322 lines
8.5 KiB
YAML
322 lines
8.5 KiB
YAML
apiVersion: v1
|
|
automountServiceAccountToken: true
|
|
imagePullSecrets: []
|
|
kind: ServiceAccount
|
|
metadata:
|
|
labels:
|
|
app.kubernetes.io/instance: keycloak
|
|
app.kubernetes.io/managed-by: Helm
|
|
app.kubernetes.io/name: keycloakx
|
|
app.kubernetes.io/version: 26.4.0
|
|
helm.sh/chart: keycloakx-7.1.4
|
|
name: keycloak-keycloakx
|
|
namespace: keycloak
|
|
---
|
|
apiVersion: v1
|
|
kind: Service
|
|
metadata:
|
|
labels:
|
|
app.kubernetes.io/component: headless
|
|
app.kubernetes.io/instance: keycloak
|
|
app.kubernetes.io/managed-by: Helm
|
|
app.kubernetes.io/name: keycloakx
|
|
app.kubernetes.io/version: 26.4.0
|
|
helm.sh/chart: keycloakx-7.1.4
|
|
name: keycloak-keycloakx-headless
|
|
namespace: keycloak
|
|
spec:
|
|
clusterIP: None
|
|
ports:
|
|
- name: http
|
|
port: 80
|
|
protocol: TCP
|
|
targetPort: http
|
|
selector:
|
|
app.kubernetes.io/instance: keycloak
|
|
app.kubernetes.io/name: keycloakx
|
|
type: ClusterIP
|
|
---
|
|
apiVersion: v1
|
|
kind: Service
|
|
metadata:
|
|
labels:
|
|
app.kubernetes.io/component: http
|
|
app.kubernetes.io/instance: keycloak
|
|
app.kubernetes.io/managed-by: Helm
|
|
app.kubernetes.io/name: keycloakx
|
|
app.kubernetes.io/version: 26.4.0
|
|
helm.sh/chart: keycloakx-7.1.4
|
|
name: keycloak-keycloakx-http
|
|
namespace: keycloak
|
|
spec:
|
|
ports:
|
|
- name: http-internal
|
|
port: 9000
|
|
protocol: TCP
|
|
targetPort: http-internal
|
|
- name: http
|
|
port: 80
|
|
protocol: TCP
|
|
targetPort: http
|
|
- name: https
|
|
port: 8443
|
|
protocol: TCP
|
|
targetPort: https
|
|
selector:
|
|
app.kubernetes.io/instance: keycloak
|
|
app.kubernetes.io/name: keycloakx
|
|
type: ClusterIP
|
|
---
|
|
apiVersion: apps/v1
|
|
kind: StatefulSet
|
|
metadata:
|
|
labels:
|
|
app.kubernetes.io/instance: keycloak
|
|
app.kubernetes.io/managed-by: Helm
|
|
app.kubernetes.io/name: keycloakx
|
|
app.kubernetes.io/version: 26.4.0
|
|
helm.sh/chart: keycloakx-7.1.4
|
|
name: keycloak-keycloakx
|
|
namespace: keycloak
|
|
spec:
|
|
podManagementPolicy: OrderedReady
|
|
replicas: 1
|
|
selector:
|
|
matchLabels:
|
|
app.kubernetes.io/instance: keycloak
|
|
app.kubernetes.io/name: keycloakx
|
|
serviceName: keycloak-keycloakx-headless
|
|
template:
|
|
metadata:
|
|
annotations:
|
|
checksum/config-startup: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
|
|
checksum/secrets: 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
|
|
labels:
|
|
app.kubernetes.io/instance: keycloak
|
|
app.kubernetes.io/name: keycloakx
|
|
spec:
|
|
affinity:
