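---
# Keycloak 26.3.3 (Bitnami chart keycloak-25.2.0) backed by a CloudNativePG
# cluster (chart cluster-0.3.1), rendered as plain manifests. Reviewer notes
# are inline; the only behavioural changes versus the rendered output are the
# database ping Job (password moved out of argv) and the NetworkPolicy rule
# for the JGroups port 7800.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: keycloak
  namespace: keycloak
  labels:
    app.kubernetes.io/component: keycloak
    app.kubernetes.io/instance: keycloak
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: keycloak
    app.kubernetes.io/part-of: keycloak
    app.kubernetes.io/version: "26.3.3"
    helm.sh/chart: keycloak-25.2.0
# NOTE(review): nothing in these manifests talks to the Kubernetes API
# (cluster discovery is KC_CACHE_STACK=jdbc-ping, i.e. via the database), so
# the mounted token looks unused; consider false here and on the pod spec.
automountServiceAccountToken: true

---
# Non-secret Keycloak runtime settings. Credentials are read from files under
# /opt/bitnami/keycloak/secrets, which the StatefulSet projects from Secrets.
# The data below is unchanged so the checksum annotation on the pod template
# stays valid.
apiVersion: v1
kind: ConfigMap
metadata:
  name: keycloak-env-vars
  namespace: keycloak
  labels:
    app.kubernetes.io/component: keycloak
    app.kubernetes.io/instance: keycloak
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: keycloak
    app.kubernetes.io/part-of: keycloak
    app.kubernetes.io/version: "26.3.3"
    helm.sh/chart: keycloak-25.2.0
data:
  BITNAMI_DEBUG: "false"
  JAVA_OPTS_APPEND: "-Djgroups.dns.query=keycloak-headless.keycloak.svc.cluster.local"
  KC_BOOTSTRAP_ADMIN_PASSWORD_FILE: /opt/bitnami/keycloak/secrets/admin-password
  # Bootstrap (first-start) admin account; replace it with a permanent admin
  # after initial login rather than keeping the chart-default name.
  KC_BOOTSTRAP_ADMIN_USERNAME: user
  KC_CACHE: ispn
  KC_CACHE_CONFIG_FILE: cache-ispn.xml
  KC_CACHE_STACK: jdbc-ping
  KC_DB_PASSWORD_FILE: /opt/bitnami/keycloak/secrets/db-password
  KC_DB_SCHEMA: public
  KC_DB_URL: "jdbc:postgresql://cnpg-keycloak-cluster-rw:5432/keycloak?currentSchema=public"
  KC_DB_USERNAME_FILE: /opt/bitnami/keycloak/secrets/db-user
  KC_HTTP_ENABLED: "true"
  KC_HTTP_MANAGEMENT_PORT: "9000"
  KC_HTTP_PORT: "8080"
  KC_HTTP_RELATIVE_PATH: "/"
  KC_LOG_CONSOLE_OUTPUT: default
  KC_LOG_LEVEL: INFO
  KC_METRICS_ENABLED: "false"
  # Plain HTTP behind a TLS-terminating proxy. Keycloak will honour
  # X-Forwarded-* from any client that reaches port 8080, so the NetworkPolicy
  # below should be narrowed to the ingress controller (or the trusted proxy
  # range declared via KC_PROXY_TRUSTED_ADDRESSES) before exposing this.
  KC_PROXY_HEADERS: xforwarded
  KC_SPI_ADMIN_REALM: master
  KEYCLOAK_PRODUCTION: "true"

---
# ClusterIP Service fronting the Keycloak pods (port 80 -> container "http").
apiVersion: v1
kind: Service
metadata:
  name: keycloak
  namespace: keycloak
  labels:
    app.kubernetes.io/component: keycloak
    app.kubernetes.io/instance: keycloak
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: keycloak
    app.kubernetes.io/part-of: keycloak
    app.kubernetes.io/version: "26.3.3"
    helm.sh/chart: keycloak-25.2.0
spec:
  type: ClusterIP
  sessionAffinity: None
  selector:
    app.kubernetes.io/component: keycloak
    app.kubernetes.io/instance: keycloak
    app.kubernetes.io/name: keycloak
    app.kubernetes.io/part-of: keycloak
  ports:
    - name: http
      port: 80
      targetPort: http
      protocol: TCP
      nodePort: null

---
# Headless Service used as the StatefulSet's serviceName and as the DNS query
# target in JAVA_OPTS_APPEND; publishNotReadyAddresses lets replicas discover
# each other before they pass readiness.
apiVersion: v1
kind: Service
metadata:
  name: keycloak-headless
  namespace: keycloak
  labels:
    app.kubernetes.io/component: keycloak
    app.kubernetes.io/instance: keycloak
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: keycloak
    app.kubernetes.io/part-of: keycloak
    app.kubernetes.io/version: "26.3.3"
    helm.sh/chart: keycloak-25.2.0
spec:
  type: ClusterIP
  clusterIP: None
  publishNotReadyAddresses: true
  selector:
    app.kubernetes.io/component: keycloak
    app.kubernetes.io/instance: keycloak
    app.kubernetes.io/name: keycloak
    app.kubernetes.io/part-of: keycloak
  ports:
    - name: http
      port: 8080
      targetPort: http
      protocol: TCP

---
# Keycloak server. Runs non-root with a read-only root filesystem; the init
# container copies the directories Keycloak needs to write into an emptyDir.
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: keycloak
  namespace: keycloak
  labels:
    app.kubernetes.io/component: keycloak
    app.kubernetes.io/instance: keycloak
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: keycloak
    app.kubernetes.io/part-of: keycloak
    app.kubernetes.io/version: "26.3.3"
    helm.sh/chart: keycloak-25.2.0
spec:
  replicas: 1
  podManagementPolicy: Parallel
  revisionHistoryLimit: 10
  serviceName: keycloak-headless
  updateStrategy:
    type: RollingUpdate
  selector:
    matchLabels:
      app.kubernetes.io/component: keycloak
      app.kubernetes.io/instance: keycloak
      app.kubernetes.io/name: keycloak
      app.kubernetes.io/part-of: keycloak
  template:
    metadata:
      annotations:
        # Hash of the keycloak-env-vars ConfigMap; forces a rollout when the
        # config changes. Must be regenerated if the ConfigMap data is edited.
        checksum/configmap-env-vars: 498a12f8777f12d59d6882fb3d91d07e42a62033c17e3ded6aa2ee0ddeb71b9b
      labels:
        app.kubernetes.io/component: keycloak
        app.kubernetes.io/instance: keycloak
        app.kubernetes.io/managed-by: Helm
        app.kubernetes.io/name: keycloak
        app.kubernetes.io/part-of: keycloak
        app.kubernetes.io/version: "26.3.3"
        helm.sh/chart: keycloak-25.2.0
    spec:
      serviceAccountName: keycloak
      # See the ServiceAccount note: the token appears unused with jdbc-ping.
      automountServiceAccountToken: true
      enableServiceLinks: true
      affinity:
        nodeAffinity: null
        podAffinity: null
        # Soft spread across nodes; only matters once replicas > 1.
        podAntiAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
            - weight: 1
              podAffinityTerm:
                topologyKey: kubernetes.io/hostname
                labelSelector:
                  matchLabels:
                    app.kubernetes.io/component: keycloak
                    app.kubernetes.io/instance: keycloak
                    app.kubernetes.io/name: keycloak
      securityContext:
        fsGroup: 1001
        fsGroupChangePolicy: Always
        supplementalGroups: []
        sysctls: []
      initContainers:
        # Copies the image's writable Keycloak directories into the emptyDir
        # so the main container can keep readOnlyRootFilesystem: true.
        - name: prepare-write-dirs
          # NOTE(review): the bitnamilegacy repository is a frozen catalogue
          # that no longer receives patch releases; plan a migration or pin by
          # digest and track CVEs for this tag yourself.
          image: docker.io/bitnamilegacy/keycloak:26.3.3-debian-12-r0
          imagePullPolicy: IfNotPresent
          command:
            - /bin/bash
          args:
            - -ec
            - |
              . /opt/bitnami/scripts/liblog.sh
              info "Copying writable dirs to empty dir"
              # In order to not break the application functionality we need to make some
              # directories writable, so we need to copy it to an empty dir volume
              cp -r --preserve=mode,timestamps /opt/bitnami/keycloak/lib/quarkus /emptydir/app-quarkus-dir
              cp -r --preserve=mode,timestamps /opt/bitnami/keycloak/data /emptydir/app-data-dir
              cp -r --preserve=mode,timestamps /opt/bitnami/keycloak/providers /emptydir/app-providers-dir
              cp -r --preserve=mode,timestamps /opt/bitnami/keycloak/themes /emptydir/app-themes-dir
              info "Copy operation completed"
          resources:
            requests:
              cpu: 100m
              ephemeral-storage: 50Mi
              memory: 128Mi
            limits:
              cpu: 150m
              ephemeral-storage: 2Gi
              memory: 192Mi
          securityContext:
            allowPrivilegeEscalation: false
            privileged: false
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            runAsUser: 1001
            runAsGroup: 1001
            capabilities:
              drop:
                - ALL
            seLinuxOptions: {}
            seccompProfile:
              type: RuntimeDefault
          volumeMounts:
            - name: empty-dir
              mountPath: /emptydir
      containers:
        - name: keycloak
          image: docker.io/bitnamilegacy/keycloak:26.3.3-debian-12-r0
          imagePullPolicy: IfNotPresent
          env:
            - name: KUBERNETES_NAMESPACE
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.namespace
          envFrom:
            - configMapRef:
                name: keycloak-env-vars
          ports:
            - name: http
              containerPort: 8080
              protocol: TCP
            # JGroups transport; only other Keycloak replicas should reach it.
            - name: discovery
              containerPort: 7800
          livenessProbe:
            tcpSocket:
              port: http
            initialDelaySeconds: 120
            periodSeconds: 1
            timeoutSeconds: 5
            successThreshold: 1
            failureThreshold: 3
          readinessProbe:
            httpGet:
              path: /realms/master
              port: http
              scheme: HTTP
            initialDelaySeconds: 30
            periodSeconds: 10
            timeoutSeconds: 1
            successThreshold: 1
            failureThreshold: 3
          resources:
            requests:
              cpu: 500m
              ephemeral-storage: 50Mi
              memory: 512Mi
            limits:
              cpu: 750m
              ephemeral-storage: 2Gi
              memory: 768Mi
          securityContext:
            allowPrivilegeEscalation: false
            privileged: false
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            runAsUser: 1001
            runAsGroup: 1001
            capabilities:
              drop:
                - ALL
            seLinuxOptions: {}
            seccompProfile:
              type: RuntimeDefault
          volumeMounts:
            - name: empty-dir
              mountPath: /tmp
              subPath: tmp-dir
            - name: empty-dir
              mountPath: /bitnami/keycloak
              subPath: app-volume-dir
            - name: empty-dir
              mountPath: /opt/bitnami/keycloak/conf
              subPath: app-conf-dir
            - name: empty-dir
              mountPath: /opt/bitnami/keycloak/lib/quarkus
              subPath: app-quarkus-dir
            - name: empty-dir
              mountPath: /opt/bitnami/keycloak/data
              subPath: app-data-dir
            - name: empty-dir
              mountPath: /opt/bitnami/keycloak/providers
              subPath: app-providers-dir
            - name: empty-dir
              mountPath: /opt/bitnami/keycloak/themes
              subPath: app-themes-dir
            # Credential files referenced by KC_*_FILE in the ConfigMap.
            - name: keycloak-secrets
              mountPath: /opt/bitnami/keycloak/secrets
      volumes:
        - name: empty-dir
          emptyDir: {}
        - name: keycloak-secrets
          projected:
            sources:
              # Whole "keycloak" Secret is projected; presumably it holds
              # admin-password — confirm it carries nothing else.
              - secret:
                  name: keycloak
              - secret:
                  name: cnpg-keycloak-cluster-app
                  items:
                    - key: password
                      path: db-password
                    - key: user
                      path: db-user

---
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: keycloak
  namespace: keycloak
  labels:
    app.kubernetes.io/component: keycloak
    app.kubernetes.io/instance: keycloak
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: keycloak
    app.kubernetes.io/part-of: keycloak
    app.kubernetes.io/version: "26.3.3"
    helm.sh/chart: keycloak-25.2.0
spec:
  maxUnavailable: 1
  selector:
    matchLabels:
      app.kubernetes.io/component: keycloak
      app.kubernetes.io/instance: keycloak
      app.kubernetes.io/name: keycloak
      app.kubernetes.io/part-of: keycloak

---
# Helm test hook: verifies the application role can connect to the primary.
# The rendered chart built a postgresql:// URL with $PGPASS interpolated on
# the psql command line, which exposes the password in process listings and
# breaks on URL-reserved characters. psql reads PGUSER/PGPASSWORD from the
# environment, so the password is passed that way instead.
apiVersion: batch/v1
kind: Job
metadata:
  name: cnpg-keycloak-cluster-ping-test
  namespace: keycloak
  annotations:
    helm.sh/hook: test
    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
  labels:
    app.kubernetes.io/component: database-ping-test
spec:
  template:
    metadata:
      name: cnpg-keycloak-cluster-ping-test
      labels:
        app.kubernetes.io/component: database-ping-test
    spec:
      restartPolicy: Never
      containers:
        - name: alpine
          # NOTE(review): alpine 3.17 is past end of life; move to a supported
          # release (or a fixed-digest postgres client image) when convenient.
          image: alpine:3.17
          command:
            - sh
          args:
            - -ec
            - |
              apk add --no-cache postgresql-client
              psql \
                -h cnpg-keycloak-cluster-rw.keycloak.svc.cluster.local \
                -p 5432 \
                -U "$PGUSER" \
                -d "${PGDBNAME:-$PGUSER}" \
                -c 'SELECT 1'
          env:
            - name: PGUSER
              valueFrom:
                secretKeyRef:
                  name: cnpg-keycloak-cluster-app
                  key: username
            - name: PGPASSWORD
              valueFrom:
                secretKeyRef:
                  name: cnpg-keycloak-cluster-app
                  key: password
            # dbname is optional in the CNPG app secret; falls back to $PGUSER.
            - name: PGDBNAME
              valueFrom:
                secretKeyRef:
                  name: cnpg-keycloak-cluster-app
                  key: dbname
                  optional: true

---
# Restricts traffic to the Keycloak pods. HTTP (8080) stays open to any
# source because the ingress controller's namespace/labels are not known here;
# the JGroups port (7800) is limited to the Keycloak pods themselves, which
# are the only legitimate peers.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: keycloak
  namespace: keycloak
  labels:
    app.kubernetes.io/component: keycloak
    app.kubernetes.io/instance: keycloak
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: keycloak
    app.kubernetes.io/part-of: keycloak
    app.kubernetes.io/version: "26.3.3"
    helm.sh/chart: keycloak-25.2.0
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/component: keycloak
      app.kubernetes.io/instance: keycloak
      app.kubernetes.io/name: keycloak
      app.kubernetes.io/part-of: keycloak
  policyTypes:
    - Ingress
    - Egress
  ingress:
    # Narrow this with a `from:` selecting the ingress controller once its
    # placement is known; see KC_PROXY_HEADERS in the ConfigMap.
    - ports:
        - port: 8080
    - from:
        - podSelector:
            matchLabels:
              app.kubernetes.io/component: keycloak
              app.kubernetes.io/instance: keycloak
              app.kubernetes.io/name: keycloak
              app.kubernetes.io/part-of: keycloak
      ports:
        - port: 7800
  egress:
    - {}

---
# Three-instance PostgreSQL 17 cluster for Keycloak; the "keycloak" database
# and its owner role are created at bootstrap and surfaced through the
# cnpg-keycloak-cluster-app Secret consumed above.
apiVersion: postgresql.cnpg.io/v1
kind: Cluster
metadata:
  name: cnpg-keycloak-cluster
  namespace: keycloak
  labels:
    app.kubernetes.io/instance: cnpg-keycloak
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: cluster
    app.kubernetes.io/part-of: cloudnative-pg
    helm.sh/chart: cluster-0.3.1
spec:
  instances: 3
  imageName: ghcr.io/cloudnative-pg/postgresql:17
  imagePullPolicy: IfNotPresent
  logLevel: info
  enablePDB: true
  # NOTE(review): nothing here uses the superuser credentials (Keycloak and the
  # test Job both use the app role); consider false to avoid minting an
  # unneeded superuser Secret.
  enableSuperuserAccess: true
  postgresUID: 26
  postgresGID: 26
  postgresql: null
  primaryUpdateMethod: switchover
  primaryUpdateStrategy: unsupervised
  affinity:
    topologyKey: kubernetes.io/hostname
  bootstrap:
    initdb:
      database: keycloak
      owner: keycloak
  monitoring:
    disableDefaultQueries: false
    enablePodMonitor: false
  # openebs-hostpath is node-local storage; data durability relies on the
  # three replicas being spread by the affinity above.
  storage:
    size: 10Gi
    storageClass: openebs-hostpath
  walStorage:
    size: 1Gi
    storageClass: openebs-hostpath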