This commit is contained in:
Philip Haupt
2025-05-31 18:07:06 +02:00
parent f55636aad5
commit 0e05dc00e7
4 changed files with 2088 additions and 0 deletions


@@ -0,0 +1,6 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- main.yaml

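Review bot: Every object in `main.yaml` is placed in `namespace: keycloak`, but neither this kustomization nor `main.yaml` defines a `Namespace` object, so `kubectl apply -k` on a fresh cluster fails with a not-found error unless the namespace is created elsewhere. If it is not, add a minimal `Namespace` manifest and list it ahead of the rendered file: `- namespace.yaml`. A short comment above `resources:` stating that `main.yaml` appears to be Helm-rendered output (its labels say `managed-by: Helm`) and should be regenerated rather than hand-edited would help the next maintainer.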
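--- a/keycloak/main.yaml
+++ b/keycloak/main.yaml
@@ -0,0 +1,659 @@
+apiVersion: v1
+automountServiceAccountToken: false
+kind: ServiceAccount
+metadata:
+labels:
+app.kubernetes.io/component: keycloak
+app.kubernetes.io/instance: keycloak
+app.kubernetes.io/managed-by: Helm
+app.kubernetes.io/name: keycloak
+app.kubernetes.io/version: 26.2.5
+helm.sh/chart: keycloak-24.7.3
+name: keycloak
+namespace: keycloak
+---
+apiVersion: v1
+automountServiceAccountToken: false
+kind: ServiceAccount
+metadata:
+labels:
+app.kubernetes.io/instance: keycloak
+app.kubernetes.io/managed-by: Helm
+app.kubernetes.io/name: postgresql
+app.kubernetes.io/version: 17.4.0
+helm.sh/chart: postgresql-16.6.6
+name: keycloak-postgresql
+namespace: keycloak
+---
+apiVersion: v1
+data:
+JAVA_OPTS_APPEND: -Djgroups.dns.query=keycloak-headless.keycloak.svc.cluster.local
+KC_BOOTSTRAP_ADMIN_USERNAME: user
+KC_CACHE_CONFIG_FILE: cache-ispn.xml
+KC_CACHE_STACK: kubernetes
+KC_CACHE_TYPE: ispn
+KEYCLOAK_DATABASE_HOST: keycloak-postgresql
+KEYCLOAK_DATABASE_NAME: keycloak
+KEYCLOAK_DATABASE_PORT: "5432"
+KEYCLOAK_DATABASE_USER: keycloak
+KEYCLOAK_ENABLE_HTTPS: "false"
+KEYCLOAK_ENABLE_STATISTICS: "false"
+KEYCLOAK_HTTP_PORT: "8080"
+KEYCLOAK_LOG_LEVEL: INFO
+KEYCLOAK_LOG_OUTPUT: default
+KEYCLOAK_PRODUCTION: "true"
+KEYCLOAK_PROXY_HEADERS: xforwarded
+kind: ConfigMap
+metadata:
+labels:
+app.kubernetes.io/component: keycloak
+app.kubernetes.io/instance: keycloak
+app.kubernetes.io/managed-by: Helm
+app.kubernetes.io/name: keycloak
+app.kubernetes.io/version: 26.2.5
+helm.sh/chart: keycloak-24.7.3
+name: keycloak-env-vars
+namespace: keycloak
+---
+apiVersion: v1
+data:
+admin-password: bUpoNExmSGVYNg==
+kind: Secret
+metadata:
+labels:
+app.kubernetes.io/component: keycloak
+app.kubernetes.io/instance: keycloak
+app.kubernetes.io/managed-by: Helm
+app.kubernetes.io/name: keycloak
+app.kubernetes.io/version: 26.2.5
+helm.sh/chart: keycloak-24.7.3
+name: keycloak
+namespace: keycloak
+type: Opaque
+---
+apiVersion: v1
+kind: Service
+metadata:
+labels:
+app.kubernetes.io/component: keycloak
+app.kubernetes.io/instance: keycloak
+app.kubernetes.io/managed-by: Helm
+app.kubernetes.io/name: keycloak
+app.kubernetes.io/version: 26.2.5
+helm.sh/chart: keycloak-24.7.3
+name: keycloak
+namespace: keycloak
+spec:
+ports:
+- name: http
+nodePort: null
+port: 80
+protocol: TCP
+targetPort: http
+selector:
+app.kubernetes.io/component: keycloak
+app.kubernetes.io/instance: keycloak
+app.kubernetes.io/name: keycloak
+sessionAffinity: None
+type: ClusterIP
+---
+apiVersion: v1
+kind: Service
+metadata:
+labels:
+app.kubernetes.io/component: keycloak
+app.kubernetes.io/instance: keycloak
+app.kubernetes.io/managed-by: Helm
+app.kubernetes.io/name: keycloak
+app.kubernetes.io/version: 26.2.5
+helm.sh/chart: keycloak-24.7.3
+name: keycloak-headless
+namespace: keycloak
+spec:
+clusterIP: None
+ports:
+- name: http
+port: 8080
+protocol: TCP
+targetPort: http
+publishNotReadyAddresses: true
+selector:
+app.kubernetes.io/component: keycloak
+app.kubernetes.io/instance: keycloak
+app.kubernetes.io/name: keycloak
+type: ClusterIP
+---
+apiVersion: v1
+kind: Service
+metadata:
+labels:
+app.kubernetes.io/component: primary
+app.kubernetes.io/instance: keycloak
+app.kubernetes.io/managed-by: Helm
+app.kubernetes.io/name: postgresql
+app.kubernetes.io/version: 17.4.0
+helm.sh/chart: postgresql-16.6.6
+name: keycloak-postgresql
+namespace: keycloak
+spec:
+ports:
+- name: tcp-postgresql
+nodePort: null
+port: 5432
+targetPort: tcp-postgresql
+selector:
+app.kubernetes.io/component: primary
+app.kubernetes.io/instance: keycloak
+app.kubernetes.io/name: postgresql
+sessionAffinity: None
+type: ClusterIP
+---
+apiVersion: v1
+kind: Service
+metadata:
+labels:
+app.kubernetes.io/component: primary
+app.kubernetes.io/instance: keycloak
+app.kubernetes.io/managed-by: Helm
+app.kubernetes.io/name: postgresql
+app.kubernetes.io/version: 17.4.0
+helm.sh/chart: postgresql-16.6.6
+name: keycloak-postgresql-hl
+namespace: keycloak
+spec:
+clusterIP: None
+ports:
+- name: tcp-postgresql
+port: 5432
+targetPort: tcp-postgresql
+publishNotReadyAddresses: true
+selector:
+app.kubernetes.io/component: primary
+app.kubernetes.io/instance: keycloak
+app.kubernetes.io/name: postgresql
+type: ClusterIP
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+labels:
+app.kubernetes.io/component: keycloak
+app.kubernetes.io/instance: keycloak
+app.kubernetes.io/managed-by: Helm
+app.kubernetes.io/name: keycloak
+app.kubernetes.io/version: 26.2.5
+helm.sh/chart: keycloak-24.7.3
+name: keycloak
+namespace: keycloak
+spec:
+podManagementPolicy: Parallel
+replicas: 1
+revisionHistoryLimit: 10
+selector:
+matchLabels:
+app.kubernetes.io/component: keycloak
+app.kubernetes.io/instance: keycloak
+app.kubernetes.io/name: keycloak
+serviceName: keycloak-headless
+template:
+metadata:
+annotations:
+checksum/configmap-env-vars: 7ed8e56f444615469aa0ea38e604cc7c913c1dd874dcfc7e5dac178b777f2633
+checksum/secrets: b428291160dc82579b5eda80498f0ba89b4f09a208dc79f651436cd046dee6d7
+labels:
+app.kubernetes.io/app-version: 26.2.5
+app.kubernetes.io/component: keycloak
+app.kubernetes.io/instance: keycloak
+app.kubernetes.io/managed-by: Helm
+app.kubernetes.io/name: keycloak
+app.kubernetes.io/version: 26.2.5
+helm.sh/chart: keycloak-24.7.3
+spec:
+affinity:
+nodeAffinity: null
+podAffinity: null
+podAntiAffinity:
+preferredDuringSchedulingIgnoredDuringExecution:
+- podAffinityTerm:
+labelSelector:
+matchLabels:
+app.kubernetes.io/instance: keycloak
+app.kubernetes.io/name: keycloak
+topologyKey: kubernetes.io/hostname
+weight: 1
+automountServiceAccountToken: true
+containers:
+- env:
+- name: KUBERNETES_NAMESPACE
+valueFrom:
+fieldRef:
+apiVersion: v1
+fieldPath: metadata.namespace
+- name: BITNAMI_DEBUG
+value: "false"
+- name: KC_BOOTSTRAP_ADMIN_PASSWORD_FILE
+value: /opt/bitnami/keycloak/secrets/admin-password
+- name: KEYCLOAK_DATABASE_PASSWORD_FILE
+value: /opt/bitnami/keycloak/secrets/db-db-pass
+- name: KEYCLOAK_HTTP_RELATIVE_PATH
+value: /
+- name: KC_SPI_ADMIN_REALM
+value: master
+envFrom:
+- configMapRef:
+name: keycloak-env-vars
+image: docker.io/bitnami/keycloak:26.2.5-debian-12-r1
+imagePullPolicy: IfNotPresent
+livenessProbe:
+failureThreshold: 3
+initialDelaySeconds: 300
+periodSeconds: 1
+successThreshold: 1
+tcpSocket:
+port: http
+timeoutSeconds: 5
+name: keycloak
+ports:
+- containerPort: 8080
+name: http
+protocol: TCP
+- containerPort: 7800
+name: discovery
+readinessProbe:
+failureThreshold: 3
+httpGet:
+path: /realms/master
+port: http
+initialDelaySeconds: 30
+periodSeconds: 10
+successThreshold: 1
+timeoutSeconds: 1
+resources:
+limits:
+cpu: 750m
+ephemeral-storage: 2Gi
+memory: 768Mi
+requests:
+cpu: 500m
+ephemeral-storage: 50Mi
+memory: 512Mi
+securityContext:
+allowPrivilegeEscalation: false
+capabilities:
+drop:
+- ALL
+privileged: false
+readOnlyRootFilesystem: true
+runAsGroup: 1001
+runAsNonRoot: true
+runAsUser: 1001
+seLinuxOptions: {}
+seccompProfile:
+type: RuntimeDefault
+volumeMounts:
+- mountPath: /tmp
+name: empty-dir
+subPath: tmp-dir
+- mountPath: /bitnami/keycloak
+name: empty-dir
+subPath: app-volume-dir
+- mountPath: /opt/bitnami/keycloak/conf
+name: empty-dir
+subPath: app-conf-dir
+- mountPath: /opt/bitnami/keycloak/lib/quarkus
+name: empty-dir
+subPath: app-quarkus-dir
+- mountPath: /opt/bitnami/keycloak/data
+name: empty-dir
+subPath: app-data-dir
+- mountPath: /opt/bitnami/keycloak/providers
+name: empty-dir
+subPath: app-providers-dir
+- mountPath: /opt/bitnami/keycloak/themes
+name: empty-dir
+subPath: app-themes-dir
+- mountPath: /opt/bitnami/keycloak/secrets
+name: keycloak-secrets
+enableServiceLinks: true
+initContainers:
+- args:
+- -ec
+- |
+. /opt/bitnami/scripts/liblog.sh
+info "Copying writable dirs to empty dir"
+# In order to not break the application functionality we need to make some
+# directories writable, so we need to copy it to an empty dir volume
+cp -r --preserve=mode,timestamps /opt/bitnami/keycloak/lib/quarkus /emptydir/app-quarkus-dir
+cp -r --preserve=mode,timestamps /opt/bitnami/keycloak/data /emptydir/app-data-dir
+cp -r --preserve=mode,timestamps /opt/bitnami/keycloak/providers /emptydir/app-providers-dir
+cp -r --preserve=mode,timestamps /opt/bitnami/keycloak/themes /emptydir/app-themes-dir
+info "Copy operation completed"
+command:
+- /bin/bash
+image: docker.io/bitnami/keycloak:26.2.5-debian-12-r1
+imagePullPolicy: IfNotPresent
+name: prepare-write-dirs
+resources:
+limits:
+cpu: 750m
+ephemeral-storage: 2Gi
+memory: 768Mi
+requests:
+cpu: 500m
+ephemeral-storage: 50Mi
+memory: 512Mi
+securityContext:
+allowPrivilegeEscalation: false
+capabilities:
+drop:
+- ALL
+privileged: false
+readOnlyRootFilesystem: true
+runAsGroup: 1001
+runAsNonRoot: true
+runAsUser: 1001
+seLinuxOptions: {}
+seccompProfile:
+type: RuntimeDefault
+volumeMounts:
+- mountPath: /emptydir
+name: empty-dir
+securityContext:
+fsGroup: 1001
+fsGroupChangePolicy: Always
+supplementalGroups: []
+sysctls: []
+serviceAccountName: keycloak
+volumes:
+- emptyDir: {}
+name: empty-dir
+- name: keycloak-secrets
+projected:
+sources:
+- secret:
+name: keycloak
+- secret:
+items:
+- key: db-pass
+path: db-db-pass
+name: keycloak
+updateStrategy:
+rollingUpdate: {}
+type: RollingUpdate
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+labels:
+app.kubernetes.io/component: primary
+app.kubernetes.io/instance: keycloak
+app.kubernetes.io/managed-by: Helm
+app.kubernetes.io/name: postgresql
+app.kubernetes.io/version: 17.4.0
+helm.sh/chart: postgresql-16.6.6
+name: keycloak-postgresql
+namespace: keycloak
+spec:
+replicas: 1
+selector:
+matchLabels:
+app.kubernetes.io/component: primary
+app.kubernetes.io/instance: keycloak
+app.kubernetes.io/name: postgresql
+serviceName: keycloak-postgresql-hl
+template:
+metadata:
+labels:
+app.kubernetes.io/component: primary
+app.kubernetes.io/instance: keycloak
+app.kubernetes.io/managed-by: Helm
+app.kubernetes.io/name: postgresql
+app.kubernetes.io/version: 17.4.0
+helm.sh/chart: postgresql-16.6.6
+name: keycloak-postgresql
+spec:
+affinity:
+nodeAffinity: null
+podAffinity: null
+podAntiAffinity:
+preferredDuringSchedulingIgnoredDuringExecution:
+- podAffinityTerm:
+labelSelector:
+matchLabels:
+app.kubernetes.io/component: primary
+app.kubernetes.io/instance: keycloak
+app.kubernetes.io/name: postgresql
+topologyKey: kubernetes.io/hostname
+weight: 1
+automountServiceAccountToken: false
+containers:
+- env:
+- name: BITNAMI_DEBUG
+value: "false"
+- name: POSTGRESQL_PORT_NUMBER
+value: "5432"
+- name: POSTGRESQL_VOLUME_DIR
+value: /bitnami/postgresql
+- name: PGDATA
+value: /bitnami/postgresql/data
+- name: POSTGRES_USER
+value: keycloak
+- name: POSTGRES_PASSWORD_FILE
+value: /opt/bitnami/postgresql/secrets/db-pass
+- name: POSTGRES_POSTGRES_PASSWORD_FILE
+value: /opt/bitnami/postgresql/secrets/postgres-password
+- name: POSTGRES_DATABASE
+value: keycloak
+- name: POSTGRESQL_ENABLE_LDAP
+value: "no"
+- name: POSTGRESQL_ENABLE_TLS
+value: "no"
+- name: POSTGRESQL_LOG_HOSTNAME
+value: "false"
+- name: POSTGRESQL_LOG_CONNECTIONS
+value: "false"
+- name: POSTGRESQL_LOG_DISCONNECTIONS
+value: "false"
+- name: POSTGRESQL_PGAUDIT_LOG_CATALOG
+value: "off"
+- name: POSTGRESQL_CLIENT_MIN_MESSAGES
+value: error
+- name: POSTGRESQL_SHARED_PRELOAD_LIBRARIES
+value: pgaudit
+image: docker.io/bitnami/postgresql:16.6.0-debian-12-r2
+imagePullPolicy: IfNotPresent
+livenessProbe:
+exec:
+command:
+- /bin/sh
+- -c
+- exec pg_isready -U "keycloak" -d "dbname=keycloak" -h 127.0.0.1 -p 5432
+failureThreshold: 6
+initialDelaySeconds: 30
+periodSeconds: 10
+successThreshold: 1
+timeoutSeconds: 5
+name: postgresql
+ports:
+- containerPort: 5432
+name: tcp-postgresql
+readinessProbe:
+exec:
+command:
+- /bin/sh
+- -c
+- -e
+- |
+exec pg_isready -U "keycloak" -d "dbname=keycloak" -h 127.0.0.1 -p 5432
+[ -f /opt/bitnami/postgresql/tmp/.initialized ] || [ -f /bitnami/postgresql/.initialized ]
+failureThreshold: 6
+initialDelaySeconds: 5
+periodSeconds: 10
+successThreshold: 1
+timeoutSeconds: 5
+resources:
+limits:
+cpu: 150m
+ephemeral-storage: 2Gi
+memory: 192Mi
+requests:
+cpu: 100m
+ephemeral-storage: 50Mi
+memory: 128Mi
+securityContext:
+allowPrivilegeEscalation: false
+capabilities:
+drop:
+- ALL
+privileged: false
+readOnlyRootFilesystem: true
+runAsGroup: 1001
+runAsNonRoot: true
+runAsUser: 1001
+seLinuxOptions: {}
+seccompProfile:
+type: RuntimeDefault
+volumeMounts:
+- mountPath: /tmp
+name: empty-dir
+subPath: tmp-dir
+- mountPath: /opt/bitnami/postgresql/conf
+name: empty-dir
+subPath: app-conf-dir
+- mountPath: /opt/bitnami/postgresql/tmp
+name: empty-dir
+subPath: app-tmp-dir
+- mountPath: /opt/bitnami/postgresql/secrets/
+name: postgresql-password
+- mountPath: /dev/shm
+name: dshm
+- mountPath: /bitnami/postgresql
+name: data
+hostIPC: false
+hostNetwork: false
+securityContext:
+fsGroup: 1001
+fsGroupChangePolicy: Always
+supplementalGroups: []
+sysctls: []
+serviceAccountName: keycloak-postgresql
+volumes:
+- emptyDir: {}
+name: empty-dir
+- name: postgresql-password
+secret:
+secretName: keycloak
+- emptyDir:
+medium: Memory
+name: dshm
+updateStrategy:
+rollingUpdate: {}
+type: RollingUpdate
+volumeClaimTemplates:
+- apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+name: data
+spec:
+accessModes:
+- ReadWriteOnce
+resources:
+requests:
+storage: 8Gi
+storageClassName: openebs-3-replicas
+---
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+labels:
+app.kubernetes.io/component: keycloak
+app.kubernetes.io/instance: keycloak
+app.kubernetes.io/managed-by: Helm
+app.kubernetes.io/name: keycloak
+app.kubernetes.io/version: 26.2.5
+helm.sh/chart: keycloak-24.7.3
+name: keycloak
+namespace: keycloak
+spec:
+maxUnavailable: 1
+selector:
+matchLabels:
+app.kubernetes.io/component: keycloak
+app.kubernetes.io/instance: keycloak
+app.kubernetes.io/name: keycloak
+---
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+labels:
+app.kubernetes.io/component: primary
+app.kubernetes.io/instance: keycloak
+app.kubernetes.io/managed-by: Helm
+app.kubernetes.io/name: postgresql
+app.kubernetes.io/version: 17.4.0
+helm.sh/chart: postgresql-16.6.6
+name: keycloak-postgresql
+namespace: keycloak
+spec:
+maxUnavailable: 1
+selector:
+matchLabels:
+app.kubernetes.io/component: primary
+app.kubernetes.io/instance: keycloak
+app.kubernetes.io/name: postgresql
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+labels:
+app.kubernetes.io/component: keycloak
+app.kubernetes.io/instance: keycloak
+app.kubernetes.io/managed-by: Helm
+app.kubernetes.io/name: keycloak
+app.kubernetes.io/version: 26.2.5
+helm.sh/chart: keycloak-24.7.3
+name: keycloak
+namespace: keycloak
+spec:
+egress:
+- {}
+ingress:
+- ports:
+- port: 7800
+- port: 8080
+podSelector:
+matchLabels:
+app.kubernetes.io/component: keycloak
+app.kubernetes.io/instance: keycloak
+app.kubernetes.io/name: keycloak
+policyTypes:
+- Ingress
+- Egress
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+labels:
+app.kubernetes.io/component: primary
+app.kubernetes.io/instance: keycloak
+app.kubernetes.io/managed-by: Helm
+app.kubernetes.io/name: postgresql
+app.kubernetes.io/version: 17.4.0
+helm.sh/chart: postgresql-16.6.6
+name: keycloak-postgresql
+namespace: keycloak
+spec:
+egress:
+- {}
+ingress:
+- ports:
+- port: 5432
+podSelector:
+matchLabels:
+app.kubernetes.io/component: primary
+app.kubernetes.io/instance: keycloak
+app.kubernetes.io/name: postgresql
+policyTypes:
+- Ingress
+- Egress
+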
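Review bot: The `kind: Secret` named `keycloak` defines only `admin-password`, yet the keycloak StatefulSet projects `key: db-pass` from it (`path: db-db-pass`) and the postgresql container reads `/opt/bitnami/postgresql/secrets/db-pass` and `.../postgres-password` from the same `secretName: keycloak`; unless those keys are added to the Secret outside this commit, the projected volume cannot be mounted (the kubelet rejects `items` that name a missing key) and the database container starts without its password files. The `admin-password` value is a base64-encoded credential committed in clear to the repository — base64 is an encoding, not protection — so it should be dropped from the rendered manifest, provisioned out of band (for example through the charts' `auth.existingSecret` values), and the committed value rotated. The bootstrap admin also keeps the chart default `KC_BOOTSTRAP_ADMIN_USERNAME: user`, which is worth changing together with the password. Separately, both NetworkPolicies list ingress `ports` with no `from` clause, so every pod in the cluster can reach the JGroups port 7800 and postgres 5432; adding `from: [{podSelector: {matchLabels: {app.kubernetes.io/name: keycloak}}}]` to the postgresql policy, and restricting 7800 to the keycloak pods themselves, would limit that exposure.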

@@ -0,0 +1,12 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
helmCharts:
- name: keycloak
repo: https://charts.bitnami.com/bitnami
version: 24.7.3
releaseName: keycloak
includeCRDs: true
namespace: keycloak
valuesFile: values.yaml

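Review bot: Nothing here records how the committed `main.yaml` is regenerated from this kustomization, so the chart `version: 24.7.3` and the `helm.sh/chart: keycloak-24.7.3` labels in the rendered output can drift apart unnoticed; a comment such as `# Rendered with: kustomize build --enable-helm . (output is committed as main.yaml)` would document the workflow — the exact output path is not visible in this diff, so adjust it to the repository layout. As a point of style, quote the chart version (`version: "24.7.3"`) so a future two-component bump is not parsed as a float. Note also that `helmCharts` fetches the chart from `repo` at build time with only the version pinned and no content digest, so the rendered `main.yaml` is the artefact that should be reviewed as what actually gets applied.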
keycloak/src/values.yaml Normal file