|
|
podAntiAffinity:
|
|
preferredDuringSchedulingIgnoredDuringExecution:
|
|
- podAffinityTerm:
|
|
labelSelector:
|
|
matchExpressions:
|
|
- key: app.kubernetes.io/component
|
|
operator: NotIn
|
|
values:
|
|
- test
|
|
matchLabels:
|
|
app.kubernetes.io/instance: keycloak
|
|
app.kubernetes.io/name: keycloakx
|
|
topologyKey: topology.kubernetes.io/zone
|
|
weight: 100
|
|
requiredDuringSchedulingIgnoredDuringExecution:
|
|
- labelSelector:
|
|
matchExpressions:
|
|
- key: app.kubernetes.io/component
|
|
operator: NotIn
|
|
values:
|
|
- test
|
|
matchLabels:
|
|
app.kubernetes.io/instance: keycloak
|
|
app.kubernetes.io/name: keycloakx
|
|
topologyKey: kubernetes.io/hostname
|
|
containers:
|
|
- command:
|
|
- /opt/keycloak/bin/kc.sh
|
|
- start
|
|
- --http-port=8080
|
|
- --hostname=https://iam.borninpain.de
|
|
env:
|
|
- name: KC_HTTP_RELATIVE_PATH
|
|
value: /
|
|
- name: KC_CACHE
|
|
value: ispn
|
|
- name: KC_CACHE_STACK
|
|
value: jdbc-ping
|
|
- name: KC_PROXY_HEADERS
|
|
value: xforwarded
|
|
- name: KC_HTTP_ENABLED
|
|
value: "true"
|
|
- name: KC_DB
|
|
value: postgres
|
|
- name: KC_DB_URL_HOST
|
|
value: cnpg-keycloak-cluster-rw.keycloak.svc.cluster.local
|
|
- name: KC_DB_URL_PORT
|
|
value: "5432"
|
|
- name: KC_DB_URL_DATABASE
|
|
value: keycloak
|
|
- name: KC_DB_USERNAME
|
|
value: keycloak
|
|
- name: KC_DB_PASSWORD
|
|
valueFrom:
|
|
secretKeyRef:
|
|
key: password
|
|
name: cnpg-keycloak-cluster-app
|
|
- name: KC_METRICS_ENABLED
|
|
value: "true"
|
|
- name: KC_HEALTH_ENABLED
|
|
value: "true"
|
|
envFrom: null
|
|
image: quay.io/keycloak/keycloak:26.4.0
|
|
imagePullPolicy: IfNotPresent
|
|
livenessProbe:
|
|
httpGet:
|
|
path: /health/live
|
|
port: http-internal
|
|
scheme: HTTP
|
|
initialDelaySeconds: 0
|
|
timeoutSeconds: 5
|
|
name: keycloak
|
|
ports:
|
|
- containerPort: 8080
|
|
name: http
|
|
protocol: TCP
|
|
- containerPort: 9000
|
|
name: http-internal
|
|
protocol: TCP
|
|
- containerPort: 8443
|
|
name: https
|
|
protocol: TCP
|
|
readinessProbe:
|
|
httpGet:
|
|
path: /health/ready
|
|
port: http-internal
|
|
scheme: HTTP
|
|
initialDelaySeconds: 10
|
|
timeoutSeconds: 1
|
|
resources: {}
|
|
securityContext:
|
|
runAsNonRoot: true
|
|
runAsUser: 1000
|
|
startupProbe:
|
|
failureThreshold: 60
|
|
httpGet:
|
|
path: /health
|
|
port: http-internal
|
|
scheme: HTTP
|
|
initialDelaySeconds: 15
|
|
periodSeconds: 5
|
|
timeoutSeconds: 1
|
|
volumeMounts: null
|
|
enableServiceLinks: true
|
|
initContainers:
|
|
- command:
|
|
- sh
|
|
- -c
|
|
- |
|
|
echo 'Waiting for Database to become ready...'
