keycloak update

This commit is contained in:
Philip Haupt
2025-11-08 15:22:26 +01:00
parent 0cda59699f
commit f5024da2b5
3 changed files with 663 additions and 1556 deletions


@@ -1,335 +1,209 @@
apiVersion: v1 apiVersion: v1
automountServiceAccountToken: true automountServiceAccountToken: true
imagePullSecrets: []
kind: ServiceAccount kind: ServiceAccount
metadata: metadata:
labels: labels:
app.kubernetes.io/component: keycloak
app.kubernetes.io/instance: keycloak app.kubernetes.io/instance: keycloak
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: keycloak app.kubernetes.io/name: keycloakx
app.kubernetes.io/part-of: keycloak app.kubernetes.io/version: 26.4.0
app.kubernetes.io/version: 26.3.3 helm.sh/chart: keycloakx-7.1.4
helm.sh/chart: keycloak-25.2.0 name: keycloak-keycloakx
name: keycloak
namespace: keycloak
---
apiVersion: v1
data:
BITNAMI_DEBUG: "false"
JAVA_OPTS_APPEND: -Djgroups.dns.query=keycloak-headless.keycloak.svc.cluster.local
KC_BOOTSTRAP_ADMIN_PASSWORD_FILE: /opt/bitnami/keycloak/secrets/admin-password
KC_BOOTSTRAP_ADMIN_USERNAME: user
KC_CACHE: ispn
KC_CACHE_CONFIG_FILE: cache-ispn.xml
KC_CACHE_STACK: jdbc-ping
KC_DB_PASSWORD_FILE: /opt/bitnami/keycloak/secrets/db-password
KC_DB_SCHEMA: public
KC_DB_URL: jdbc:postgresql://cnpg-keycloak-cluster-rw:5432/keycloak?currentSchema=public
KC_DB_USERNAME_FILE: /opt/bitnami/keycloak/secrets/db-user
KC_HTTP_ENABLED: "true"
KC_HTTP_MANAGEMENT_PORT: "9000"
KC_HTTP_PORT: "8080"
KC_HTTP_RELATIVE_PATH: /
KC_LOG_CONSOLE_OUTPUT: default
KC_LOG_LEVEL: INFO
KC_METRICS_ENABLED: "false"
KC_PROXY_HEADERS: xforwarded
KC_SPI_ADMIN_REALM: master
KEYCLOAK_PRODUCTION: "true"
kind: ConfigMap
metadata:
labels:
app.kubernetes.io/component: keycloak
app.kubernetes.io/instance: keycloak
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: keycloak
app.kubernetes.io/part-of: keycloak
app.kubernetes.io/version: 26.3.3
helm.sh/chart: keycloak-25.2.0
name: keycloak-env-vars
namespace: keycloak namespace: keycloak
--- ---
apiVersion: v1 apiVersion: v1
kind: Service kind: Service
metadata: metadata:
labels: labels:
app.kubernetes.io/component: keycloak app.kubernetes.io/component: headless
app.kubernetes.io/instance: keycloak app.kubernetes.io/instance: keycloak
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: keycloak app.kubernetes.io/name: keycloakx
app.kubernetes.io/part-of: keycloak app.kubernetes.io/version: 26.4.0
app.kubernetes.io/version: 26.3.3 helm.sh/chart: keycloakx-7.1.4
helm.sh/chart: keycloak-25.2.0 name: keycloak-keycloakx-headless
name: keycloak
namespace: keycloak namespace: keycloak
spec: spec:
clusterIP: None
ports: ports:
- name: http - name: http
nodePort: null
port: 80 port: 80
protocol: TCP protocol: TCP
targetPort: http targetPort: http
selector: selector:
app.kubernetes.io/component: keycloak
app.kubernetes.io/instance: keycloak app.kubernetes.io/instance: keycloak
app.kubernetes.io/name: keycloak app.kubernetes.io/name: keycloakx
app.kubernetes.io/part-of: keycloak
sessionAffinity: None
type: ClusterIP type: ClusterIP
--- ---
apiVersion: v1 apiVersion: v1
kind: Service kind: Service
metadata: metadata:
labels: labels:
app.kubernetes.io/component: keycloak app.kubernetes.io/component: http
app.kubernetes.io/instance: keycloak app.kubernetes.io/instance: keycloak
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: keycloak app.kubernetes.io/name: keycloakx
app.kubernetes.io/part-of: keycloak app.kubernetes.io/version: 26.4.0
app.kubernetes.io/version: 26.3.3 helm.sh/chart: keycloakx-7.1.4
helm.sh/chart: keycloak-25.2.0 name: keycloak-keycloakx-http
name: keycloak-headless
namespace: keycloak namespace: keycloak
spec: spec:
clusterIP: None
ports: ports:
- name: http-internal
port: 9000
protocol: TCP
targetPort: http-internal
- name: http - name: http
port: 8080 port: 80
protocol: TCP protocol: TCP
targetPort: http targetPort: http
publishNotReadyAddresses: true - name: https
port: 8443
protocol: TCP
targetPort: https
selector: selector:
app.kubernetes.io/component: keycloak
app.kubernetes.io/instance: keycloak app.kubernetes.io/instance: keycloak
app.kubernetes.io/name: keycloak app.kubernetes.io/name: keycloakx
app.kubernetes.io/part-of: keycloak
type: ClusterIP type: ClusterIP
--- ---
apiVersion: apps/v1 apiVersion: apps/v1
kind: StatefulSet kind: StatefulSet
metadata: metadata:
labels: labels:
app.kubernetes.io/component: keycloak
app.kubernetes.io/instance: keycloak app.kubernetes.io/instance: keycloak
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: keycloak app.kubernetes.io/name: keycloakx
app.kubernetes.io/part-of: keycloak app.kubernetes.io/version: 26.4.0
app.kubernetes.io/version: 26.3.3 helm.sh/chart: keycloakx-7.1.4
helm.sh/chart: keycloak-25.2.0 name: keycloak-keycloakx
name: keycloak
namespace: keycloak namespace: keycloak
spec: spec:
podManagementPolicy: Parallel podManagementPolicy: OrderedReady
replicas: 1 replicas: 1
revisionHistoryLimit: 10
selector: selector:
matchLabels: matchLabels:
app.kubernetes.io/component: keycloak
app.kubernetes.io/instance: keycloak app.kubernetes.io/instance: keycloak
app.kubernetes.io/name: keycloak app.kubernetes.io/name: keycloakx
app.kubernetes.io/part-of: keycloak serviceName: keycloak-keycloakx-headless
serviceName: keycloak-headless
template: template:
metadata: metadata:
annotations: annotations:
checksum/configmap-env-vars: 498a12f8777f12d59d6882fb3d91d07e42a62033c17e3ded6aa2ee0ddeb71b9b checksum/config-startup: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
checksum/secrets: 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
labels: labels:
app.kubernetes.io/component: keycloak
app.kubernetes.io/instance: keycloak app.kubernetes.io/instance: keycloak
app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: keycloakx
app.kubernetes.io/name: keycloak
app.kubernetes.io/part-of: keycloak
app.kubernetes.io/version: 26.3.3
helm.sh/chart: keycloak-25.2.0
spec: spec:
affinity: affinity:
nodeAffinity: null
podAffinity: null
podAntiAffinity: podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution: preferredDuringSchedulingIgnoredDuringExecution:
- podAffinityTerm: - podAffinityTerm:
labelSelector: labelSelector:
matchExpressions:
- key: app.kubernetes.io/component
operator: NotIn
values:
- test
matchLabels: matchLabels:
app.kubernetes.io/component: keycloak
app.kubernetes.io/instance: keycloak app.kubernetes.io/instance: keycloak
app.kubernetes.io/name: keycloak app.kubernetes.io/name: keycloakx
topologyKey: kubernetes.io/hostname topologyKey: topology.kubernetes.io/zone
weight: 1 weight: 100
automountServiceAccountToken: true requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchExpressions:
- key: app.kubernetes.io/component
operator: NotIn
values:
- test
matchLabels:
app.kubernetes.io/instance: keycloak
app.kubernetes.io/name: keycloakx
topologyKey: kubernetes.io/hostname
containers: containers:
- env: - env:
- name: KUBERNETES_NAMESPACE - name: KC_HTTP_RELATIVE_PATH
value: /auth
- name: KC_CACHE
value: ispn
- name: KC_CACHE_STACK
value: jdbc-ping
- name: KC_PROXY_HEADERS
value: forwarded
- name: KC_HTTP_ENABLED
value: "true"
- name: KC_DB
value: postgres
- name: KC_DB_URL_HOST
value: cnpg-keycloak-cluster-rw.keycloak.svc.cluster.local
- name: KC_DB_URL_PORT
value: "1234"
- name: KC_DB_URL_DATABASE
value: keycloak
- name: KC_DB_USERNAME
value: keycloak
- name: KC_DB_PASSWORD
valueFrom: valueFrom:
fieldRef: secretKeyRef:
apiVersion: v1 key: password
fieldPath: metadata.namespace name: cnpg-keycloak-cluster-app
envFrom: - name: KC_METRICS_ENABLED
- configMapRef: value: "true"
name: keycloak-env-vars - name: KC_HEALTH_ENABLED
image: docker.io/bitnamilegacy/keycloak:26.3.3-debian-12-r0 value: "true"
envFrom: null
image: quay.io/keycloak/keycloak:26.4.0
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
livenessProbe: livenessProbe:
failureThreshold: 3 httpGet:
initialDelaySeconds: 120 path: /auth/health/live
periodSeconds: 1 port: http-internal
successThreshold: 1 scheme: HTTP
tcpSocket: initialDelaySeconds: 0
port: http
timeoutSeconds: 5 timeoutSeconds: 5
name: keycloak name: keycloak
ports: ports:
- containerPort: 8080 - containerPort: 8080
name: http name: http
protocol: TCP protocol: TCP
- containerPort: 7800 - containerPort: 9000
name: discovery name: http-internal
protocol: TCP
- containerPort: 8443
name: https
protocol: TCP
readinessProbe: readinessProbe:
failureThreshold: 3
httpGet: httpGet:
path: /realms/master path: /auth/health/ready
port: http port: http-internal
scheme: HTTP scheme: HTTP
initialDelaySeconds: 30 initialDelaySeconds: 10
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1 timeoutSeconds: 1
resources: resources: {}
limits:
cpu: 750m
ephemeral-storage: 2Gi
memory: 768Mi
requests:
cpu: 500m
ephemeral-storage: 50Mi
memory: 512Mi
securityContext: securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 1001
runAsNonRoot: true runAsNonRoot: true
runAsUser: 1001 runAsUser: 1000
seLinuxOptions: {} startupProbe:
seccompProfile: failureThreshold: 60
type: RuntimeDefault httpGet:
volumeMounts: path: /auth/health
- mountPath: /tmp port: http-internal
name: empty-dir scheme: HTTP
subPath: tmp-dir initialDelaySeconds: 15
- mountPath: /bitnami/keycloak periodSeconds: 5
name: empty-dir timeoutSeconds: 1
subPath: app-volume-dir volumeMounts: null
- mountPath: /opt/bitnami/keycloak/conf
name: empty-dir
subPath: app-conf-dir
- mountPath: /opt/bitnami/keycloak/lib/quarkus
name: empty-dir
subPath: app-quarkus-dir
- mountPath: /opt/bitnami/keycloak/data
name: empty-dir
subPath: app-data-dir
- mountPath: /opt/bitnami/keycloak/providers
name: empty-dir
subPath: app-providers-dir
- mountPath: /opt/bitnami/keycloak/themes
name: empty-dir
subPath: app-themes-dir
- mountPath: /opt/bitnami/keycloak/secrets
name: keycloak-secrets
enableServiceLinks: true enableServiceLinks: true
initContainers: restartPolicy: Always
- args:
- -ec
- |
. /opt/bitnami/scripts/liblog.sh
info "Copying writable dirs to empty dir"
# In order to not break the application functionality we need to make some
# directories writable, so we need to copy it to an empty dir volume
cp -r --preserve=mode,timestamps /opt/bitnami/keycloak/lib/quarkus /emptydir/app-quarkus-dir
cp -r --preserve=mode,timestamps /opt/bitnami/keycloak/data /emptydir/app-data-dir
cp -r --preserve=mode,timestamps /opt/bitnami/keycloak/providers /emptydir/app-providers-dir
cp -r --preserve=mode,timestamps /opt/bitnami/keycloak/themes /emptydir/app-themes-dir
info "Copy operation completed"
command:
- /bin/bash
image: docker.io/bitnamilegacy/keycloak:26.3.3-debian-12-r0
imagePullPolicy: IfNotPresent
name: prepare-write-dirs
resources:
limits:
cpu: 150m
ephemeral-storage: 2Gi
memory: 192Mi
requests:
cpu: 100m
ephemeral-storage: 50Mi
memory: 128Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 1001
runAsNonRoot: true
runAsUser: 1001
seLinuxOptions: {}
seccompProfile:
type: RuntimeDefault
volumeMounts:
- mountPath: /emptydir
name: empty-dir
securityContext: securityContext:
fsGroup: 1001 fsGroup: 1000
fsGroupChangePolicy: Always serviceAccountName: keycloak-keycloakx
supplementalGroups: [] terminationGracePeriodSeconds: 60
sysctls: [] volumes: null
serviceAccountName: keycloak
volumes:
- emptyDir: {}
name: empty-dir
- name: keycloak-secrets
projected:
sources:
- secret:
name: keycloak
- secret:
items:
- key: password
path: db-password
- key: user
path: db-user
name: cnpg-keycloak-cluster-app
updateStrategy: updateStrategy:
type: RollingUpdate type: RollingUpdate
--- ---
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
labels:
app.kubernetes.io/component: keycloak
app.kubernetes.io/instance: keycloak
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: keycloak
app.kubernetes.io/part-of: keycloak
app.kubernetes.io/version: 26.3.3
helm.sh/chart: keycloak-25.2.0
name: keycloak
namespace: keycloak
spec:
maxUnavailable: 1
selector:
matchLabels:
app.kubernetes.io/component: keycloak
app.kubernetes.io/instance: keycloak
app.kubernetes.io/name: keycloak
app.kubernetes.io/part-of: keycloak
---
apiVersion: batch/v1 apiVersion: batch/v1
kind: Job kind: Job
metadata: metadata:
@@ -375,36 +249,6 @@ spec:
name: alpine name: alpine
restartPolicy: Never restartPolicy: Never
--- ---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
labels:
app.kubernetes.io/component: keycloak
app.kubernetes.io/instance: keycloak
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: keycloak
app.kubernetes.io/part-of: keycloak
app.kubernetes.io/version: 26.3.3
helm.sh/chart: keycloak-25.2.0
name: keycloak
namespace: keycloak
spec:
egress:
- {}
ingress:
- ports:
- port: 8080
- port: 7800
podSelector:
matchLabels:
app.kubernetes.io/component: keycloak
app.kubernetes.io/instance: keycloak
app.kubernetes.io/name: keycloak
app.kubernetes.io/part-of: keycloak
policyTypes:
- Ingress
- Egress
---
apiVersion: postgresql.cnpg.io/v1 apiVersion: postgresql.cnpg.io/v1
kind: Cluster kind: Cluster
metadata: metadata:
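Review bot: The container securityContext on the new side keeps only `runAsNonRoot: true` and `runAsUser: 1000` and loses the hardening the replaced manifest carried — `allowPrivilegeEscalation: false`, `capabilities.drop: [ALL]`, `readOnlyRootFilesystem: true`, `privileged: false` and `seccompProfile.type: RuntimeDefault`; nothing in the hunk shows the keycloakx chart adding these, so they should be set explicitly in the chart values. The same section also removes the `keycloak` NetworkPolicy (second hunk) and the PodDisruptionBudget without a replacement and sets `resources: {}`, so the pod now accepts ingress from any namespace and runs without CPU/memory limits. Separately, `KC_DB_URL_PORT` is `"1234"` while the replaced `KC_DB_URL` pointed at `cnpg-keycloak-cluster-rw:5432`; unless the CNPG service was reconfigured this looks like a placeholder that will fail the database connection at startup. If `readOnlyRootFilesystem` is restored, the quay.io image will presumably still need writable paths — the old chart mounted emptyDir subpaths for `/tmp` and the data/providers/themes directories — so add the matching `volumes`/`volumeMounts` rather than leaving them `null`.
```yaml
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
              - ALL
          privileged: false
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          runAsUser: 1000
          seccompProfile:
            type: RuntimeDefault
        # … unchanged: startupProbe …
```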


@@ -3,9 +3,9 @@ apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization kind: Kustomization
helmCharts: helmCharts:
- name: keycloak - name: keycloakx
repo: https://charts.bitnami.com/bitnami repo: https://codecentric.github.io/helm-charts
version: 25.2.0 version: 7.1.4
releaseName: keycloak releaseName: keycloak
includeCRDs: true includeCRDs: true
namespace: keycloak namespace: keycloak
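Review bot: Nothing in the kustomization records why the deployment moves from the Bitnami `keycloak` chart to codecentric `keycloakx`, and the commit title "keycloak update" reads like a version bump rather than a change of chart publisher, image registry (`quay.io/keycloak/keycloak`) and default pod hardening. A comment above the `helmCharts` entry such as `# Migrated from bitnami/keycloak 25.2.0 (image moved to bitnamilegacy) to codecentric/keycloakx; security context, resources and NetworkPolicy must be set in the values file` would tell the next maintainer what to verify when bumping the chart.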
