diff --git a/keycloak/main.yaml b/keycloak/main.yaml index f51d88e..320a236 100644 --- a/keycloak/main.yaml +++ b/keycloak/main.yaml @@ -14,19 +14,6 @@ metadata: namespace: keycloak --- apiVersion: v1 -automountServiceAccountToken: false -kind: ServiceAccount -metadata: - labels: - app.kubernetes.io/instance: keycloak - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: postgresql - app.kubernetes.io/version: 17.6.0 - helm.sh/chart: postgresql-16.7.26 - name: keycloak-postgresql - namespace: keycloak ---- -apiVersion: v1 data: BITNAMI_DEBUG: "false" JAVA_OPTS_APPEND: -Djgroups.dns.query=keycloak-headless.keycloak.svc.cluster.local @@ -35,10 +22,10 @@ data: KC_CACHE: ispn KC_CACHE_CONFIG_FILE: cache-ispn.xml KC_CACHE_STACK: jdbc-ping - KC_DB_PASSWORD_FILE: /opt/bitnami/keycloak/secrets/db-db-pass + KC_DB_PASSWORD_FILE: /opt/bitnami/keycloak/secrets/db-password KC_DB_SCHEMA: public - KC_DB_URL: jdbc:postgresql://keycloak-postgresql:5432/keycloak?currentSchema=public - KC_DB_USERNAME: keycloak + KC_DB_URL: jdbc:postgresql://cnpg-keycloak-cluster-rw:5432/keycloak?currentSchema=public + KC_DB_USERNAME_FILE: /opt/bitnami/keycloak/secrets/db-user KC_HTTP_ENABLED: "true" KC_HTTP_MANAGEMENT_PORT: "9000" KC_HTTP_PORT: "8080" 
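Review bot: The new `KC_DB_URL` value pins no `sslmode`, so the connection to `cnpg-keycloak-cluster-rw:5432` runs at whatever the JDBC driver defaults to — at best an unverified TLS session, at worst cleartext — and the credentials read from `db-user`/`db-password` cross the pod network without the server being authenticated. That was moot for the removed in-chart database (it ran with TLS off), but the target is now a separate cluster, so the rendered line should become `KC_DB_URL: jdbc:postgresql://cnpg-keycloak-cluster-rw:5432/keycloak?currentSchema=public&sslmode=verify-full&sslrootcert=<PATH_TO_CLUSTER_CA>` (placeholder path), or at minimum `&sslmode=require`. Because main.yaml is rendered from keycloak/src/values.yaml, the right place to set this is `externalDatabase.extraParams` in the `@@ -1292,14 +1292,14 @@` hunk rather than the ConfigMap itself. The `data` mapping these keys belong to starts before this hunk.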
@@ -118,56 +105,6 @@ spec: app.kubernetes.io/part-of: keycloak type: ClusterIP --- -apiVersion: v1 -kind: Service -metadata: - labels: - app.kubernetes.io/component: primary - app.kubernetes.io/instance: keycloak - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: postgresql - app.kubernetes.io/version: 17.6.0 - helm.sh/chart: postgresql-16.7.26 - name: keycloak-postgresql - namespace: keycloak -spec: - ports: - - name: tcp-postgresql - nodePort: null - port: 5432 - targetPort: tcp-postgresql - selector: - app.kubernetes.io/component: primary - app.kubernetes.io/instance: keycloak - app.kubernetes.io/name: postgresql - sessionAffinity: None - type: ClusterIP ---- -apiVersion: v1 -kind: Service -metadata: - labels: - app.kubernetes.io/component: primary - app.kubernetes.io/instance: keycloak - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: postgresql - app.kubernetes.io/version: 17.6.0 - helm.sh/chart: postgresql-16.7.26 - name: keycloak-postgresql-hl - namespace: keycloak -spec: - clusterIP: None - ports: - - name: tcp-postgresql - port: 5432 - targetPort: tcp-postgresql - publishNotReadyAddresses: true - selector: - app.kubernetes.io/component: primary - app.kubernetes.io/instance: keycloak - app.kubernetes.io/name: postgresql - type: ClusterIP ---- apiVersion: apps/v1 kind: StatefulSet metadata: @@ -195,7 +132,7 @@ spec: template: metadata: annotations: - checksum/configmap-env-vars: 4a230a1393ed715c878d1636fa21ac2aa5b475c9be310474ed9a3fc22ea1da37 + checksum/configmap-env-vars: 498a12f8777f12d59d6882fb3d91d07e42a62033c17e3ded6aa2ee0ddeb71b9b labels: app.kubernetes.io/component: keycloak app.kubernetes.io/instance: keycloak 
@@ -363,193 +300,14 @@ spec: name: keycloak - secret: items: - - key: db-pass - path: db-db-pass - name: keycloak + - key: password + path: db-password + - key: user + path: db-user + name: cnpg-keycloak-cluster-app updateStrategy: type: RollingUpdate --- -apiVersion: apps/v1 -kind: StatefulSet -metadata: - labels: - app.kubernetes.io/component: primary - app.kubernetes.io/instance: keycloak - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: postgresql - app.kubernetes.io/version: 17.6.0 - helm.sh/chart: postgresql-16.7.26 - name: keycloak-postgresql - namespace: keycloak -spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/component: primary - app.kubernetes.io/instance: keycloak - app.kubernetes.io/name: postgresql - serviceName: keycloak-postgresql-hl - template: - metadata: - labels: - app.kubernetes.io/component: primary - app.kubernetes.io/instance: keycloak - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: postgresql - app.kubernetes.io/version: 17.6.0 - helm.sh/chart: postgresql-16.7.26 - name: keycloak-postgresql - spec: - affinity: - nodeAffinity: null - podAffinity: null - podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - podAffinityTerm: - labelSelector: - matchLabels: - app.kubernetes.io/component: primary - app.kubernetes.io/instance: keycloak - app.kubernetes.io/name: postgresql - topologyKey: kubernetes.io/hostname - weight: 1 - automountServiceAccountToken: false - containers: - - env: - - name: BITNAMI_DEBUG - value: "false" - - name: POSTGRESQL_PORT_NUMBER - value: "5432" - - name: POSTGRESQL_VOLUME_DIR - value: /bitnami/postgresql - - name: PGDATA - value: /bitnami/postgresql/data - - name: POSTGRES_USER - value: keycloak - - name: POSTGRES_PASSWORD_FILE - value: /opt/bitnami/postgresql/secrets/db-pass - - name: POSTGRES_POSTGRES_PASSWORD_FILE - value: /opt/bitnami/postgresql/secrets/postgres-password - - name: POSTGRES_DATABASE - value: keycloak - - name: POSTGRESQL_ENABLE_LDAP - 
value: "no" - - name: POSTGRESQL_ENABLE_TLS - value: "no" - - name: POSTGRESQL_LOG_HOSTNAME - value: "false" - - name: POSTGRESQL_LOG_CONNECTIONS - value: "false" - - name: POSTGRESQL_LOG_DISCONNECTIONS - value: "false" - - name: POSTGRESQL_PGAUDIT_LOG_CATALOG - value: "off" - - name: POSTGRESQL_CLIENT_MIN_MESSAGES - value: error - - name: POSTGRESQL_SHARED_PRELOAD_LIBRARIES - value: pgaudit - image: docker.io/bitnamilegacy/postgresql:17.6.0-debian-12-r4 - imagePullPolicy: IfNotPresent - livenessProbe: - exec: - command: - - /bin/sh - - -c - - exec pg_isready -U "keycloak" -d "dbname=keycloak" -h 127.0.0.1 -p 5432 - failureThreshold: 6 - initialDelaySeconds: 30 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 5 - name: postgresql - ports: - - containerPort: 5432 - name: tcp-postgresql - readinessProbe: - exec: - command: - - /bin/sh - - -c - - -e - - | - exec pg_isready -U "keycloak" -d "dbname=keycloak" -h 127.0.0.1 -p 5432 - [ -f /opt/bitnami/postgresql/tmp/.initialized ] || [ -f /bitnami/postgresql/.initialized ] - failureThreshold: 6 - initialDelaySeconds: 5 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 5 - resources: - limits: - cpu: 150m - ephemeral-storage: 2Gi - memory: 192Mi - requests: - cpu: 100m - ephemeral-storage: 50Mi - memory: 128Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - readOnlyRootFilesystem: true - runAsGroup: 1001 - runAsNonRoot: true - runAsUser: 1001 - seLinuxOptions: {} - seccompProfile: - type: RuntimeDefault - volumeMounts: - - mountPath: /tmp - name: empty-dir - subPath: tmp-dir - - mountPath: /opt/bitnami/postgresql/conf - name: empty-dir - subPath: app-conf-dir - - mountPath: /opt/bitnami/postgresql/tmp - name: empty-dir - subPath: app-tmp-dir - - mountPath: /opt/bitnami/postgresql/secrets/ - name: postgresql-password - - mountPath: /dev/shm - name: dshm - - mountPath: /bitnami/postgresql - name: data - hostIPC: false - hostNetwork: false - 
securityContext: - fsGroup: 1001 - fsGroupChangePolicy: Always - supplementalGroups: [] - sysctls: [] - serviceAccountName: keycloak-postgresql - volumes: - - emptyDir: {} - name: empty-dir - - name: postgresql-password - secret: - secretName: keycloak - - emptyDir: - medium: Memory - name: dshm - updateStrategy: - rollingUpdate: {} - type: RollingUpdate - volumeClaimTemplates: - - apiVersion: v1 - kind: PersistentVolumeClaim - metadata: - name: data - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 8Gi - storageClassName: openebs-3-replicas ---- apiVersion: policy/v1 kind: PodDisruptionBudget metadata: @@ -572,26 +330,6 @@ spec: app.kubernetes.io/name: keycloak app.kubernetes.io/part-of: keycloak --- -apiVersion: policy/v1 -kind: PodDisruptionBudget -metadata: - labels: - app.kubernetes.io/component: primary - app.kubernetes.io/instance: keycloak - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: postgresql - app.kubernetes.io/version: 17.6.0 - helm.sh/chart: postgresql-16.7.26 - name: keycloak-postgresql - namespace: keycloak -spec: - maxUnavailable: 1 - selector: - matchLabels: - app.kubernetes.io/component: primary - app.kubernetes.io/instance: keycloak - app.kubernetes.io/name: postgresql ---- apiVersion: batch/v1 kind: Job metadata: 
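Review bot: The secret projection now mounts keys `user` and `password` from `cnpg-keycloak-cluster-app`, but nothing in this hunk deals with what the removed Bitnami StatefulSet leaves behind: its `volumeClaimTemplates` entry `data` (8Gi, `openebs-3-replicas`) is not deleted with the StatefulSet, so a claim along the lines of `data-keycloak-postgresql-0` (constructed name — confirm with the cluster) will keep holding the complete old database and needs an explicit migrate-then-delete step. Likewise the `db-pass` key in Secret `keycloak` that the old `postgresql-password` volume mounted is no longer referenced but still exists; rotate or remove it once the cutover is verified rather than leaving a live credential in a secret nobody consumes. It is also worth confirming that the CNPG application secret actually exposes a key named `user` rather than only `username`; a missing key makes the projected volume fail and the pod never starts, which would surface only at rollout. The `volumes` list edited here, and the StatefulSet that owns it, begin before this hunk.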
@@ -667,33 +405,6 @@ spec: - Ingress - Egress --- -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - labels: - app.kubernetes.io/component: primary - app.kubernetes.io/instance: keycloak - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: postgresql - app.kubernetes.io/version: 17.6.0 - helm.sh/chart: postgresql-16.7.26 - name: keycloak-postgresql - namespace: keycloak -spec: - egress: - - {} - ingress: - - ports: - - port: 5432 - podSelector: - matchLabels: - app.kubernetes.io/component: primary - app.kubernetes.io/instance: keycloak - app.kubernetes.io/name: postgresql - policyTypes: - - Ingress - - Egress ---- apiVersion: postgresql.cnpg.io/v1 kind: Cluster metadata: diff --git a/keycloak/src/values.yaml b/keycloak/src/values.yaml index 28dad34..5c94b45 100644 --- a/keycloak/src/values.yaml +++ b/keycloak/src/values.yaml @@ -1257,7 +1257,7 @@ defaultInitContainers: ## @param postgresql.architecture PostgreSQL architecture (`standalone` or `replication`) ## postgresql: - enabled: true + enabled: false image: repository: bitnamilegacy/postgresql tag: 17.6.0-debian-12-r4 @@ -1292,14 +1292,14 @@ postgresql: ## @param externalDatabase.extraParams Additional JDBC connection parameters appended to the JDBC URL (KC_DB_URL). ## externalDatabase: - host: "" + host: cnpg-keycloak-cluster-rw port: 5432 user: bn_keycloak - database: bitnami_keycloak + database: keycloak schema: public password: "" - existingSecret: "" - existingSecretUserKey: "" - existingSecretPasswordKey: "" + existingSecret: cnpg-keycloak-cluster-app + existingSecretUserKey: user + existingSecretPasswordKey: password annotations: {} extraParams: ""
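Review bot: `user: bn_keycloak` is left untouched while `existingSecretUserKey: user` now sources the username from the secret, so the literal is dead configuration that a reader will mistake for the effective database role; add `# username is taken from existingSecret/existingSecretUserKey; this literal is unused` above it so the two cannot silently diverge. `database: keycloak` must match the database the CNPG `Cluster` bootstraps, which lies outside this diff — worth checking against the Cluster's `bootstrap` section before merge. `password: ""` together with `existingSecret: cnpg-keycloak-cluster-app` is the right shape: no credential is committed, only the reference.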