|
|
|
|
until printf "." && nc -z -w 2 cnpg-keycloak-cluster-rw.keycloak.svc.cluster.local 5432; do
|
|
sleep 2;
|
|
done;
|
|
|
|
echo 'Database OK ✓'
|
|
image: docker.io/busybox:1.32
|
|
imagePullPolicy: IfNotPresent
|
|
name: dbchecker
|
|
resources:
|
|
limits:
|
|
cpu: 20m
|
|
memory: 32Mi
|
|
requests:
|
|
cpu: 20m
|
|
memory: 32Mi
|
|
securityContext:
|
|
allowPrivilegeEscalation: false
|
|
runAsGroup: 1000
|
|
runAsNonRoot: true
|
|
runAsUser: 1000
|
|
restartPolicy: Always
|
|
securityContext:
|
|
fsGroup: 1000
|
|
serviceAccountName: keycloak-keycloakx
|
|
terminationGracePeriodSeconds: 60
|
|
volumes: null
|
|
updateStrategy:
|
|
type: RollingUpdate
|
|
---
|
|
apiVersion: batch/v1
|
|
kind: Job
|
|
metadata:
|
|
annotations:
|
|
helm.sh/hook: test
|
|
helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
|
|
labels:
|
|
app.kubernetes.io/component: database-ping-test
|
|
name: cnpg-keycloak-cluster-ping-test
|
|
namespace: keycloak
|
|
spec:
|
|
template:
|
|
metadata:
|
|
labels:
|
|
app.kubernetes.io/component: database-ping-test
|
|
name: cnpg-keycloak-cluster-ping-test
|
|
spec:
|
|
containers:
|
|
- args:
|
|
- -c
|
|
- apk add postgresql-client && psql "postgresql://$PGUSER:$PGPASS@cnpg-keycloak-cluster-rw.keycloak.svc.cluster.local:5432/${PGDBNAME:-$PGUSER}"
|
|
-c 'SELECT 1'
|
|
command:
|
|
- sh
|
|
env:
|
|
- name: PGUSER
|
|
valueFrom:
|
|
secretKeyRef:
|
|
key: username
|
|
name: cnpg-keycloak-cluster-app
|
|
- name: PGPASS
|
|
valueFrom:
|
|
secretKeyRef:
|
|
key: password
|
|
name: cnpg-keycloak-cluster-app
|
|
- name: PGDBNAME
|
|
valueFrom:
|
|
secretKeyRef:
|
|
key: dbname
|
|
name: cnpg-keycloak-cluster-app
|
|
optional: true
|
|
image: alpine:3.17
|
|
name: alpine
|
|
restartPolicy: Never
|
|
---
|
|
apiVersion: postgresql.cnpg.io/v1
|
|
kind: Cluster
|
|
metadata:
|
|
labels:
|
|
app.kubernetes.io/instance: cnpg-keycloak
|
|
app.kubernetes.io/managed-by: Helm
|
|
app.kubernetes.io/name: cluster
|
|
app.kubernetes.io/part-of: cloudnative-pg
|
|
helm.sh/chart: cluster-0.3.1
|
|
name: cnpg-keycloak-cluster
|
|
namespace: keycloak
|
|
spec:
|
|
affinity:
|
|
topologyKey: kubernetes.io/hostname
|
|
bootstrap:
|
|
initdb:
|
|
database: keycloak
|
|
owner: keycloak
|
|
enablePDB: true
|
|
enableSuperuserAccess: true
|
|
imageName: ghcr.io/cloudnative-pg/postgresql:17
|
|
imagePullPolicy: IfNotPresent
|
|
instances: 3
|
|
logLevel: info
|
|
monitoring:
|
|
disableDefaultQueries: false
|
|
enablePodMonitor: false
|
|
postgresGID: 26
|
|
postgresUID: 26
|
|
postgresql: null
|
|
primaryUpdateMethod: switchover
|
|
primaryUpdateStrategy: unsupervised
|
|
storage:
|
|
size: 10Gi
|
|
storageClass: openebs-hostpath
|
|
walStorage:
|
|
size: 1Gi
|
|
storageClass: openebs-hostpath
|