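---
# Keycloak (Quarkus distribution, `start` + KC_* env) published through Traefik.
#
# Exposure model, as implemented by the three routers in keycloak_labels:
#   1. `-public`        – everything on the stage domain, every method
#   2. `-public-login`  – the realm login POST (login-actions/authenticate) for
#                         every realm except `master`
#   3. `-private`       – every POST/PUT/DELETE/PATCH, gated by an IP whitelist
# Traefik picks the router with the highest priority, and with no explicit
# priority it derives one from the rule length; that is the only reason
# `-public-login` (longest rule) beats `-private` (Host && Method) which beats
# `-public` (Host only). The ordering is implicit — an explicit
# `traefik.http.routers.<name>.priority` on all three would make it survive
# rule edits and routers injected via keycloak_labels_additional.
keycloak_id: "{{ inventory_hostname }}-keycloak"
keycloak_postgres_id: "{{ inventory_hostname }}-postgres-keycloak"

# Every entry is a single-quoted YAML scalar whose content keeps its own double
# quotes ("…"); the consuming template writes them out verbatim as compose labels.
keycloak_labels:
  # Define the Traefik service all routers below forward to
  - '"traefik.http.services.{{ keycloak_id }}.loadbalancer.server.port={{ service_port }}"'

  # Router 1: open all. Note this also serves the admin console UI (`/admin`)
  # over GET; only the write methods are restricted by router 3. If the console
  # should not be reachable from the internet at all, add a whitelisted router
  # for its path prefix as well.
  - '"traefik.enable=true"'
  - '"traefik.http.routers.{{ keycloak_id }}-public.service={{ keycloak_id }}"'
  - '"traefik.http.routers.{{ keycloak_id }}-public.rule=Host(`{{ stage_server_domain }}`)"'
  - '"traefik.http.routers.{{ keycloak_id }}-public.entrypoints=websecure"'
  - '"traefik.http.routers.{{ keycloak_id }}-public.tls=true"'
  - '"traefik.http.routers.{{ keycloak_id }}-public.tls.certresolver=letsencrypt"'

  # Router 2: allow the login POST (except for the master realm, so admin
  # logins stay intranet-only via router 3).
  # The path prefix is parameterised: Keycloak's Quarkus distribution serves at
  # `/` unless KC_HTTP_RELATIVE_PATH (or --http-relative-path at build time) is
  # set to `/auth`, and no such env var is set in keycloak_docker below — so
  # confirm the image bakes it in. If it does not, this rule never matches,
  # public login POSTs fall through to router 3 and are rejected for
  # non-whitelisted clients (fails closed, but logins break). Set
  # keycloak_http_relative_path to "" when Keycloak is served at the root.
  # NOTE(review): also confirm Traefik matches PathPrefix against the decoded
  # path — otherwise a percent-encoded `master` could slip past the exclusion.
  - '"traefik.http.routers.{{ keycloak_id }}-public-login.service={{ keycloak_id }}"'
  - '"traefik.http.routers.{{ keycloak_id }}-public-login.rule=Host(`{{ stage_server_domain }}`) && (PathPrefix(`{{ keycloak_http_relative_path | default("/auth") }}/realms/{realm:[^/]+}/login-actions/authenticate`) && !PathPrefix(`{{ keycloak_http_relative_path | default("/auth") }}/realms/master/login-actions/authenticate`))"'
  - '"traefik.http.routers.{{ keycloak_id }}-public-login.entrypoints=websecure"'
  - '"traefik.http.routers.{{ keycloak_id }}-public-login.tls=true"'
  - '"traefik.http.routers.{{ keycloak_id }}-public-login.tls.certresolver=letsencrypt"'

  # Router 3: restrict all POST, PUT, DELETE, PATCH to the intranet.
  # The whitelist middleware checks the TCP peer address by default (no
  # ipStrategy configured here). If Traefik itself sits behind another proxy or
  # load balancer, the peer is that hop; should its address be in the list,
  # every client passes — set ipStrategy.depth/excludedIPs in that case.
  # The `ipwhitelist` middleware name is the Traefik v2 spelling; v3 renamed it
  # to `ipallowlist` — adjust if the proxy is upgraded.
  - '"traefik.http.routers.{{ keycloak_id }}-private.service={{ keycloak_id }}"'
  - '"traefik.http.routers.{{ keycloak_id }}-private.rule=Host(`{{ stage_server_domain }}`) && Method(`POST`,`PUT`,`DELETE`,`PATCH`)"'
  - '"traefik.http.routers.{{ keycloak_id }}-private.entrypoints=websecure"'
  - '"traefik.http.routers.{{ keycloak_id }}-private.tls=true"'
  - '"traefik.http.routers.{{ keycloak_id }}-private.tls.certresolver=letsencrypt"'
  - '"traefik.http.routers.{{ keycloak_id }}-private.middlewares={{ keycloak_id }}-private-ipwhitelist"'
  - '"traefik.http.middlewares.{{ keycloak_id }}-private-ipwhitelist.ipwhitelist.sourcerange={{ (ip_whitelist + k8s_worker_node_ips + keycloak_ip_whitelist) | join(",") }}"'

# Compose-style service definition consumed by the deployment template.
keycloak_docker:
  networks:
    - name: front-tier
      external: true
  services:
    - name: "{{ keycloak_id }}"
      image_name: "{{ keycloak_image }}"
      image_version: "{{ keycloak_version }}"
      # Extra labels (e.g. more routers) are appended after the three above;
      # they compete on the same implicit rule-length priority.
      labels: "{{ keycloak_labels + ( keycloak_labels_additional | default([])) }}"
      command: "start --log-console-output=json"
      # Each item is rendered verbatim as a `KEY: "value"` environment line.
      # keycloak_admin_password / keycloak_postgres_password are expected to
      # come from an encrypted source (e.g. Ansible Vault) — do not inline them.
      environment:
        - "KEYCLOAK_ADMIN: \"{{ keycloak_admin_username }}\""
        - "KEYCLOAK_ADMIN_PASSWORD: \"{{ keycloak_admin_password }}\""
        # `edge`: TLS terminates at Traefik and Keycloak trusts the proxy's
        # X-Forwarded-* headers. That trust is only safe while the container
        # port is not reachable except through Traefik (see `ports` below).
        - "KC_PROXY: \"edge\""
        - "KC_HOSTNAME: \"{{ stage_server_domain }}\""
        - "KC_DB: \"postgres\""
        - "KC_DB_USERNAME: \"{{ keycloak_postgres_username }}\""
        - "KC_DB_PASSWORD: \"{{ keycloak_postgres_password }}\""
        # sslmode is parameterised; the default keeps the previous `require`,
        # which encrypts the link but does NOT validate the server certificate
        # (PgJDBC uses a non-validating trust factory for it). Set
        # keycloak_postgres_sslmode to `verify-full` and ship the CA via
        # `sslrootcert` to defeat MITM on the database connection.
        - "KC_DB_URL: \"jdbc:postgresql://{{ shared_service_postgres_primary }}:{{ service_port_postgres }}/{{ keycloak_postgres_database }}?sslmode={{ keycloak_postgres_sslmode | default('require') }}\""
      networks:
        - '"front-tier"'
      # Publishes the Keycloak HTTP port on the host. Anyone who can reach
      # service_port_keycloak_external directly bypasses every Traefik router
      # and therefore the IP whitelist on write methods; bind it to loopback or
      # firewall it so only Traefik can connect.
      ports:
        - external: "{{ service_port_keycloak_external }}"
          internal: "{{ service_port_keycloak }}"
      extra_hosts: "{{ keycloak_extra_hosts | default([]) }}"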