keycloak update

Philip Haupt
2025-11-08 15:22:26 +01:00
parent 0cda59699f
commit f5024da2b5
3 changed files with 663 additions and 1556 deletions


@@ -1,335 +1,209 @@
apiVersion: v1
automountServiceAccountToken: true
imagePullSecrets: []
kind: ServiceAccount
metadata:
labels:
app.kubernetes.io/component: keycloak
app.kubernetes.io/instance: keycloak
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: keycloak
app.kubernetes.io/part-of: keycloak
app.kubernetes.io/version: 26.3.3
helm.sh/chart: keycloak-25.2.0
name: keycloak
namespace: keycloak
---
apiVersion: v1
data:
BITNAMI_DEBUG: "false"
JAVA_OPTS_APPEND: -Djgroups.dns.query=keycloak-headless.keycloak.svc.cluster.local
KC_BOOTSTRAP_ADMIN_PASSWORD_FILE: /opt/bitnami/keycloak/secrets/admin-password
KC_BOOTSTRAP_ADMIN_USERNAME: user
KC_CACHE: ispn
KC_CACHE_CONFIG_FILE: cache-ispn.xml
KC_CACHE_STACK: jdbc-ping
KC_DB_PASSWORD_FILE: /opt/bitnami/keycloak/secrets/db-password
KC_DB_SCHEMA: public
KC_DB_URL: jdbc:postgresql://cnpg-keycloak-cluster-rw:5432/keycloak?currentSchema=public
KC_DB_USERNAME_FILE: /opt/bitnami/keycloak/secrets/db-user
KC_HTTP_ENABLED: "true"
KC_HTTP_MANAGEMENT_PORT: "9000"
KC_HTTP_PORT: "8080"
KC_HTTP_RELATIVE_PATH: /
KC_LOG_CONSOLE_OUTPUT: default
KC_LOG_LEVEL: INFO
KC_METRICS_ENABLED: "false"
KC_PROXY_HEADERS: xforwarded
KC_SPI_ADMIN_REALM: master
KEYCLOAK_PRODUCTION: "true"
kind: ConfigMap
metadata:
labels:
app.kubernetes.io/component: keycloak
app.kubernetes.io/instance: keycloak
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: keycloak
app.kubernetes.io/part-of: keycloak
app.kubernetes.io/version: 26.3.3
helm.sh/chart: keycloak-25.2.0
name: keycloak-env-vars
app.kubernetes.io/name: keycloakx
app.kubernetes.io/version: 26.4.0
helm.sh/chart: keycloakx-7.1.4
name: keycloak-keycloakx
namespace: keycloak
---
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/component: keycloak
app.kubernetes.io/component: headless
app.kubernetes.io/instance: keycloak
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: keycloak
app.kubernetes.io/part-of: keycloak
app.kubernetes.io/version: 26.3.3
helm.sh/chart: keycloak-25.2.0
name: keycloak
app.kubernetes.io/name: keycloakx
app.kubernetes.io/version: 26.4.0
helm.sh/chart: keycloakx-7.1.4
name: keycloak-keycloakx-headless
namespace: keycloak
spec:
clusterIP: None
ports:
- name: http
nodePort: null
port: 80
protocol: TCP
targetPort: http
selector:
app.kubernetes.io/component: keycloak
app.kubernetes.io/instance: keycloak
app.kubernetes.io/name: keycloak
app.kubernetes.io/part-of: keycloak
sessionAffinity: None
app.kubernetes.io/name: keycloakx
type: ClusterIP
---
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/component: keycloak
app.kubernetes.io/component: http
app.kubernetes.io/instance: keycloak
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: keycloak
app.kubernetes.io/part-of: keycloak
app.kubernetes.io/version: 26.3.3
helm.sh/chart: keycloak-25.2.0
name: keycloak-headless
app.kubernetes.io/name: keycloakx
app.kubernetes.io/version: 26.4.0
helm.sh/chart: keycloakx-7.1.4
name: keycloak-keycloakx-http
namespace: keycloak
spec:
clusterIP: None
ports:
- name: http-internal
port: 9000
protocol: TCP
targetPort: http-internal
- name: http
port: 8080
port: 80
protocol: TCP
targetPort: http
publishNotReadyAddresses: true
- name: https
port: 8443
protocol: TCP
targetPort: https
selector:
app.kubernetes.io/component: keycloak
app.kubernetes.io/instance: keycloak
app.kubernetes.io/name: keycloak
app.kubernetes.io/part-of: keycloak
app.kubernetes.io/name: keycloakx
type: ClusterIP
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
labels:
app.kubernetes.io/component: keycloak
app.kubernetes.io/instance: keycloak
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: keycloak
app.kubernetes.io/part-of: keycloak
app.kubernetes.io/version: 26.3.3
helm.sh/chart: keycloak-25.2.0
name: keycloak
app.kubernetes.io/name: keycloakx
app.kubernetes.io/version: 26.4.0
helm.sh/chart: keycloakx-7.1.4
name: keycloak-keycloakx
namespace: keycloak
spec:
podManagementPolicy: Parallel
podManagementPolicy: OrderedReady
replicas: 1
revisionHistoryLimit: 10
selector:
matchLabels:
app.kubernetes.io/component: keycloak
app.kubernetes.io/instance: keycloak
app.kubernetes.io/name: keycloak
app.kubernetes.io/part-of: keycloak
serviceName: keycloak-headless
app.kubernetes.io/name: keycloakx
serviceName: keycloak-keycloakx-headless
template:
metadata:
annotations:
checksum/configmap-env-vars: 498a12f8777f12d59d6882fb3d91d07e42a62033c17e3ded6aa2ee0ddeb71b9b
checksum/config-startup: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
checksum/secrets: 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
labels:
app.kubernetes.io/component: keycloak
app.kubernetes.io/instance: keycloak
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: keycloak
app.kubernetes.io/part-of: keycloak
app.kubernetes.io/version: 26.3.3
helm.sh/chart: keycloak-25.2.0
app.kubernetes.io/name: keycloakx
spec:
affinity:
nodeAffinity: null
podAffinity: null
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- podAffinityTerm:
labelSelector:
matchExpressions:
- key: app.kubernetes.io/component
operator: NotIn
values:
- test
matchLabels:
app.kubernetes.io/component: keycloak
app.kubernetes.io/instance: keycloak
app.kubernetes.io/name: keycloak
topologyKey: kubernetes.io/hostname
weight: 1
automountServiceAccountToken: true
app.kubernetes.io/name: keycloakx
topologyKey: topology.kubernetes.io/zone
weight: 100
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchExpressions:
- key: app.kubernetes.io/component
operator: NotIn
values:
- test
matchLabels:
app.kubernetes.io/instance: keycloak
app.kubernetes.io/name: keycloakx
topologyKey: kubernetes.io/hostname
containers:
- env:
- name: KUBERNETES_NAMESPACE
- name: KC_HTTP_RELATIVE_PATH
value: /auth
- name: KC_CACHE
value: ispn
- name: KC_CACHE_STACK
value: jdbc-ping
- name: KC_PROXY_HEADERS
value: forwarded
- name: KC_HTTP_ENABLED
value: "true"
- name: KC_DB
value: postgres
- name: KC_DB_URL_HOST
value: cnpg-keycloak-cluster-rw.keycloak.svc.cluster.local
- name: KC_DB_URL_PORT
value: "1234"
- name: KC_DB_URL_DATABASE
value: keycloak
- name: KC_DB_USERNAME
value: keycloak
- name: KC_DB_PASSWORD
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
envFrom:
- configMapRef:
name: keycloak-env-vars
image: docker.io/bitnamilegacy/keycloak:26.3.3-debian-12-r0
secretKeyRef:
key: password
name: cnpg-keycloak-cluster-app
- name: KC_METRICS_ENABLED
value: "true"
- name: KC_HEALTH_ENABLED
value: "true"
envFrom: null
image: quay.io/keycloak/keycloak:26.4.0
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 3
initialDelaySeconds: 120
periodSeconds: 1
successThreshold: 1
tcpSocket:
port: http
httpGet:
path: /auth/health/live
port: http-internal
scheme: HTTP
initialDelaySeconds: 0
timeoutSeconds: 5
name: keycloak
ports:
- containerPort: 8080
name: http
protocol: TCP
- containerPort: 7800
name: discovery
- containerPort: 9000
name: http-internal
protocol: TCP
- containerPort: 8443
name: https
protocol: TCP
readinessProbe:
failureThreshold: 3
httpGet:
path: /realms/master
port: http
path: /auth/health/ready
port: http-internal
scheme: HTTP
initialDelaySeconds: 30
periodSeconds: 10
successThreshold: 1
initialDelaySeconds: 10
timeoutSeconds: 1
resources:
limits:
cpu: 750m
ephemeral-storage: 2Gi
memory: 768Mi
requests:
cpu: 500m
ephemeral-storage: 50Mi
memory: 512Mi
resources: {}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 1001
runAsNonRoot: true
runAsUser: 1001
seLinuxOptions: {}
seccompProfile:
type: RuntimeDefault
volumeMounts:
- mountPath: /tmp
name: empty-dir
subPath: tmp-dir
- mountPath: /bitnami/keycloak
name: empty-dir
subPath: app-volume-dir
- mountPath: /opt/bitnami/keycloak/conf
name: empty-dir
subPath: app-conf-dir
- mountPath: /opt/bitnami/keycloak/lib/quarkus
name: empty-dir
subPath: app-quarkus-dir
- mountPath: /opt/bitnami/keycloak/data
name: empty-dir
subPath: app-data-dir
- mountPath: /opt/bitnami/keycloak/providers
name: empty-dir
subPath: app-providers-dir
- mountPath: /opt/bitnami/keycloak/themes
name: empty-dir
subPath: app-themes-dir
- mountPath: /opt/bitnami/keycloak/secrets
name: keycloak-secrets
runAsUser: 1000
startupProbe:
failureThreshold: 60
httpGet:
path: /auth/health
port: http-internal
scheme: HTTP
initialDelaySeconds: 15
periodSeconds: 5
timeoutSeconds: 1
volumeMounts: null
enableServiceLinks: true
initContainers:
- args:
- -ec
- |
. /opt/bitnami/scripts/liblog.sh
info "Copying writable dirs to empty dir"
# In order to not break the application functionality we need to make some
# directories writable, so we need to copy it to an empty dir volume
cp -r --preserve=mode,timestamps /opt/bitnami/keycloak/lib/quarkus /emptydir/app-quarkus-dir
cp -r --preserve=mode,timestamps /opt/bitnami/keycloak/data /emptydir/app-data-dir
cp -r --preserve=mode,timestamps /opt/bitnami/keycloak/providers /emptydir/app-providers-dir
cp -r --preserve=mode,timestamps /opt/bitnami/keycloak/themes /emptydir/app-themes-dir
info "Copy operation completed"
command:
- /bin/bash
image: docker.io/bitnamilegacy/keycloak:26.3.3-debian-12-r0
imagePullPolicy: IfNotPresent
name: prepare-write-dirs
resources:
limits:
cpu: 150m
ephemeral-storage: 2Gi
memory: 192Mi
requests:
cpu: 100m
ephemeral-storage: 50Mi
memory: 128Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 1001
runAsNonRoot: true
runAsUser: 1001
seLinuxOptions: {}
seccompProfile:
type: RuntimeDefault
volumeMounts:
- mountPath: /emptydir
name: empty-dir
restartPolicy: Always
securityContext:
fsGroup: 1001
fsGroupChangePolicy: Always
supplementalGroups: []
sysctls: []
serviceAccountName: keycloak
volumes:
- emptyDir: {}
name: empty-dir
- name: keycloak-secrets
projected:
sources:
- secret:
name: keycloak
- secret:
items:
- key: password
path: db-password
- key: user
path: db-user
name: cnpg-keycloak-cluster-app
fsGroup: 1000
serviceAccountName: keycloak-keycloakx
terminationGracePeriodSeconds: 60
volumes: null
updateStrategy:
type: RollingUpdate
---
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
labels:
app.kubernetes.io/component: keycloak
app.kubernetes.io/instance: keycloak
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: keycloak
app.kubernetes.io/part-of: keycloak
app.kubernetes.io/version: 26.3.3
helm.sh/chart: keycloak-25.2.0
name: keycloak
namespace: keycloak
spec:
maxUnavailable: 1
selector:
matchLabels:
app.kubernetes.io/component: keycloak
app.kubernetes.io/instance: keycloak
app.kubernetes.io/name: keycloak
app.kubernetes.io/part-of: keycloak
---
apiVersion: batch/v1
kind: Job
metadata:
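Review bot: The container securityContext on the new side appears to have shrunk to a bare `runAsUser: 1000` (L355), so the `allowPrivilegeEscalation: false`, `capabilities.drop: [ALL]`, `runAsNonRoot: true`, `readOnlyRootFilesystem: true` and `seccompProfile: RuntimeDefault` settings the previous manifest carried are no longer applied to the keycloak container, and the pod-level context likewise keeps only `fsGroup: 1000` (L432). Because the +/- markers are lost on this page, the assignment of lines to sides is inferred from the 1000/1001 UID split and the chart labels, so please confirm against the rendered keycloakx output. Two more things worth a look in the same hunk: `KC_DB_URL_PORT: "1234"` (L245) differs from the 5432 the old JDBC URL used for the same CNPG `-rw` service, and `resources: {}` (L317) leaves the container with no limits at all. The block below restores the container-level hardening on the upstream image; `readOnlyRootFilesystem` is left out until it is verified that the quay.io image does not need a writable root.
```yaml
          securityContext:
            runAsUser: 1000
            runAsNonRoot: true
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            seccompProfile:
              type: RuntimeDefault
          # … unchanged: startupProbe, volumeMounts …
```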
@@ -375,36 +249,6 @@ spec:
name: alpine
restartPolicy: Never
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
labels:
app.kubernetes.io/component: keycloak
app.kubernetes.io/instance: keycloak
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: keycloak
app.kubernetes.io/part-of: keycloak
app.kubernetes.io/version: 26.3.3
helm.sh/chart: keycloak-25.2.0
name: keycloak
namespace: keycloak
spec:
egress:
- {}
ingress:
- ports:
- port: 8080
- port: 7800
podSelector:
matchLabels:
app.kubernetes.io/component: keycloak
app.kubernetes.io/instance: keycloak
app.kubernetes.io/name: keycloak
app.kubernetes.io/part-of: keycloak
policyTypes:
- Ingress
- Egress
---
apiVersion: postgresql.cnpg.io/v1
kind: Cluster
metadata: