From 20b0aa391335a420bf4dcdd70caa8e02b771fb60 Mon Sep 17 00:00:00 2001
From: sambles
Date: Thu, 23 May 2024 09:52:55 +0100
Subject: [PATCH] Azure Postgres Flexible server support (#1040)
* Update keycloak to mount in cert from KeyVault
* Test chart install - minikube without azure values
---
 .../oasis-platform/templates/keycloak.yaml | 28 +++++++++++++++++--
 1 file changed, 26 insertions(+), 2 deletions(-)
diff --git a/kubernetes/charts/oasis-platform/templates/keycloak.yaml b/kubernetes/charts/oasis-platform/templates/keycloak.yaml
index 02ba24e53..8a9becb23 100644
--- a/kubernetes/charts/oasis-platform/templates/keycloak.yaml
+++ b/kubernetes/charts/oasis-platform/templates/keycloak.yaml
@@ -98,6 +98,12 @@ spec:
 ports:
 - containerPort: {{ .Values.keycloak.port }}
 env:
+ {{- if (.Values.azure).secretProvider }}
+ {{- if hasKey .Values.azure.secretProvider.secrets "keycloak-cert" }}
+ - name: KC_DB_URL_PROPERTIES
+ value: "?sslmode=verify-full&sslcert=root.crt"
+ {{- end }}
+ {{- end }}
 - name: KC_LOGLEVEL
 value: DEBUG
 - name: PROXY_ADDRESS_FORWARDING
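Review bot: The `KC_DB_URL_PROPERTIES` value passes the CA file as `sslcert`, which in the PostgreSQL JDBC driver names the client certificate; the trust anchor used by `sslmode=verify-full` is `sslrootcert`. As written, server verification presumably works only because the file is mounted where the driver looks by default (`~/.postgresql/root.crt`), which holds only while the container user's home is `/opt/keycloak`. Naming the CA explicitly with an absolute path removes that dependency: `value: "?sslmode=verify-full&sslrootcert=/opt/keycloak/.postgresql/root.crt"`. The env list continues outside the hunk.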
@@ -172,16 +178,34 @@ spec:
 - name: realm-config
 mountPath: /opt/keycloak/data/import/oasis-realm.json
 subPath: oasis
+ {{- if (.Values.azure).secretProvider }}
+ {{- if hasKey .Values.azure.secretProvider.secrets "keycloak-cert" }}
+ - name: azure-keycloak-cert
+ mountPath: /opt/keycloak/.postgresql/root.crt
+ subPath: keycloak-cert-file
+ readOnly: true
+ {{- end }}
+ {{- end }}
 volumes:
 - name: realm-config
 configMap:
 name: {{ $realmSecretName }}
-{{- if (.Values.azure).secretProvider }}
+ {{- if (.Values.azure).secretProvider }}
+ {{- if hasKey .Values.azure.secretProvider.secrets "keycloak-cert" }}
+ - name: azure-keycloak-cert
+ csi:
+ driver: secrets-store.csi.k8s.io
+ readOnly: true
+ volumeAttributes:
+ secretProviderClass: "azure-secret-provider"
+ objectName: "keycloak-cert-file"
+ objectType: "secret"
+ {{- end }}
 - name: azure-secret-provider
 csi:
 driver: secrets-store.csi.k8s.io
 readOnly: true
 volumeAttributes:
 secretProviderClass: "azure-secret-provider"
-{{- end }}
+ {{- end }}
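Review bot: The new `azure-keycloak-cert` volume sets `objectName` and `objectType` under `volumeAttributes`, but as far as I know the Secrets Store CSI driver reads only `secretProviderClass` from the pod volume and takes the object list from the SecretProviderClass itself. If so, these two keys have no effect and the volume carries every object defined in `azure-secret-provider`, with only the `subPath` file mounted into the container. The mount therefore depends on that class producing a file named `keycloak-cert-file`, which deserves a comment above the volume such as `# file name must match an object in the azure-secret-provider SecretProviderClass`. Because the file is mounted through `subPath`, the container does not see updated content, so a CA rotation in Key Vault needs a pod restart to take effect. The volumeMounts and volumes lists both start outside the hunk.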