diff --git a/keycloak/main.yaml b/keycloak/main.yaml index e789876..d02a3d8 100644 --- a/keycloak/main.yaml +++ b/keycloak/main.yaml @@ -1,5 +1,5 @@ apiVersion: v1 -automountServiceAccountToken: false +automountServiceAccountToken: true kind: ServiceAccount metadata: labels: @@ -7,8 +7,9 @@ metadata: app.kubernetes.io/instance: keycloak app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: keycloak - app.kubernetes.io/version: 26.2.5 - helm.sh/chart: keycloak-24.7.3 + app.kubernetes.io/part-of: keycloak + app.kubernetes.io/version: 26.3.3 + helm.sh/chart: keycloak-25.2.0 name: keycloak namespace: keycloak --- 
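Review bot: The `keycloak` ServiceAccount now renders `automountServiceAccountToken: true`, yet nothing in this diff shows an RBAC binding or a code path that needs an API token: the cache stack becomes `jdbc-ping` and the only discovery hint is the `jgroups.dns.query` Java option, neither of which talks to the API server as far as the visible configuration goes. A mounted token is unused credential material if the container is ever compromised, and the old manifest had it disabled. Keep the previous setting by pinning it in the chart overrides rather than accepting the new chart default — values.yaml already carries the pod-level `automountServiceAccountToken: true` under the StatefulSet section, and the ServiceAccount-level toggle lives under the chart's `serviceAccount` values — so that both objects render `automountServiceAccountToken: false`. If the new chart version genuinely requires the token, record why in a comment next to the override.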
@@ -20,29 +21,34 @@ metadata: app.kubernetes.io/instance: keycloak app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: postgresql - app.kubernetes.io/version: 17.4.0 - helm.sh/chart: postgresql-16.6.6 + app.kubernetes.io/version: 17.6.0 + helm.sh/chart: postgresql-16.7.26 name: keycloak-postgresql namespace: keycloak --- apiVersion: v1 data: + BITNAMI_DEBUG: "false" JAVA_OPTS_APPEND: -Djgroups.dns.query=keycloak-headless.keycloak.svc.cluster.local + KC_BOOTSTRAP_ADMIN_PASSWORD_FILE: /opt/bitnami/keycloak/secrets/admin-password KC_BOOTSTRAP_ADMIN_USERNAME: user + KC_CACHE: ispn KC_CACHE_CONFIG_FILE: cache-ispn.xml - KC_CACHE_STACK: kubernetes - KC_CACHE_TYPE: ispn - KEYCLOAK_DATABASE_HOST: keycloak-postgresql - KEYCLOAK_DATABASE_NAME: keycloak - KEYCLOAK_DATABASE_PORT: "5432" - KEYCLOAK_DATABASE_USER: keycloak - KEYCLOAK_ENABLE_HTTPS: "false" - KEYCLOAK_ENABLE_STATISTICS: "false" - KEYCLOAK_HTTP_PORT: "8080" - KEYCLOAK_LOG_LEVEL: INFO - KEYCLOAK_LOG_OUTPUT: default + KC_CACHE_STACK: jdbc-ping + KC_DB_PASSWORD_FILE: /opt/bitnami/keycloak/secrets/db-db-pass + KC_DB_SCHEMA: public + KC_DB_URL: jdbc:postgresql://keycloak-postgresql:5432/keycloak?currentSchema=public + KC_DB_USERNAME: keycloak + KC_HTTP_ENABLED: "true" + KC_HTTP_MANAGEMENT_PORT: "9000" + KC_HTTP_PORT: "8080" + KC_HTTP_RELATIVE_PATH: / + KC_LOG_CONSOLE_OUTPUT: default + KC_LOG_LEVEL: INFO + KC_METRICS_ENABLED: "false" + KC_PROXY_HEADERS: xforwarded + KC_SPI_ADMIN_REALM: master KEYCLOAK_PRODUCTION: "true" - KEYCLOAK_PROXY_HEADERS: xforwarded kind: ConfigMap metadata: labels: @@ -50,8 +56,9 @@ metadata: app.kubernetes.io/instance: keycloak app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: keycloak - app.kubernetes.io/version: 26.2.5 - helm.sh/chart: keycloak-24.7.3 + app.kubernetes.io/part-of: keycloak + app.kubernetes.io/version: 26.3.3 + helm.sh/chart: keycloak-25.2.0 name: keycloak-env-vars namespace: keycloak --- 
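Review bot: `KC_PROXY_HEADERS: xforwarded` together with `KC_HTTP_ENABLED: "true"` makes Keycloak trust `X-Forwarded-*` headers from whoever reaches port 8080, and this ConfigMap sets no `KC_HOSTNAME`, so the hostname used for issuer URLs and redirects is whatever those headers claim. That is only safe when 8080 is reachable solely through the trusted proxy; the NetworkPolicy hunk later in this diff lists ingress ports 8080 and 7800 with no `from` selector, which appears to admit any in-cluster peer (the chart's `networkPolicy.allowExternal`-style toggle, if this version still exposes it, is the place to tighten that). Restrict the ingress rule to the ingress-controller namespace and 7800 to Keycloak's own pods, or pin a fixed hostname with `hostnameStrict: true` in the overrides. Separately, `KC_DB_URL` carries no `sslmode` parameter, so the JDBC session to `keycloak-postgresql` is plaintext unless TLS is configured elsewhere — tolerable inside one namespace, but worth a comment stating that it is intentional.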
@@ -63,8 +70,9 @@ metadata: app.kubernetes.io/instance: keycloak app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: keycloak - app.kubernetes.io/version: 26.2.5 - helm.sh/chart: keycloak-24.7.3 + app.kubernetes.io/part-of: keycloak + app.kubernetes.io/version: 26.3.3 + helm.sh/chart: keycloak-25.2.0 name: keycloak namespace: keycloak spec: @@ -78,6 +86,7 @@ spec: app.kubernetes.io/component: keycloak app.kubernetes.io/instance: keycloak app.kubernetes.io/name: keycloak + app.kubernetes.io/part-of: keycloak sessionAffinity: None type: ClusterIP --- @@ -89,8 +98,9 @@ metadata: app.kubernetes.io/instance: keycloak app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: keycloak - app.kubernetes.io/version: 26.2.5 - helm.sh/chart: keycloak-24.7.3 + app.kubernetes.io/part-of: keycloak + app.kubernetes.io/version: 26.3.3 + helm.sh/chart: keycloak-25.2.0 name: keycloak-headless namespace: keycloak spec: @@ -105,6 +115,7 @@ spec: app.kubernetes.io/component: keycloak app.kubernetes.io/instance: keycloak app.kubernetes.io/name: keycloak + app.kubernetes.io/part-of: keycloak type: ClusterIP --- apiVersion: v1 @@ -115,8 +126,8 @@ metadata: app.kubernetes.io/instance: keycloak app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: postgresql - app.kubernetes.io/version: 17.4.0 - helm.sh/chart: postgresql-16.6.6 + app.kubernetes.io/version: 17.6.0 + helm.sh/chart: postgresql-16.7.26 name: keycloak-postgresql namespace: keycloak spec: @@ -140,8 +151,8 @@ metadata: app.kubernetes.io/instance: keycloak app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: postgresql - app.kubernetes.io/version: 17.4.0 - helm.sh/chart: postgresql-16.6.6 + app.kubernetes.io/version: 17.6.0 + helm.sh/chart: postgresql-16.7.26 name: keycloak-postgresql-hl namespace: keycloak spec: 
@@ -165,8 +176,9 @@ metadata: app.kubernetes.io/instance: keycloak app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: keycloak - app.kubernetes.io/version: 26.2.5 - helm.sh/chart: keycloak-24.7.3 + app.kubernetes.io/part-of: keycloak + app.kubernetes.io/version: 26.3.3 + helm.sh/chart: keycloak-25.2.0 name: keycloak namespace: keycloak spec: @@ -178,19 +190,20 @@ spec: app.kubernetes.io/component: keycloak app.kubernetes.io/instance: keycloak app.kubernetes.io/name: keycloak + app.kubernetes.io/part-of: keycloak serviceName: keycloak-headless template: metadata: annotations: - checksum/configmap-env-vars: 7ed8e56f444615469aa0ea38e604cc7c913c1dd874dcfc7e5dac178b777f2633 + checksum/configmap-env-vars: 4a230a1393ed715c878d1636fa21ac2aa5b475c9be310474ed9a3fc22ea1da37 labels: - app.kubernetes.io/app-version: 26.2.5 app.kubernetes.io/component: keycloak app.kubernetes.io/instance: keycloak app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: keycloak - app.kubernetes.io/version: 26.2.5 - helm.sh/chart: keycloak-24.7.3 + app.kubernetes.io/part-of: keycloak + app.kubernetes.io/version: 26.3.3 + helm.sh/chart: keycloak-25.2.0 spec: affinity: nodeAffinity: null @@ -200,6 +213,7 @@ spec: - podAffinityTerm: labelSelector: matchLabels: + app.kubernetes.io/component: keycloak app.kubernetes.io/instance: keycloak app.kubernetes.io/name: keycloak topologyKey: kubernetes.io/hostname 
@@ -212,24 +226,14 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.namespace - - name: BITNAMI_DEBUG - value: "false" - - name: KC_BOOTSTRAP_ADMIN_PASSWORD_FILE - value: /opt/bitnami/keycloak/secrets/admin-password - - name: KEYCLOAK_DATABASE_PASSWORD_FILE - value: /opt/bitnami/keycloak/secrets/db-db-pass - - name: KEYCLOAK_HTTP_RELATIVE_PATH - value: / - - name: KC_SPI_ADMIN_REALM - value: master envFrom: - configMapRef: name: keycloak-env-vars - image: docker.io/bitnami/keycloak:26.2.5-debian-12-r1 + image: docker.io/bitnami/keycloak:26.3.3-debian-12-r0 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 3 - initialDelaySeconds: 300 + initialDelaySeconds: 120 periodSeconds: 1 successThreshold: 1 tcpSocket: @@ -247,6 +251,7 @@ spec: httpGet: path: /realms/master port: http + scheme: HTTP initialDelaySeconds: 30 periodSeconds: 10 successThreshold: 1 @@ -314,18 +319,18 @@ spec: info "Copy operation completed" command: - /bin/bash - image: docker.io/bitnami/keycloak:26.2.5-debian-12-r1 + image: docker.io/bitnami/keycloak:26.3.3-debian-12-r0 imagePullPolicy: IfNotPresent name: prepare-write-dirs resources: limits: - cpu: 750m + cpu: 150m ephemeral-storage: 2Gi - memory: 768Mi + memory: 192Mi requests: - cpu: 500m + cpu: 100m ephemeral-storage: 50Mi - memory: 512Mi + memory: 128Mi securityContext: allowPrivilegeEscalation: false capabilities: @@ -362,7 +367,6 @@ spec: path: db-db-pass name: keycloak updateStrategy: - rollingUpdate: {} type: RollingUpdate --- apiVersion: apps/v1 @@ -373,8 +377,8 @@ metadata: app.kubernetes.io/instance: keycloak app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: postgresql - app.kubernetes.io/version: 17.4.0 - helm.sh/chart: postgresql-16.6.6 + app.kubernetes.io/version: 17.6.0 + helm.sh/chart: postgresql-16.7.26 name: keycloak-postgresql namespace: keycloak spec: 
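Review bot: The liveness probe now fires after `initialDelaySeconds: 120` with `periodSeconds: 1` and `failureThreshold: 3`, so a Keycloak pod whose TCP port is not open roughly 123 s after start is killed and restarted, while the same commit moves the image from 26.2.5 to 26.3.3, whose first start runs a database schema migration that nothing here bounds. If that migration or the `jdbc-ping` cluster join exceeds the window, the pod is restarted mid-migration and repeats indefinitely. The values hunk further down also cuts `startupProbe.failureThreshold` from 60 to 10 (about an 80 s budget at a 5 s period); an enabled startup probe would hold the liveness probe off, but none of the rendered StatefulSet hunks shows one, so it is unclear whether it is rendered at all. Either keep the previous 300 s delay or confirm the startup probe is present and sized for an upgrade start. The container spec continues outside this hunk.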
@@ -392,8 +396,8 @@ spec: app.kubernetes.io/instance: keycloak app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: postgresql - app.kubernetes.io/version: 17.4.0 - helm.sh/chart: postgresql-16.6.6 + app.kubernetes.io/version: 17.6.0 + helm.sh/chart: postgresql-16.7.26 name: keycloak-postgresql spec: affinity: @@ -444,7 +448,7 @@ spec: value: error - name: POSTGRESQL_SHARED_PRELOAD_LIBRARIES value: pgaudit - image: docker.io/bitnami/postgresql:16.6.0-debian-12-r2 + image: docker.io/bitnami/postgresql:17.6.0-debian-12-r0 imagePullPolicy: IfNotPresent livenessProbe: exec: @@ -554,8 +558,9 @@ metadata: app.kubernetes.io/instance: keycloak app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: keycloak - app.kubernetes.io/version: 26.2.5 - helm.sh/chart: keycloak-24.7.3 + app.kubernetes.io/part-of: keycloak + app.kubernetes.io/version: 26.3.3 + helm.sh/chart: keycloak-25.2.0 name: keycloak namespace: keycloak spec: @@ -565,6 +570,7 @@ spec: app.kubernetes.io/component: keycloak app.kubernetes.io/instance: keycloak app.kubernetes.io/name: keycloak + app.kubernetes.io/part-of: keycloak --- apiVersion: policy/v1 kind: PodDisruptionBudget @@ -574,8 +580,8 @@ metadata: app.kubernetes.io/instance: keycloak app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: postgresql - app.kubernetes.io/version: 17.4.0 - helm.sh/chart: postgresql-16.6.6 + app.kubernetes.io/version: 17.6.0 + helm.sh/chart: postgresql-16.7.26 name: keycloak-postgresql namespace: keycloak spec: @@ -594,8 +600,9 @@ metadata: app.kubernetes.io/instance: keycloak app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: keycloak - app.kubernetes.io/version: 26.2.5 - helm.sh/chart: keycloak-24.7.3 + app.kubernetes.io/part-of: keycloak + app.kubernetes.io/version: 26.3.3 + helm.sh/chart: keycloak-25.2.0 name: keycloak namespace: keycloak spec: 
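Review bot: The PostgreSQL StatefulSet image moves from `docker.io/bitnami/postgresql:16.6.0-debian-12-r2` to `docker.io/bitnami/postgresql:17.6.0-debian-12-r0`, a major-version jump, and nothing in the diff migrates the data directory. A PostgreSQL 17 server refuses to start on a 16.x data directory (it requires `pg_upgrade` or a dump/restore), so if the `keycloak-postgresql` volume already holds data this rollout leaves the database crash-looping and Keycloak, whose `KC_DB_URL` points at it, unavailable. The old labels already advertised `17.4.0` while the image stayed at 16.6.0, which suggests the tag had been pinned deliberately; either restore that pin in the chart overrides or schedule the upgrade with a backup and an explicit migration step. The pod spec continues outside this hunk.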
@@ -603,13 +610,14 @@ spec: - {} ingress: - ports: - - port: 7800 - port: 8080 + - port: 7800 podSelector: matchLabels: app.kubernetes.io/component: keycloak app.kubernetes.io/instance: keycloak app.kubernetes.io/name: keycloak + app.kubernetes.io/part-of: keycloak policyTypes: - Ingress - Egress @@ -622,8 +630,8 @@ metadata: app.kubernetes.io/instance: keycloak app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: postgresql - app.kubernetes.io/version: 17.4.0 - helm.sh/chart: postgresql-16.6.6 + app.kubernetes.io/version: 17.6.0 + helm.sh/chart: postgresql-16.7.26 name: keycloak-postgresql namespace: keycloak spec: diff --git a/keycloak/src/kustomization.yaml b/keycloak/src/kustomization.yaml index 85ec037..b56aa69 100644 --- a/keycloak/src/kustomization.yaml +++ b/keycloak/src/kustomization.yaml @@ -5,7 +5,7 @@ kind: Kustomization helmCharts: - name: keycloak repo: https://charts.bitnami.com/bitnami - version: 24.7.3 + version: 25.2.0 releaseName: keycloak includeCRDs: true namespace: keycloak diff --git a/keycloak/src/values.yaml b/keycloak/src/values.yaml index c0676cc..115d084 100644 --- a/keycloak/src/values.yaml +++ b/keycloak/src/values.yaml 
@@ -2,46 +2,44 @@ # SPDX-License-Identifier: APACHE-2.0 ## @section Global parameters -## Global Docker image parameters -## Please, note that this will override the image parameters, including dependencies, configured to use the global value -## Current available global Docker image parameters: imageRegistry, imagePullSecrets and storageClass -## -## @param global.imageRegistry Global Docker image registry -## @param global.imagePullSecrets Global Docker registry secret names as an array -## @param global.defaultStorageClass Global default StorageClass for Persistent Volume(s) -## @param global.storageClass DEPRECATED: use global.defaultStorageClass instead -## global: - imageRegistry: "" - ## E.g. - ## imagePullSecrets: - ## - myRegistryKeySecretName + ## Global Docker image parameters + ## Please, note that this will override the image parameters, including dependencies, configured to use the global value + ## @param global.imageRegistry Global Docker Image registry + ## @param global.imagePullSecrets Global Docker registry secret names as an array ## + imageRegistry: "" imagePullSecrets: [] + ## @param global.defaultStorageClass Global default StorageClass for Persistent Volume(s) + ## defaultStorageClass: "" - storageClass: "" ## Security parameters + ## @param global.security.allowInsecureImages Allows skipping image verification ## security: - ## @param global.security.allowInsecureImages Allows skipping image verification allowInsecureImages: false ## Compatibility adaptations for Kubernetes platforms ## compatibility: ## Compatibility adaptations for Openshift + ## @param global.compatibility.openshift.adaptSecurityContext Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. 
Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) ## openshift: - ## @param global.compatibility.openshift.adaptSecurityContext Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) - ## adaptSecurityContext: auto -## @section Common parameters -## + ## @param global.compatibility.omitEmptySeLinuxOptions If set to true, removes the seLinuxOptions from the securityContexts when it is set to an empty object + ## + omitEmptySeLinuxOptions: false -## @param kubeVersion Force target Kubernetes version (using Helm capabilities if not set) +## @section Common parameters + +## @param kubeVersion Override Kubernetes version reported by .Capabilities ## kubeVersion: "" -## @param nameOverride String to partially override common.names.fullname +## @param apiVersions Override Kubernetes API versions reported by .Capabilities +## +apiVersions: [] +## @param nameOverride String to partially override common.names.name ## nameOverride: "" ## @param fullnameOverride String to fully override common.names.fullname 
@@ -53,49 +51,33 @@ namespaceOverride: "" ## @param commonLabels Labels to add to all deployed objects ## commonLabels: {} -## @param enableServiceLinks If set to false, disable Kubernetes service links in the pod spec -## Ref: https://kubernetes.io/docs/tutorials/services/connect-applications-service/#accessing-the-service -## -enableServiceLinks: true ## @param commonAnnotations Annotations to add to all deployed objects ## commonAnnotations: {} -## @param dnsPolicy DNS Policy for pod -## ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/ -## E.g. -## dnsPolicy: ClusterFirst -dnsPolicy: "" -## @param dnsConfig DNS Configuration pod -## ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/ -## E.g. -## dnsConfig: -## options: -## - name: ndots -## value: "4" -dnsConfig: {} ## @param clusterDomain Default Kubernetes cluster domain ## clusterDomain: cluster.local ## @param extraDeploy Array of extra objects to deploy with the release ## extraDeploy: [] +## Diagnostic mode +## @param diagnosticMode.enabled Enable diagnostic mode (all probes will be disabled and the command will be overridden) +## @param diagnosticMode.command Command to override all containers in the chart release +## @param diagnosticMode.args Args to override all containers in the chart release +## +diagnosticMode: + enabled: false + command: + - sleep + args: + - infinity +## @param useHelmHooks Enable use of Helm hooks if needed, e.g. 
on post-install jobs +## +useHelmHooks: true ## @param usePasswordFiles Mount credentials as files instead of using environment variables ## usePasswordFiles: true -## Enable diagnostic mode in the statefulset -## -diagnosticMode: - ## @param diagnosticMode.enabled Enable diagnostic mode (all probes will be disabled and the command will be overridden) - ## - enabled: false - ## @param diagnosticMode.command Command to override all containers in the the statefulset - ## - command: - - sleep - ## @param diagnosticMode.args Args to override all containers in the the statefulset - ## - args: - - infinity + ## @section Keycloak parameters ## Bitnami Keycloak image version 
@@ -105,28 +87,25 @@ diagnosticMode: ## @skip image.tag Keycloak image tag (immutable tags are recommended) ## @param image.digest Keycloak image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag ## @param image.pullPolicy Keycloak image pull policy -## @param image.pullSecrets Specify docker-registry secret names as an array -## @param image.debug Specify if debug logs should be enabled +## @param image.pullSecrets Keycloak image pull secrets +## @param image.debug Enable Keycloak image debug mode ## image: registry: docker.io repository: bitnami/keycloak - tag: 26.2.5-debian-12-r1 + tag: 26.3.3-debian-12-r0 digest: "" ## Specify a imagePullPolicy ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images ## pullPolicy: IfNotPresent - ## Optionally specify an array of imagePullSecrets. - ## Secrets must be manually created in the namespace. + ## Optionally specify an array of imagePullSecrets (secrets must be manually created in the namespace) ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ - ## Example: + ## e.g: ## pullSecrets: ## - myRegistryKeySecretName ## pullSecrets: [] - ## Set to true if you would like to see extra information on logs - ## debug: false ## Keycloak authentication parameters ## ref: https://github.com/bitnami/containers/tree/main/bitnami/keycloak#admin-credentials 
@@ -147,98 +126,102 @@ auth: ## @param auth.annotations Additional custom annotations for Keycloak auth secret object ## annotations: {} -## Custom Certificates -## @param customCaExistingSecret Name of the secret containing the Keycloak custom CA certificates. The secret will be mounted as a directory and configured using KC_TRUSTSTORE_PATHS. -## https://www.keycloak.org/server/keycloak-truststore -## Could be created like this: kubectl create secret generic secretName --from-file=./certificateToMerge.pem -customCaExistingSecret: "" +## @param production Run Keycloak in production mode. TLS configuration is required except when using proxy headers +## +production: true ## HTTPS settings -## ref: https://github.com/bitnami/containers/tree/main/bitnami/keycloak#tls-encryption +## +## @param tls.enabled Enable TLS in Keycloak +## @param tls.usePemCerts Use PEM certificates as input instead of PKS12/JKS stores +## @param tls.autoGenerated.enabled Enable automatic generation of TLS certificates +## @param tls.autoGenerated.engine Mechanism to generate the certificates (allowed values: helm, cert-manager) +## @param tls.autoGenerated.certManager.existingIssuer The name of an existing Issuer to use for generating the certificates (only for `cert-manager` engine) +## @param tls.autoGenerated.certManager.existingIssuerKind Existing Issuer kind, defaults to Issuer (only for `cert-manager` engine) +## @param tls.autoGenerated.certManager.keyAlgorithm Key algorithm for the certificates (only for `cert-manager` engine) +## @param tls.autoGenerated.certManager.keySize Key size for the certificates (only for `cert-manager` engine) +## @param tls.autoGenerated.certManager.duration Duration for the certificates (only for `cert-manager` engine) +## @param tls.autoGenerated.certManager.renewBefore Renewal period for the certificates (only for `cert-manager` engine) +## @param tls.existingSecret The name of an existing Secret containing the TLS certificates for Keycloak replicas +## 
@param tls.certFilename Certificate filename inside the existing secret (when tls.usePemCerts=true and tls.autoGenerated.enabled=false) +## @param tls.certKeyFilename Certificate key filename inside the existing secret (when tls.usePemCerts=true and tls.autoGenerated.enabled=false) +## @param tls.keystoreFilename Keystore filename inside the existing secret +## @param tls.truststoreFilename Truststore filename inside the existing secret +## @param tls.keystorePassword Password to access the keystore when it's password-protected +## @param tls.truststorePassword Password to access the truststore when it's password-protected +## @param tls.passwordsSecret The name of an existing Secret containing the keystore/truststore passwords (expected keys: `tls-keystore-password` and `tls-truststore-password`) ## tls: - ## @param tls.enabled Enable TLS encryption. Required for HTTPs traffic. - ## enabled: false - ## @param tls.autoGenerated Generate automatically self-signed TLS certificates. Currently only supports PEM certificates - ## - autoGenerated: false - ## @param tls.existingSecret Existing secret containing the TLS certificates per Keycloak replica + usePemCerts: false + autoGenerated: + enabled: true + engine: helm + certManager: + existingIssuer: "" + existingIssuerKind: "" + keySize: 2048 + keyAlgorithm: RSA + duration: 2160h + renewBefore: 360h ## Create this secret following the steps below: - ## 1) Generate your truststore and keystore files (more info at https://www.keycloak.org/docs/latest/server_installation/#_setting_up_ssl) - ## 2) Rename your truststore to `keycloak.truststore.jks` or use a different name overwriting the value 'tls.truststoreFilename'. - ## 3) Rename your keystores to `keycloak.keystore.jks` or use a different name overwriting the value 'tls.keystoreFilename'. 
+ ## 1) Generate your truststore and keystore files (more info at https://www.keycloak.org/server/enabletls) + ## 2) Rename your truststore to `keycloak.truststore.jks` + ## 3) Rename your keystores to `keycloak.keystore.jks` ## 4) Run the command below where SECRET_NAME is the name of the secret you want to create: ## kubectl create secret generic SECRET_NAME --from-file=./keycloak.truststore.jks --from-file=./keycloak.keystore.jks - ## NOTE: If usePem enabled, make sure the PEM key and cert are named 'tls.key' and 'tls.crt' respectively. + ## NOTE: If tls.usePemCerts enabled, make sure the PEM key and cert are named 'tls.key' and 'tls.crt' respectively. ## existingSecret: "" - ## @param tls.usePem Use PEM certificates as input instead of PKS12/JKS stores - ## If "true", the Keycloak chart will look for the files tls.key and tls.crt inside the secret provided with 'existingSecret'. - ## - usePem: false - ## @param tls.truststoreFilename Truststore filename inside the existing secret - ## - truststoreFilename: "keycloak.truststore.jks" - ## @param tls.keystoreFilename Keystore filename inside the existing secret - ## + certFilename: "tls.crt" + certKeyFilename: "tls.key" keystoreFilename: "keycloak.keystore.jks" - ## @param tls.keystorePassword Password to access the keystore when it's password-protected - ## + truststoreFilename: "keycloak.truststore.jks" keystorePassword: "" - ## @param tls.truststorePassword Password to access the truststore when it's password-protected - ## truststorePassword: "" - ## @param tls.passwordsSecret Secret containing the Keystore and Truststore passwords. - ## The secret must have "tls-keystore-password" and "tls-truststore-password" keys for the keystore and truststore respectively. 
- ## passwordsSecret: "" -## SPI TLS settings +## @param trustedCertsExistingSecret Name of the existing Secret containing the trusted certificates to validate communications with external services ## ref: https://www.keycloak.org/server/keycloak-truststore ## -spi: - ## @param spi.existingSecret Existing secret containing the Keycloak truststore for SPI connection over HTTPS/TLS - ## Create this secret following the steps below: - ## 1) Rename your truststore to `keycloak-spi.truststore.jks` or use a different name overwriting the value 'spi.truststoreFilename'. - ## 2) Run the command below where SECRET_NAME is the name of the secret you want to create: - ## kubectl create secret generic SECRET_NAME --from-file=./keycloak-spi.truststore.jks --from-file=./keycloak.keystore.jks - ## - existingSecret: "" - ## @param spi.truststorePassword Password to access the truststore when it's password-protected - ## - truststorePassword: "" - ## @param spi.truststoreFilename Truststore filename inside the existing secret - ## - truststoreFilename: "keycloak-spi.truststore.jks" - ## @param spi.passwordsSecret Secret containing the SPI Truststore passwords. - ## The secret must have "spi-truststore-password" key. - ## - passwordsSecret: "" - ## @param spi.hostnameVerificationPolicy Verify the hostname of the server's certificate. Allowed values: "ANY", "WILDCARD", "STRICT". - ## - hostnameVerificationPolicy: "" +trustedCertsExistingSecret: "" ## @param adminRealm Name of the admin realm ## adminRealm: "master" -## @param production Run Keycloak in production mode. TLS configuration is required except when using proxy=edge. 
-## -production: true ## @param proxyHeaders Set Keycloak proxy headers ## proxyHeaders: xforwarded -## @param proxy reverse Proxy mode edge, reencrypt, passthrough or none -## DEPRECATED: use proxyHeaders instead -## ref: https://www.keycloak.org/server/reverseproxy +## @param hostnameStrict Disables dynamically resolving the hostname from request headers (ignored if ingress.enabled is false). +## Should always be set to true in production, unless your reverse proxy overwrites the Host header. +## If enabled, the ingress.hostname option needs to be specified. ## -proxy: "" -## @param httpRelativePath Set the path relative to '/' for serving resources. Useful if you are migrating from older version which were using '/auth/' -## ref: https://www.keycloak.org/migration/migrating-to-quarkus#_default_context_path_changed +hostnameStrict: false +## @param httpEnabled Force enabling HTTP endpoint (by default is only enabled if TLS is disabled) +## +httpEnabled: false +## @param httpRelativePath Set the path relative to '/' for serving resources ## httpRelativePath: "/" -## Keycloak Service Discovery settings -## ref: https://github.com/bitnami/containers/tree/main/bitnami/keycloak#cluster-configuration +## Keycloak cache configuration +## ref: https://www.keycloak.org/server/caching +## @param cache.enabled Switch to enable or disable the Keycloak distributed cache for kubernetes. +## NOTE: Set to false to use 'local' cache (only supported when replicaCount=1). 
+## @param cache.stack Cache stack to use +## @param cache.configFile Path to the file from which cache configuration should be loaded from +## @param cache.useHeadlessServiceWithAppVersion Create a headless service used for ispn containing the app version ## +cache: + enabled: true + stack: jdbc-ping + configFile: "cache-ispn.xml" + useHeadlessServiceWithAppVersion: false +## Keycloak logging configuration +## ref: https://www.keycloak.org/server/logging +## @param logging.output Alternates between the default log output format or json format +## @param logging.level Allowed values as documented: FATAL, ERROR, WARN, INFO, DEBUG, TRACE, ALL, OFF +## +logging: + output: default + level: INFO ## @param configuration Keycloak Configuration. Auto-generated based on other parameters when not specified -## Specify content for keycloak.conf ## NOTE: This will override configuring Keycloak based on environment variables (including those set by the chart) ## The keycloak.conf is auto-generated based on other parameters when this parameter is not specified ## @@ -255,10 +238,6 @@ existingConfigmap: "" ## @param extraStartupArgs Extra default startup args ## extraStartupArgs: "" -## @param enableDefaultInitContainers Deploy default init containers -## Disable this parameter could be helpful for 3rd party images e.g native Keycloak image. -## -enableDefaultInitContainers: true ## @param initdbScripts Dictionary of initdb scripts ## Specify dictionary of scripts to be run at first boot ## ref: https://github.com/bitnami/containers/tree/main/bitnami/keycloak#initializing-a-new-instance 
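Review bot: `hostnameStrict: false` becomes the top-level default while `production: true` and `proxyHeaders: xforwarded` are kept, and the hunk's own comment says it "Should always be set to true in production"; the rendered ConfigMap correspondingly sets no `KC_HOSTNAME`, so the issuer hostname is taken from forwarded headers. Set `hostnameStrict: true` with a fixed hostname in the overrides, and note the comment also says the value is ignored when `ingress.enabled` is false, so confirm how this instance is actually fronted. This hunk further drops `customCaExistingSecret` and the whole `spi.*` block in favour of `trustedCertsExistingSecret`, and reshapes `tls.usePem` and `tls.autoGenerated` into `tls.usePemCerts` and `tls.autoGenerated.enabled`; Helm does not warn about unknown override keys, so any existing override written against the old names now silently no-ops (and a scalar `tls.autoGenerated` override would collide with the new map). The same silent relocation applies to `ingress.hostnameStrict`, which the ingress hunk at the end of the diff removes in favour of the top-level key.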
@@ -291,28 +270,21 @@ extraEnvVarsCM: "" ## @param extraEnvVarsSecret Name of existing Secret containing extra env vars ## extraEnvVarsSecret: "" -## @section Keycloak statefulset parameters - -## @param replicaCount Number of Keycloak replicas to deploy -## -replicaCount: 1 -## @param revisionHistoryLimitCount Number of controller revisions to keep -## -revisionHistoryLimitCount: 10 ## @param containerPorts.http Keycloak HTTP container port ## @param containerPorts.https Keycloak HTTPS container port -## @param containerPorts.metrics Keycloak metrics container port +## @param containerPorts.management Keycloak management container port ## containerPorts: http: 8080 https: 8443 - metrics: 9000 -## @param extraContainerPorts Optionally specify extra list of additional port-mappings for Keycloak container + management: 9000 +## @param extraContainerPorts Optionally specify extra list of additional ports for Keycloak container +## e.g: +## extraContainerPorts: +## - name: myservice +## containerPort: 9090 ## extraContainerPorts: [] -## @param statefulsetAnnotations Optionally add extra annotations on the statefulset resource -statefulsetAnnotations: {} -## ## Keycloak pods' SecurityContext ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod ## @param podSecurityContext.enabled Enabled Keycloak pods' Security Context @@ -381,7 +353,7 @@ resources: {} ## livenessProbe: enabled: true - initialDelaySeconds: 300 + initialDelaySeconds: 120 periodSeconds: 1 timeoutSeconds: 5 failureThreshold: 3 @@ -400,7 +372,6 @@ readinessProbe: timeoutSeconds: 1 failureThreshold: 3 successThreshold: 1 -## When enabling this, make sure to set initialDelaySeconds to 0 for livenessProbe and readinessProbe ## @param startupProbe.enabled Enable startupProbe on Keycloak containers ## @param startupProbe.initialDelaySeconds Initial delay seconds for startupProbe ## @param startupProbe.periodSeconds Period seconds for startupProbe 
@@ -413,21 +384,40 @@ startupProbe: initialDelaySeconds: 30 periodSeconds: 5 timeoutSeconds: 1 - failureThreshold: 60 + failureThreshold: 10 successThreshold: 1 ## @param customLivenessProbe Custom Liveness probes for Keycloak ## customLivenessProbe: {} -## @param customReadinessProbe Custom Rediness probes Keycloak +## @param customReadinessProbe Custom Readiness probes Keycloak ## customReadinessProbe: {} ## @param customStartupProbe Custom Startup probes for Keycloak ## customStartupProbe: {} -## @param lifecycleHooks LifecycleHooks to set additional configuration at startup + +## @section Keycloak StatefulSet parameters + +## @param replicaCount Number of Keycloak replicas to deploy ## -lifecycleHooks: {} -## @param automountServiceAccountToken Mount Service Account token in pod +replicaCount: 1 +## @param updateStrategy.type Keycloak StatefulSet type +## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies +## +updateStrategy: + ## Can be set to RollingUpdate or OnDelete + ## + type: RollingUpdate +## @param revisionHistoryLimitCount Number of controller revisions to keep +## +revisionHistoryLimitCount: 10 +## @param minReadySeconds How many seconds a pod needs to be ready before killing the next, during update +## +minReadySeconds: 0 +## @param statefulsetAnnotations Optionally add extra annotations on the StatefulSet resource +## +statefulsetAnnotations: {} +## @param automountServiceAccountToken Mount Service Account token in Keycloak pods ## automountServiceAccountToken: true ## @param hostAliases Deployment pod host aliases 
@@ -485,7 +475,7 @@ tolerations: [] ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/#spread-constraints-for-pods ## topologySpreadConstraints: [] -## @param podManagementPolicy Pod management policy for the Keycloak statefulset +## @param podManagementPolicy Pod management policy for the Keycloak StatefulSet ## podManagementPolicy: Parallel ## @param priorityClassName Keycloak pods' Priority Class Name @@ -500,16 +490,19 @@ schedulerName: "" ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods ## terminationGracePeriodSeconds: "" -## @param updateStrategy.type Keycloak statefulset strategy type -## @param updateStrategy.rollingUpdate Keycloak statefulset rolling update configuration parameters -## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies +## @param lifecycleHooks LifecycleHooks to set additional configuration at startup ## -updateStrategy: - type: RollingUpdate - rollingUpdate: {} -## @param minReadySeconds How many seconds a pod needs to be ready before killing the next, during update +lifecycleHooks: {} +## @param dnsPolicy DNS Policy for pod +## @param dnsConfig DNS Configuration pod +## ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/ ## -minReadySeconds: 0 +dnsPolicy: "" +dnsConfig: {} +## @param enableServiceLinks If set to false, disable Kubernetes service links in the pod spec +## Ref: https://kubernetes.io/docs/tutorials/services/connect-applications-service/#accessing-the-service +## +enableServiceLinks: true ## @param extraVolumes Optionally specify extra list of additional volumes for Keycloak pods ## extraVolumes: [] @@ -538,8 +531,8 @@ initContainers: [] ## containerPort: 1234 ## sidecars: [] -## @section Exposure parameters -## + +## @section Traffic Exposure Parameters ## Service configuration ## 
@@ -557,12 +550,17 @@ service:
 ports:
 http: 80
 https: 443
- ## @param service.nodePorts [object] Specify the nodePort values for the LoadBalancer and NodePort service types.
- ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport
+ ## Node ports to expose
+ ## @param service.nodePorts.http Node port for HTTP
+ ## @param service.nodePorts.https Node port for HTTPS
+ ## NOTE: choose port between <30000-32767>
 ##
 nodePorts:
 http: ""
 https: ""
+ ## @param service.extraPorts Extra port to expose on Keycloak service
+ ##
+ extraPorts: []
 ## @param service.sessionAffinity Control where client requests go, to the same pod or round-robin
 ## Values: ClientIP or None
 ## ref: https://kubernetes.io/docs/concepts/services-networking/service/
@@ -597,13 +595,6 @@ service:
 ## @param service.annotations Additional custom annotations for Keycloak service
 ##
 annotations: {}
- ## @param service.extraPorts Extra port to expose on Keycloak service
- ##
- extraPorts: []
- # DEPRECATED service.extraHeadlessPorts will be removed in a future release, please use service.headless.extraPorts instead
- ## @param service.extraHeadlessPorts Extra ports to expose on Keycloak headless service
- ##
- extraHeadlessPorts: []
 ## Headless service properties
 ##
 headless:
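Review bot: The second hunk (`@@ -597,13 +595,6 @@`) deletes `service.extraHeadlessPorts` outright, so a values file that still sets it is silently ignored at upgrade time (Helm does not reject unknown keys unless `values.schema.json` forbids them) and the ports the operator expected on the headless service simply vanish. Since the key was only marked deprecated until now, keep a stub with a `## DEPRECATED: use service.headless.extraPorts` comment for one more release, or have the schema reject the old key so the upgrade fails loudly rather than dropping ports. The `service` mapping starts before the hunk.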
@@ -620,31 +611,25 @@ ingress:
 ## @param ingress.enabled Enable ingress record generation for Keycloak
 ##
 enabled: false
- ## @param ingress.ingressClassName IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+)
- ## This is supported in Kubernetes 1.18+ and required if you have more than one IngressClass marked as the default for your cluster .
- ## ref: https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/
- ##
- ingressClassName: ""
 ## @param ingress.pathType Ingress path type
 ##
 pathType: ImplementationSpecific
 ## @param ingress.apiVersion Force Ingress API version (automatically detected if not set)
 ##
 apiVersion: ""
+ ## @param ingress.hostname Default host for the ingress record (evaluated as template)
+ ##
+ hostname: keycloak.local
+ ## @param ingress.ingressClassName IngressClass that will be be used to implement the Ingress (evaluated as template)
+ ## Required if you have more than one IngressClass marked as the default for your cluster
+ ##
+ ingressClassName: ""
 ## @param ingress.controller The ingress controller type. Currently supports `default` and `gce`
 ## leave as `default` for most ingress controllers.
 ## set to `gce` if using the GCE ingress controller
 ##
 controller: default
- ## @param ingress.hostname Default host for the ingress record (evaluated as template)
- ##
- hostname: keycloak.local
- ## @param ingress.hostnameStrict Disables dynamically resolving the hostname from request headers.
- ## Should always be set to true in production, unless your reverse proxy overwrites the Host header.
- ## If enabled, the hostname option needs to be specified.
- ##
- hostnameStrict: false
- ## @param ingress.path [string] Default path for the ingress record (evaluated as template)
+ ## @param ingress.path Default path for the ingress record
 ##
 path: "{{ .Values.httpRelativePath }}"
 ## @param ingress.servicePort Backend service port to use
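Review bot: The new `## @param ingress.path Default path for the ingress record` line drops the `(evaluated as template)` qualifier although the default stays `"{{ .Values.httpRelativePath }}"`, so the README generated from this annotation no longer tells users the value goes through `tpl`; restore it as `## @param ingress.path Default path for the ingress record (evaluated as template)`. The same hunk deletes `ingress.hostnameStrict` together with the note that it should be true in production; if Keycloak's hostname-strict option can no longer be set from values, or has moved elsewhere, say so in the upgrade notes, because a user who pinned `hostnameStrict: true` now silently loses that setting. The `ingress` mapping starts before the hunk.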
@@ -730,118 +715,6 @@ ingress: ## name: http ## extraRules: [] -## Keycloak admin ingress parameters -## ref: https://kubernetes.io/docs/user-guide/ingress/ -## -adminIngress: - ## @param adminIngress.enabled Enable admin ingress record generation for Keycloak - ## - enabled: false - ## @param adminIngress.ingressClassName IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+) - ## This is supported in Kubernetes 1.18+ and required if you have more than one IngressClass marked as the default for your cluster . - ## ref: https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/ - ## - ingressClassName: "" - ## @param adminIngress.pathType Ingress path type - ## - pathType: ImplementationSpecific - ## @param adminIngress.apiVersion Force Ingress API version (automatically detected if not set) - ## - apiVersion: "" - ## @param adminIngress.controller The ingress controller type. Currently supports `default` and `gce` - ## leave as `default` for most ingress controllers. - ## set to `gce` if using the GCE ingress controller - ## - controller: default - ## @param adminIngress.hostname Default host for the admin ingress record (evaluated as template) - ## - hostname: keycloak.local - ## @param adminIngress.path [string] Default path for the admin ingress record (evaluated as template) - ## - path: "{{ .Values.httpRelativePath }}" - ## @param adminIngress.servicePort Backend service port to use - ## Default is http. Alternative is https. - ## - servicePort: http - ## @param adminIngress.annotations [object] Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations. 
- ## Use this parameter to set the required annotations for cert-manager, see - ## ref: https://cert-manager.io/docs/usage/ingress/#supported-annotations - ## e.g: - ## annotations: - ## kubernetes.io/ingress.class: nginx - ## cert-manager.io/cluster-issuer: cluster-issuer-name - ## - annotations: {} - ## @param adminIngress.labels Additional labels for the Ingress resource. - ## e.g: - ## labels: - ## app: keycloak - ## - labels: {} - ## @param adminIngress.tls Enable TLS configuration for the host defined at `adminIngress.hostname` parameter - ## TLS certificates will be retrieved from a TLS secret with name: `{{- printf "%s-tls" (tpl .Values.adminIngress.hostname .) }}` - ## You can: - ## - Use the `adminIngress.secrets` parameter to create this TLS secret - ## - Rely on cert-manager to create it by setting the corresponding annotations - ## - Rely on Helm to create self-signed certificates by setting `adminIngress.selfSigned=true` - ## - tls: false - ## @param adminIngress.selfSigned Create a TLS secret for this ingress record using self-signed certificates generated by Helm - ## - selfSigned: false - ## @param adminIngress.extraHosts An array with additional hostname(s) to be covered with the admin ingress record - ## e.g: - ## extraHosts: - ## - name: keycloak.local - ## path: / - ## - extraHosts: [] - ## @param adminIngress.extraPaths Any additional arbitrary paths that may need to be added to the admin ingress under the main host. - ## For example: The ALB ingress controller requires a special rule for handling SSL redirection. - ## extraPaths: - ## - path: /* - ## backend: - ## serviceName: ssl-redirect - ## servicePort: use-annotation - ## - extraPaths: [] - ## @param adminIngress.extraTls The tls configuration for additional hostnames to be covered with this ingress record. 
- ## see: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
- ## extraTls:
- ## - hosts:
- ## - keycloak.local
- ## secretName: keycloak.local-tls
- ##
- extraTls: []
- ## @param adminIngress.secrets If you're providing your own certificates, please use this to add the certificates as secrets
- ## key and certificate should start with -----BEGIN CERTIFICATE----- or
- ## -----BEGIN RSA PRIVATE KEY-----
- ##
- ## name should line up with a tlsSecret set further up
- ## If you're using cert-manager, this is unneeded, as it will create the secret for you if it is not set
- ##
- ## It is also possible to create and manage the certificates outside of this helm chart
- ## Please see README.md for more information
- ## e.g:
- ## - name: keycloak.local-tls
- ## key:
- ## certificate:
- ##
- secrets: []
- ## @param adminIngress.extraRules Additional rules to be covered with this ingress record
- ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules
- ## e.g:
- ## extraRules:
- ## - host: keycloak.local
- ## http:
- ## path: /
- ## backend:
- ## service:
- ## name: keycloak
- ## port:
- ## name: http
- ##
- extraRules: []
 ## Network Policy configuration
 ## ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/
 ##
@@ -859,6 +732,9 @@ networkPolicy:
 ## @param networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations.
 ##
 allowExternalEgress: true
+ ## @param networkPolicy.addExternalClientAccess Allow access from pods with client label set to "true". Ignored if `networkPolicy.allowExternal` is true.
+ ##
+ addExternalClientAccess: true
 ## @param networkPolicy.kubeAPIServerPorts [array] List of possible endpoints to kube-apiserver (limit to your cluster settings to increase security)
 ##
 kubeAPIServerPorts: [443, 6443, 8443]
@@ -895,199 +771,190 @@ networkPolicy: ## - frontend ## extraEgress: [] + ## @param networkPolicy.ingressPodMatchLabels [object] Labels to match to allow traffic from other pods. Ignored if `networkPolicy.allowExternal` is true. + ## e.g: + ## ingressPodMatchLabels: + ## my-client: "true" + # + ingressPodMatchLabels: {} ## @param networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces ## @param networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces ## ingressNSMatchLabels: {} ingressNSPodMatchLabels: {} -## @section RBAC parameter -## Specifies whether a ServiceAccount should be created + +## @section Other parameters + +## ServiceAccount configuration +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ ## serviceAccount: - ## @param serviceAccount.create Enable the creation of a ServiceAccount for Keycloak pods + ## @param serviceAccount.create Specifies whether a ServiceAccount should be created ## create: true - ## @param serviceAccount.name Name of the created ServiceAccount - ## If not set and create is true, a name is generated using the fullname template + ## @param serviceAccount.name The name of the ServiceAccount to use. 
+ ## If not set and create is true, a name is generated using the common.names.fullname template ## name: "" - ## @param serviceAccount.automountServiceAccountToken Auto-mount the service account token in the pod - ## - automountServiceAccountToken: false - ## @param serviceAccount.annotations Additional custom annotations for the ServiceAccount + ## @param serviceAccount.annotations Additional Service Account annotations (evaluated as a template) ## annotations: {} - ## @param serviceAccount.extraLabels Additional labels for the ServiceAccount + ## @param serviceAccount.automountServiceAccountToken Automount service account token for the server service account + ## + automountServiceAccountToken: true + ## @param serviceAccount.extraLabels Additional Service Account labels (evaluated as a template) ## extraLabels: {} -## Specifies whether RBAC resources should be created -## -rbac: - ## @param rbac.create Whether to create and use RBAC resources or not - ## - create: false - ## @param rbac.rules Custom RBAC rules - ## Example: - ## rules: - ## - apiGroups: - ## - "" - ## resources: - ## - pods - ## verbs: - ## - get - ## - list - ## - rules: [] -## @section Other parameters -## - ## Keycloak Pod Disruption Budget configuration ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/ +## @param pdb.create Enable/disable a Pod Disruption Budget creation +## @param pdb.minAvailable Minimum number/percentage of pods that should remain scheduled +## @param pdb.maxUnavailable Maximum number/percentage of pods that may be made unavailable. Defaults to `1` if both `pdb.minAvailable` and `pdb.maxUnavailable` are empty. 
## pdb: - ## @param pdb.create Enable/disable a Pod Disruption Budget creation - ## create: true - ## @param pdb.minAvailable Minimum number/percentage of pods that should remain scheduled - ## minAvailable: "" - ## @param pdb.maxUnavailable Maximum number/percentage of pods that may be made unavailable - ## maxUnavailable: "" ## Keycloak Autoscaling configuration -## ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ -## @param autoscaling.enabled Enable autoscaling for Keycloak -## @param autoscaling.minReplicas Minimum number of Keycloak replicas -## @param autoscaling.maxReplicas Maximum number of Keycloak replicas -## @param autoscaling.targetCPU Target CPU utilization percentage -## @param autoscaling.targetMemory Target Memory utilization percentage +## ref: https://kubernetes.io/docs/concepts/workloads/autoscaling/ ## autoscaling: - enabled: false - minReplicas: 1 - maxReplicas: 11 - targetCPU: "" - targetMemory: "" - ## HPA Scaling Behavior - ## ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/#configurable-scaling-behavior + ## @param autoscaling.vpa.enabled Enable VPA for Keycloak pods + ## @param autoscaling.vpa.annotations Annotations for VPA resource + ## @param autoscaling.vpa.controlledResources VPA List of resources that the vertical pod autoscaler can control. 
Defaults to cpu and memory + ## @param autoscaling.vpa.maxAllowed VPA Max allowed resources for the pod + ## @param autoscaling.vpa.minAllowed VPA Min allowed resources for the pod ## - behavior: - ## HPA behavior when scaling up - ## @param autoscaling.behavior.scaleUp.stabilizationWindowSeconds The number of seconds for which past recommendations should be considered while scaling up - ## @param autoscaling.behavior.scaleUp.selectPolicy The priority of policies that the autoscaler will apply when scaling up - ## @param autoscaling.behavior.scaleUp.policies [array] HPA scaling policies when scaling up - ## e.g: - ## Policy to scale 20% of the pod in 60s - ## - type: Percent - ## value: 20 - ## periodSeconds: 60 + vpa: + enabled: false + annotations: {} + controlledResources: [] + maxAllowed: {} + minAllowed: {} + ## @param autoscaling.vpa.updatePolicy.updateMode Autoscaling update policy + ## Specifies whether recommended updates are applied when a Pod is started and whether recommended updates are applied during the life of a Pod + ## Possible values are "Off", "Initial", "Recreate", and "Auto". 
## - scaleUp: - stabilizationWindowSeconds: 120 - selectPolicy: Max - policies: [] - ## HPA behavior when scaling down - ## @param autoscaling.behavior.scaleDown.stabilizationWindowSeconds The number of seconds for which past recommendations should be considered while scaling down - ## @param autoscaling.behavior.scaleDown.selectPolicy The priority of policies that the autoscaler will apply when scaling down - ## @param autoscaling.behavior.scaleDown.policies [array] HPA scaling policies when scaling down - ## e.g: - ## Policy to scale one pod in 300s - ## - type: Pods - ## value: 1 - ## periodSeconds: 300 + updatePolicy: + updateMode: Auto + ## @param autoscaling.hpa.enabled Enable HPA for Keycloak pods + ## @param autoscaling.hpa.minReplicas Minimum number of Keycloak replicas + ## @param autoscaling.hpa.maxReplicas Maximum number of Keycloak replicas + ## @param autoscaling.hpa.targetCPU Target CPU utilization percentage + ## @param autoscaling.hpa.targetMemory Target Memory utilization percentage + ## + hpa: + enabled: false + minReplicas: 1 + maxReplicas: 11 + targetCPU: "" + targetMemory: "" + ## HPA Scaling Behavior + ## ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/#configurable-scaling-behavior ## - scaleDown: - stabilizationWindowSeconds: 300 - selectPolicy: Max - policies: - - type: Pods - value: 1 - periodSeconds: 300 -## @section Metrics parameters -## + behavior: + ## HPA behavior when scaling up + ## @param autoscaling.hpa.behavior.scaleUp.stabilizationWindowSeconds The number of seconds for which past recommendations should be considered while scaling up + ## @param autoscaling.hpa.behavior.scaleUp.selectPolicy The priority of policies that the autoscaler will apply when scaling up + ## @param autoscaling.hpa.behavior.scaleUp.policies [array] HPA scaling policies when scaling up + ## e.g: + ## Policy to scale 20% of the pod in 60s + ## - type: Percent + ## value: 20 + ## periodSeconds: 60 + ## + scaleUp: + 
stabilizationWindowSeconds: 120 + selectPolicy: Max + policies: [] + ## HPA behavior when scaling down + ## @param autoscaling.hpa.behavior.scaleDown.stabilizationWindowSeconds The number of seconds for which past recommendations should be considered while scaling down + ## @param autoscaling.hpa.behavior.scaleDown.selectPolicy The priority of policies that the autoscaler will apply when scaling down + ## @param autoscaling.hpa.behavior.scaleDown.policies [array] HPA scaling policies when scaling down + ## e.g: + ## Policy to scale one pod in 300s + ## - type: Pods + ## value: 1 + ## periodSeconds: 300 + ## + scaleDown: + stabilizationWindowSeconds: 300 + selectPolicy: Max + policies: + - type: Pods + value: 1 + periodSeconds: 300 + +## @section Metrics parameters -## Metrics configuration -## metrics: - ## @param metrics.enabled Enable exposing Keycloak statistics - ## ref: https://github.com/bitnami/containers/tree/main/bitnami/keycloak#enabling-statistics + ## @param metrics.enabled Enable exposing Keycloak metrics + ## ref: https://github.com/bitnami/containers/tree/main/bitnami/keycloak#enabling-metrics ## enabled: false ## Keycloak metrics service parameters ## service: + ## @param metrics.service.ports.metrics Metrics service Metrics port + ## ports: - ## @param metrics.service.ports.http Metrics service HTTP port - ## - http: 8080 - ## @param metrics.service.ports.https Metrics service HTTPS port - ## - https: 8443 - ## @param metrics.service.ports.metrics Metrics service Metrics port - ## metrics: 9000 ## @param metrics.service.annotations [object] Annotations for enabling prometheus to access the metrics endpoints ## annotations: prometheus.io/scrape: "true" prometheus.io/port: "{{ .Values.metrics.service.ports.metrics }}" - ## @param metrics.service.extraPorts [array] Add additional ports to the keycloak metrics service (i.e. 
admin port 9000) + ## @param metrics.service.extraPorts [array] Add additional ports to the keycloak metrics service ## extraPorts: [] ## Prometheus Operator ServiceMonitor configuration ## serviceMonitor: - ## @param metrics.serviceMonitor.enabled Create ServiceMonitor Resource for scraping metrics using PrometheusOperator + ## @param metrics.serviceMonitor.enabled if `true`, creates a Prometheus Operator ServiceMonitor (also requires `metrics.enabled` to be `true`) ## enabled: false - ## @param metrics.serviceMonitor.port Metrics service HTTP port - ## - port: metrics - ## @param metrics.serviceMonitor.scheme Metrics service scheme - ## - scheme: http - ## @param metrics.serviceMonitor.tlsConfig Metrics service TLS configuration - ## - tlsConfig: {} - ## @param metrics.serviceMonitor.endpoints [array] The endpoint configuration of the ServiceMonitor. Path is mandatory. Port, scheme, tlsConfig, interval, timeout and labellings can be overwritten. - ## - endpoints: - - path: '{{ include "keycloak.httpPath" . }}metrics' - - path: '{{ include "keycloak.httpPath" . }}realms/{{ .Values.adminRealm }}/metrics' - port: http - ## @param metrics.serviceMonitor.path Metrics service HTTP path. 
Deprecated: Use @param metrics.serviceMonitor.endpoints instead - ## - path: "" - ## @param metrics.serviceMonitor.namespace Namespace which Prometheus is running in + ## @param metrics.serviceMonitor.namespace Namespace in which Prometheus is running ## namespace: "" - ## @param metrics.serviceMonitor.interval Interval at which metrics should be scraped + ## @param metrics.serviceMonitor.annotations Additional custom annotations for the ServiceMonitor ## - interval: 30s - ## @param metrics.serviceMonitor.scrapeTimeout Specify the timeout after which the scrape is ended - ## e.g: - ## scrapeTimeout: 30s - ## - scrapeTimeout: "" - ## @param metrics.serviceMonitor.labels Additional labels that can be used so ServiceMonitor will be discovered by Prometheus + annotations: {} + ## @param metrics.serviceMonitor.labels Extra labels for the ServiceMonitor ## labels: {} - ## @param metrics.serviceMonitor.selector Prometheus instance selector labels - ## ref: https://github.com/bitnami/charts/tree/main/bitnami/prometheus-operator#prometheus-configuration + ## @param metrics.serviceMonitor.jobLabel The name of the label on the target service to use as the job name in Prometheus ## - selector: {} - ## @param metrics.serviceMonitor.relabelings RelabelConfigs to apply to samples before scraping - ## - relabelings: [] - ## @param metrics.serviceMonitor.metricRelabelings MetricRelabelConfigs to apply to samples before ingestion - ## - metricRelabelings: [] + jobLabel: "" ## @param metrics.serviceMonitor.honorLabels honorLabels chooses the metric's labels on collisions with target labels ## honorLabels: false - ## @param metrics.serviceMonitor.jobLabel The name of the label on the target service to use as the job name in prometheus. + ## @param metrics.serviceMonitor.tlsConfig [object] TLS configuration used for scrape endpoints used by Prometheus ## - jobLabel: "" + tlsConfig: {} + ## @param metrics.serviceMonitor.interval Interval at which metrics should be scraped. 
+ ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint
+ ## e.g:
+ ## interval: 10s
+ ##
+ interval: ""
+ ## @param metrics.serviceMonitor.scrapeTimeout Timeout after which the scrape is ended
+ ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint
+ ## e.g:
+ ## scrapeTimeout: 10s
+ ##
+ scrapeTimeout: ""
+ ## @param metrics.serviceMonitor.metricRelabelings Specify additional relabeling of metrics
+ ##
+ metricRelabelings: []
+ ## @param metrics.serviceMonitor.relabelings Specify general relabeling
+ ##
+ relabelings: []
+ ## @param metrics.serviceMonitor.selector Prometheus instance selector labels
+ ## ref: https://github.com/bitnami/charts/tree/main/bitnami/prometheus-operator#prometheus-configuration
+ ## selector:
+ ## prometheus: my-prometheus
+ ##
+ selector: {}
 ## Prometheus Operator alert rules configuration
 ##
 prometheusRule:
@@ -1114,6 +981,7 @@ metrics: ## labels: ## severity: critical groups: [] + ## @section keycloak-config-cli parameters ## Configuration for keycloak-config-cli
@@ -1135,7 +1003,7 @@ keycloakConfigCli:
 image:
 registry: docker.io
 repository: bitnami/keycloak-config-cli
- tag: 6.4.0-debian-12-r7
+ tag: 6.4.0-debian-12-r11
 digest: ""
 ## Specify a imagePullPolicy
 ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images
@@ -1150,12 +1018,8 @@ keycloakConfigCli:
 ##
 pullSecrets: []
 ## @param keycloakConfigCli.annotations [object] Annotations for keycloak-config-cli job
- ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
 ##
- annotations:
- helm.sh/hook: "post-install,post-upgrade,post-rollback"
- helm.sh/hook-delete-policy: "hook-succeeded,before-hook-creation"
- helm.sh/hook-weight: "5"
+ annotations: {}
 ## @param keycloakConfigCli.command Command for running the container (set to default if not set). Use array form
 ##
 command: []
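Review bot: `serviceAccount.automountServiceAccountToken` flips from `false` to `true` in the same hunk (`@@ -895,199 +771,190 @@`) that deletes the `rbac` section (`rbac.create`, `rbac.rules`), so every Keycloak pod now gets a Kubernetes API token mounted while the chart declares no permission that would use it; an unused token is attack surface a compromised container can present to the API server, and the previous default already ran the pods without one. Keep `automountServiceAccountToken: false` unless a template in this change actually calls the API, and name that use in the @param text instead of the generic `Automount service account token for the server service account`. Two smaller points in the same hunk: the line closing the `ingressPodMatchLabels` example is a lone `#` where the file uses `##`, and moving `autoscaling.enabled`/`minReplicas`/`maxReplicas`/`targetCPU`/`targetMemory` under `autoscaling.hpa` plus dropping `metrics.serviceMonitor.endpoints` silently invalidates existing values files and deserves an upgrade note.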
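Review bot: Replacing the `helm.sh/hook` annotations with `annotations: {}` in the last hunk (`@@ -1150,12 +1018,8 @@`) changes when the keycloak-config-cli Job runs: it is no longer a post-install/post-upgrade/post-rollback hook and is no longer deleted on success, so unless the Job template now supplies those annotations itself (not visible in this diff) it becomes an ordinary release resource that Helm creates once and, because a Job's pod template is immutable, cannot update on `helm upgrade` without a fresh name. Confirm which of the two it is and record it in the @param text, e.g. `## NOTE: the hook annotations are set by the template; add only extra annotations here` if the template carries them, or the previous `helm.sh/hook` defaults if it does not.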
@@ -1243,10 +1107,10 @@ keycloakConfigCli:
 ##
 nodeSelector: {}
 ##
- ## @param keycloakConfigCli.podTolerations Tolerations for job pod assignment
+ ## @param keycloakConfigCli.tolerations Tolerations for job pod assignment
 ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
 ##
- podTolerations: []
+ tolerations: []
 ## keycloak-config-cli availability-check configuration
 ## ref: https://github.com/adorsys/keycloak-config-cli#Configuration
 ## @param keycloakConfigCli.availabilityCheck.enabled Whether to wait until Keycloak is available
@@ -1322,6 +1186,63 @@ keycloakConfigCli: cleanupAfterFinished: enabled: false seconds: 600 + +## @section Default init container parameters + +## Default init Containers +## +defaultInitContainers: + ## 'prepare-write-dirs' init container + ## Copies writable directories to an empty dir volume in order to not break the application functionality + ## + prepareWriteDirs: + ## @param defaultInitContainers.prepareWriteDirs.enabled Enable init container that copies writable directories to an empty dir + ## + enabled: true + ## Configure "prepare-write-dirs" init-container Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + ## @param defaultInitContainers.prepareWriteDirs.containerSecurityContext.enabled Enabled "prepare-write-dirs" init-containers' Security Context + ## @param defaultInitContainers.prepareWriteDirs.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in "prepare-write-dirs" init-containers + ## @param defaultInitContainers.prepareWriteDirs.containerSecurityContext.runAsUser Set runAsUser in "prepare-write-dirs" init-containers' Security Context + ## @param defaultInitContainers.prepareWriteDirs.containerSecurityContext.runAsGroup Set runAsGroup in "prepare-write-dirs" init-containers' Security Context + ## @param defaultInitContainers.prepareWriteDirs.containerSecurityContext.runAsNonRoot Set runAsNonRoot in "prepare-write-dirs" init-containers' Security Context + ## @param defaultInitContainers.prepareWriteDirs.containerSecurityContext.privileged Set privileged in "prepare-write-dirs" init-containers' Security Context + ## @param defaultInitContainers.prepareWriteDirs.containerSecurityContext.readOnlyRootFilesystem Set readOnlyRootFilesystem in "prepare-write-dirs" init-containers' Security Context + ## @param defaultInitContainers.prepareWriteDirs.containerSecurityContext.allowPrivilegeEscalation Set allowPrivilegeEscalation in 
"prepare-write-dirs" init-containers' Security Context + ## @param defaultInitContainers.prepareWriteDirs.containerSecurityContext.capabilities.drop List of capabilities to be dropped in "prepare-write-dirs" init-containers + ## @param defaultInitContainers.prepareWriteDirs.containerSecurityContext.seccompProfile.type Set seccomp profile in "prepare-write-dirs" init-containers + ## + containerSecurityContext: + enabled: true + seLinuxOptions: {} + runAsUser: 1001 + runAsGroup: 1001 + runAsNonRoot: true + privileged: false + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] + seccompProfile: + type: "RuntimeDefault" + ## Keycloak "prepare-write-dirs" init container resource requests and limits + ## ref: http://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ + ## @param defaultInitContainers.prepareWriteDirs.resourcesPreset Set Keycloak "prepare-write-dirs" init container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if defaultInitContainers.prepareWriteDirs.resources is set (defaultInitContainers.prepareWriteDirs.resources is recommended for production). + ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 + ## + resourcesPreset: "nano" + ## @param defaultInitContainers.prepareWriteDirs.resources Set Keycloak "prepare-write-dirs" init container requests and limits for different resources like CPU or memory (essential for production workloads) + ## E.g: + ## resources: + ## requests: + ## cpu: 2 + ## memory: 512Mi + ## limits: + ## cpu: 3 + ## memory: 1024Mi + ## + resources: {} + ## @section Database parameters ## PostgreSQL chart configuration @@ -1337,8 +1258,6 @@ keycloakConfigCli: ## postgresql: enabled: true - image: - tag: 16.6.0-debian-12-r2 auth: postgresPassword: "" username: keycloak 
@@ -1348,7 +1267,6 @@ postgresql:
 secretKeys:
 postgres-password: postgres-password
 userPasswordKey: db-pass
- #replicationPasswordKey: postgres-repl-pass
 architecture: standalone
 primary:
 persistence:
@@ -1363,49 +1281,22 @@ postgresql:
 ## @param externalDatabase.user Non-root username for Keycloak
 ## @param externalDatabase.password Password for the non-root username for Keycloak
 ## @param externalDatabase.database Keycloak database name
+## @param externalDatabase.schema Keycloak database schema
 ## @param externalDatabase.existingSecret Name of an existing secret resource containing the database credentials
-## @param externalDatabase.existingSecretHostKey Name of an existing secret key containing the database host name
-## @param externalDatabase.existingSecretPortKey Name of an existing secret key containing the database port
 ## @param externalDatabase.existingSecretUserKey Name of an existing secret key containing the database user
-## @param externalDatabase.existingSecretDatabaseKey Name of an existing secret key containing the database name
 ## @param externalDatabase.existingSecretPasswordKey Name of an existing secret key containing the database credentials
 ## @param externalDatabase.annotations Additional custom annotations for external database secret object
+## @param externalDatabase.extraParams Additional JDBC connection parameters appended to the JDBC URL (KC_DB_URL).
 ##
 externalDatabase:
 host: ""
 port: 5432
- user: keycloak
- database: keycloak
+ user: bn_keycloak
+ database: bitnami_keycloak
+ schema: public
 password: ""
 existingSecret: ""
- existingSecretHostKey: ""
- existingSecretPortKey: ""
 existingSecretUserKey: ""
- existingSecretDatabaseKey: ""
 existingSecretPasswordKey: ""
 annotations: {}
-## @section Keycloak Cache parameters
-
-## Keycloak cache configuration
-## ref: https://www.keycloak.org/server/caching
-## @param cache.enabled Switch to enable or disable the keycloak distributed cache for kubernetes.
-## NOTE: Set to false to use 'local' cache (only supported when replicaCount=1).
-## @param cache.stack Set infinispan cache stack to use, sets KC_CACHE_STACK ()
-## @param cache.configFile Set infinispan cache stack config filename sets KC_CACHE_CONFIG_FILE ()
-## @param cache.useHeadlessServiceWithAppVersion Set to true to create the headless service used for ispn containing the app version
-##
-cache:
- enabled: true
- stack: kubernetes
- configFile: "cache-ispn.xml"
- useHeadlessServiceWithAppVersion: false
-## @section Keycloak Logging parameters
-
-## Keycloak logging configuration
-## ref: https://www.keycloak.org/server/logging
-## @param logging.output Alternates between the default log output format or json format
-## @param logging.level Allowed values as documented: FATAL, ERROR, WARN, INFO, DEBUG, TRACE, ALL, OFF
-##
-logging:
- output: default
- level: INFO
+ extraParams: ""
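Review bot: The new defaults `user: bn_keycloak` and `database: bitnami_keycloak` replace `keycloak`/`keycloak`, so an external-database deployment that relied on the old defaults will point at a non-existent role and database after the upgrade; call the rename out in the upgrade notes or keep the old values. The same hunk drops `existingSecretHostKey`, `existingSecretPortKey` and `existingSecretDatabaseKey`, which were the only way to source the database host, port and name from a Secret rather than plain values, and adds `extraParams`, which the @param text says is appended verbatim to `KC_DB_URL` — presumably without escaping, so the comment should state the exact format expected (a URL-encoded query fragment, and whether a leading `&` is added by the chart or must be supplied), e.g. `## e.g. extraParams: "sslmode=require"`. The `cache` and `logging` sections are removed without a visible replacement; if the cache stack and log level can no longer be chosen from values, that belongs in the upgrade notes as well.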