Kubernetes Deployment
This option is recommended for production environments requiring high availability, scalability, and cloud-native operations.
Kubernetes Manifests
Namespace
---
# Namespace that holds every idp-broker resource defined below.
apiVersion: v1
kind: Namespace
metadata:
  name: idp-broker
Secrets
---
# Runtime secrets, injected into the container through envFrom/secretRef.
# Every value below is a placeholder: fill it in at deploy time and keep the
# populated file out of version control.
apiVersion: v1
kind: Secret
metadata:
  name: idp-broker-secrets
  namespace: idp-broker
type: Opaque
stringData:
  SECRET_ENCRYPTION_KEY: 'YOUR_BASE64_KEY_HERE'
  # Vendor public key (PEM) used to verify license files.
  # Omit it ⇒ 30-day trial, then FREE tier.
  LICENSE_PUBLIC_KEY: |-
    -----BEGIN PUBLIC KEY-----
    ...
    -----END PUBLIC KEY-----
  # Redis
  SPRING_DATA_REDIS_PASSWORD: 'your-redis-password'
  # Azure Key Vault (omit both keys when authenticating with a managed identity)
  AZURE_KEYVAULT_URI: 'https://your-vault.vault.azure.net/'
  AZURE_TENANT_ID: 'your-tenant-id'
ConfigMap
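---
# Non-secret runtime configuration, injected through envFrom/configMapRef.
# Values are plain strings; the application parses booleans/ports itself.
apiVersion: v1
kind: ConfigMap
metadata:
  name: idp-broker-config
  namespace: idp-broker
data:
  BROKER_ISSUER: "https://idp.yourdomain.com"
  BROKER_ISSUER_DYNAMIC: "false"
  # Database file on the `data` PVC mounted at /app/data.
  DB_PATH: "/app/data/idp-broker.db"
  APP_LOGS_DIRECTORY: "/app/logs"
  REDIS_ENABLED: "true"
  SPRING_DATA_REDIS_HOST: "idp-redis-service"
  SPRING_DATA_REDIS_PORT: "6379"
  # Secret backend. The Azure Workload Identity section overrides this to
  # "azure" with a container `env` entry, which takes precedence over envFrom.
  SECRET_MANAGER_TYPE: "local"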
PersistentVolumeClaims
---
# Data volume holding the database file (DB_PATH in the ConfigMap).
# NOTE(review): ReadWriteOnce can only be mounted from one node at a time,
# while the Deployment runs replicas: 2 and the HPA scales to 10 — confirm
# the storage class supports the intended replica count, or use
# ReadWriteMany storage.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: idp-broker-data-pvc
  namespace: idp-broker
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 5Gi
  storageClassName: standard  # change to your storage class
---
# Log volume mounted at /app/logs; same ReadWriteOnce caveat as above.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: idp-broker-logs-pvc
  namespace: idp-broker
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 2Gi
  storageClassName: standard
Deployment
---
# Application Deployment. Configuration arrives via envFrom from the ConfigMap
# and Secret above; persistent state lives on the two PVCs.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: idp-broker
  namespace: idp-broker
  labels:
    app: idp-broker
spec:
  # NOTE(review): both PVCs are ReadWriteOnce, so a second replica can only
  # start on the node that already holds the volumes — confirm the storage
  # class allows that before relying on two replicas.
  replicas: 2
  selector:
    matchLabels:
      app: idp-broker
  template:
    metadata:
      labels:
        app: idp-broker
    spec:
      # NOTE(review): no pod or container securityContext is set. Once the
      # image is confirmed to run as a non-root user, add runAsNonRoot: true
      # and allowPrivilegeEscalation: false here.
      containers:
        - name: idp-broker
          image: yourdockerhub/idp-broker:1.0.7-beta
          imagePullPolicy: Always
          ports:
            - name: http
              containerPort: 8080
          env:
            - name: JAVA_OPTS
              value: '-Xms512m -Xmx1024m'
          # Keys listed in `env` take precedence over the same keys from envFrom.
          envFrom:
            - configMapRef:
                name: idp-broker-config
            - secretRef:
                name: idp-broker-secrets
          volumeMounts:
            - name: data
              mountPath: /app/data
            - name: logs
              mountPath: /app/logs
          resources:
            requests:
              memory: '512Mi'
              cpu: '250m'
            limits:
              # NOTE(review): -Xmx1024m equals this 1Gi limit, leaving no room
              # for non-heap JVM memory; the container may be OOM-killed under
              # load — consider a lower -Xmx or a higher limit.
              memory: '1Gi'
              cpu: '1000m'
          # Probes reference the named container port `http` (8080).
          livenessProbe:
            httpGet:
              path: /actuator/health/liveness
              port: http
            initialDelaySeconds: 60
            periodSeconds: 10
            timeoutSeconds: 3
            failureThreshold: 3
          readinessProbe:
            httpGet:
              path: /actuator/health/readiness
              port: http
            initialDelaySeconds: 30
            periodSeconds: 5
            timeoutSeconds: 3
            failureThreshold: 3
      volumes:
        - name: data
          persistentVolumeClaim:
            claimName: idp-broker-data-pvc
        - name: logs
          persistentVolumeClaim:
            claimName: idp-broker-logs-pvc
Service
---
# Cluster-internal Service in front of the Deployment; the Ingress targets it.
apiVersion: v1
kind: Service
metadata:
  name: idp-broker-service
  namespace: idp-broker
spec:
  type: ClusterIP
  selector:
    app: idp-broker
  ports:
    - name: http
      protocol: TCP
      port: 8080
      # Resolves to the container port named `http` (8080).
      targetPort: http
Ingress (AKS Application Gateway)
---
# Public entry point through Azure Application Gateway (AGIC). TLS uses the
# idp-broker-tls secret, which the cert-manager cluster-issuer annotation asks
# cert-manager to populate.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: idp-broker-ingress
  namespace: idp-broker
  annotations:
    # NOTE(review): the kubernetes.io/ingress.class annotation is deprecated
    # upstream in favour of spec.ingressClassName; keep it while the installed
    # AGIC release requires it — confirm against that release.
    kubernetes.io/ingress.class: azure/application-gateway
    cert-manager.io/cluster-issuer: letsencrypt-prod
    appgw.ingress.kubernetes.io/ssl-redirect: 'true'
    appgw.ingress.kubernetes.io/connection-draining: 'true'
    appgw.ingress.kubernetes.io/connection-draining-timeout: '30'
spec:
  tls:
    - hosts:
        - idp.yourdomain.com
      secretName: idp-broker-tls
  rules:
    - host: idp.yourdomain.com
      http:
        paths:
          # Prefix / forwards every path, including /actuator/*, to the app.
          # NOTE(review): confirm the application exposes only the health
          # endpoints the probes use, or restrict actuator exposure.
          - path: /
            pathType: Prefix
            backend:
              service:
                name: idp-broker-service
                port:
                  number: 8080
Horizontal Pod Autoscaler
---
# Scales the Deployment between 2 and 10 replicas on CPU and memory utilization.
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  name: idp-broker-hpa
  namespace: idp-broker
spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: idp-broker
  minReplicas: 2
  # NOTE(review): scaling beyond one node requires the PVCs to be mountable
  # from several nodes (they are ReadWriteOnce above) — confirm before
  # relying on this maximum.
  maxReplicas: 10
  metrics:
    - type: Resource
      resource:
        name: cpu
        target:
          type: Utilization
          averageUtilization: 70
    # NOTE(review): a JVM started with -Xms512m/-Xmx1024m seldom returns heap
    # to the OS, so memory utilization tends to stay high and may keep the
    # HPA scaled up.
    - type: Resource
      resource:
        name: memory
        target:
          type: Utilization
          averageUtilization: 80
Deploy to Kubernetes
# Create the namespace first, then its resources in dependency order.
# secret.yaml contains real values once filled in: apply it from a protected
# location rather than a committed copy.
for manifest in namespace secret configmap pvc deployment service ingress hpa; do
  kubectl apply -f "${manifest}.yaml"
done

# Check deployment status
kubectl -n idp-broker get pods
kubectl -n idp-broker get svc
kubectl -n idp-broker get ingress

# View logs
kubectl -n idp-broker logs -f deployment/idp-broker

# Scale manually (only if not using the HPA, which otherwise manages the replica count)
kubectl -n idp-broker scale deployment idp-broker --replicas=3
Azure Key Vault (Managed Identity)
# Use Azure Workload Identity: the ServiceAccount carries the managed
# identity's client id and the pod label enables token injection, so no
# client secret or AZURE_TENANT_ID needs to live in the Secret.
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: idp-broker-sa
  namespace: idp-broker
  annotations:
    azure.workload.identity/client-id: 'YOUR_MANAGED_IDENTITY_CLIENT_ID'
---
# Partial Deployment: only the fields that differ from the base Deployment are
# shown. Merge them into deployment.yaml (or apply them as a patch) — this
# document is not complete enough to be applied on its own.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: idp-broker
  namespace: idp-broker
spec:
  template:
    metadata:
      labels:
        azure.workload.identity/use: 'true'
    spec:
      serviceAccountName: idp-broker-sa
      containers:
        - name: idp-broker
          # Container `env` entries take precedence over the same keys that
          # arrive from the ConfigMap/Secret via envFrom.
          env:
            - name: SECRET_MANAGER_TYPE
              value: 'azure'
            - name: AZURE_KEYVAULT_URI
              value: 'https://your-vault.vault.azure.net/'
          # Managed identity handles authentication automatically.