 changes: 49 additions & 0 deletions k8s/dev/db-migration-job.yaml
@@ -0,0 +1,49 @@
apiVersion: batch/v1
kind: Job
metadata:
name: auth-db-migration
annotations:
argocd.argoproj.io/sync-wave: "-1"
spec:
backoffLimit: 1
template:
metadata:
labels:
app: auth-db-migration
spec:
serviceAccountName: auth-server
automountServiceAccountToken: false
restartPolicy: Never
securityContext:
runAsNonRoot: true
runAsUser: 10001
runAsGroup: 10001
seccompProfile:
type: RuntimeDefault
containers:
- name: auth-db-migration
image: ghcr.io/donghyeonka/project-auth-server
imagePullPolicy: IfNotPresent
envFrom:
- configMapRef:
name: auth-server-config
- secretRef:
name: auth-server-secret
env:
- name: SPRING_MAIN_WEB_APPLICATION_TYPE
value: none
- name: APP_PERSISTENCE_MIGRATION_RUN_ON_STARTUP
value: "true"
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: false
resources:
requests:
cpu: 100m
memory: 256Mi
limits:
cpu: 500m
memory: 512Mi
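Review bot: The migration Job is tracked as an ordinary resource ordered by `argocd.argoproj.io/sync-wave: "-1"` rather than as a sync hook, and a Kubernetes Job's pod template is immutable, so the first sync creates and runs it but a later sync that changes the image tag or env cannot update it in place, and the migration will not re-run ahead of the new Deployment as the README hunk describes. Declaring it as a hook that is recreated on every sync, `argocd.argoproj.io/hook: PreSync` plus `argocd.argoproj.io/hook-delete-policy: BeforeHookCreation`, gives the run-before-deploy flow without relying on Job mutability. Separately, `readOnlyRootFilesystem: false` leaves the migration container with a writable root filesystem while the rest of its securityContext is locked down; if the JVM only needs scratch space, an emptyDir mounted at /tmp with `readOnlyRootFilesystem: true` is tighter — verify what the image writes at startup before flipping it.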
2 changes: 2 additions & 0 deletions k8s/dev/deployment.yaml
Expand Up @@ -2,6 +2,8 @@ apiVersion: apps/v1
kind: Deployment
metadata:
name: auth-server
annotations:
argocd.argoproj.io/sync-wave: "0"

spec:
replicas: 1
11 changes: 6 additions & 5 deletions k8s/dev/kustomization.yaml
Expand Up @@ -4,11 +4,12 @@ kind: Kustomization
namespace: auth-dev

resources:
- namespace.yaml
- serviceaccount.yaml
- configmap.yaml
- service.yaml
- deployment.yaml
- namespace.yaml
- serviceaccount.yaml
- configmap.yaml
- service.yaml
- db-migration-job.yaml
- deployment.yaml

images:
- name: ghcr.io/donghyeonka/project-auth-server
18 changes: 14 additions & 4 deletions k8s/platform-dev/keycloak-deployment.yaml
Expand Up @@ -26,6 +26,8 @@ spec:
ports:
- containerPort: 8080
name: http
- containerPort: 9000
name: management
env:
- name: KC_DB
value: postgres
Expand Down Expand Up @@ -60,17 +62,25 @@ spec:
readinessProbe:
httpGet:
path: /health/ready
port: http
initialDelaySeconds: 30
port: management
initialDelaySeconds: 20
periodSeconds: 10
timeoutSeconds: 3
livenessProbe:
httpGet:
path: /health/live
port: http
initialDelaySeconds: 40
port: management
initialDelaySeconds: 30
periodSeconds: 15
timeoutSeconds: 3
startupProbe:
httpGet:
path: /health/ready
port: management
initialDelaySeconds: 10
periodSeconds: 10
timeoutSeconds: 3
failureThreshold: 12
resources:
requests:
cpu: 250m
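Review bot: All three probes now depend on the `management` listener on 9000 serving the health endpoints, but the env block that would enable them (KC_HEALTH_ENABLED) and the image tag that determines whether the management interface defaults to 9000 both lie outside the hunk, so this diff alone cannot show that /health/ready answers on that port; if it does not, the startupProbe exhausts its 12 failures and the pod restarts in a loop. The startupProbe and readinessProbe also poll the same /health/ready path; Keycloak exposes a dedicated started check, and `path: /health/started` on the startupProbe keeps "process finished booting" separate from "database reachable". With a startupProbe present, the `initialDelaySeconds` on the readiness and liveness probes are largely redundant, since those probes only begin once startup has succeeded.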
36 changes: 34 additions & 2 deletions k8s/platform-dev/postgres-statefulset.yaml
Expand Up @@ -14,16 +14,40 @@ spec:
app: postgres
spec:
securityContext:
runAsNonRoot: true
runAsUser: 999
runAsGroup: 999
fsGroup: 999
seccompProfile:
type: RuntimeDefault
initContainers:
- name: postgres-permissions
image: busybox:1.36
command:
- sh
- -c
- |
set -eu
mkdir -p /var/lib/postgresql/data/pgdata /var/run/postgresql
chown -R 999:999 /var/lib/postgresql/data /var/run/postgresql
securityContext:
runAsUser: 0
runAsGroup: 0
allowPrivilegeEscalation: false
volumeMounts:
- name: postgres-data
mountPath: /var/lib/postgresql/data
- name: postgres-run
mountPath: /var/run/postgresql
containers:
- name: postgres
image: postgres:16-alpine
ports:
- containerPort: 5432
name: postgres
env:
- name: PGDATA
value: /var/lib/postgresql/data/pgdata
- name: POSTGRES_USER
valueFrom:
configMapKeyRef:
name: platform-secret
key: KEYCLOAK_DB_PASSWORD
securityContext:
runAsUser: 0
runAsGroup: 0
runAsNonRoot: true
runAsUser: 999
runAsGroup: 999
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
volumeMounts:
- name: postgres-data
mountPath: /var/lib/postgresql/data
- name: postgres-init-script
mountPath: /docker-entrypoint-initdb.d/01-init-project-auth-databases.sh
subPath: 01-init-project-auth-databases.sh
- name: postgres-run
mountPath: /var/run/postgresql
readinessProbe:
exec:
command:
configMap:
name: postgres-init-script
defaultMode: 0555
- name: postgres-run
emptyDir: {}
volumeClaimTemplates:
- metadata:
name: postgres-data
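Review bot: The postgres-permissions init container sets `runAsUser: 0` but inherits the pod-level `runAsNonRoot: true` added in the first hunk, and the kubelet rejects that combination ("container's runAsUser breaks non-root policy"), so the init container fails with CreateContainerConfigError and the StatefulSet never reaches the postgres container. Its securityContext needs an explicit `runAsNonRoot: false`, and since it only creates and chowns two directories it should drop capabilities the way the main container now does, adding back only what mkdir/chown as root require — confirm against the busybox image. The pod also sets `fsGroup: 999`, which already makes Kubernetes recurse over the PVC contents on mount; postgres checks directory ownership as well as group, so the `chown -R` may still be needed, but the two walks now overlap on every restart and `fsGroupChangePolicy: OnRootMismatch` would avoid the duplicate recursion.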