Created February 12, 2021 22:27
Keycloak custom helm config
hostAliases: []
commonLabels: {}
commonAnnotations: {}
clusterDomain: cluster.local
extraDeploy: []
image:
  registry: docker.io
  repository: illumidesk/keycloak
  tag: latest
  ## Specify an imagePullPolicy
  ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
  ## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images
  ##
  pullPolicy: IfNotPresent
  ## Optionally specify an array of imagePullSecrets.
  ## Secrets must be manually created in the namespace.
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
  ## Example:
  ## pullSecrets:
  ##   - myRegistryKeySecretName
  ##
  pullSecrets: []
  ## Set to true if you would like to see extra information on logs
  ##
  debug: true
## Keycloak authentication parameters
## ref: https://github.com/bitnami/bitnami-docker-keycloak#admin-credentials
##
auth:
  ## Create administrator user on boot.
  ##
  createAdminUser: true
  ## Keycloak administrator user and password
  ##
  adminUser: admin
  adminPassword: admin
  ## Wildfly management user and password
  ##
  managementUser: manager
  managementPassword: manager
  ## An already existing secret containing auth info
  ##
  # existingSecret:
  #   name: mySecret
  #   keyMapping:
  #     admin-password: myPasswordKey
  #     management-password: myManagementPasswordKey
  #     database-password: myDatabasePasswordKey
  #     tls-keystore-password: myTlsKeystorePasswordKey
  #     tls-truestore-password: myTlsTruestorePasswordKey
  ## TLS encryption parameters
  ## ref: https://github.com/bitnami/bitnami-docker-keycloak#tls-encryption
  ##
  tls:
    enabled: false
    ## Name of the existing secret containing the truststore and one keystore per Keycloak replica
    ## Create this secret following the steps below:
    ## 1) Generate your truststore and keystore files (more info at https://github.com/keycloak/keycloak-documentation/blob/master/openshift/topics/advanced_concepts.adoc#creating-https-and-jgroups-keystores-and-truststore-for-the-project_name-server)
    ## 2) Rename your truststore to `keycloak.truststore.jks`.
    ## 3) Rename your keystores to `keycloak-X.keystore.jks` where X is the ID of each Keycloak replica
    ## 4) Run the command below where SECRET_NAME is the name of the secret you want to create:
    ##      kubectl create secret generic SECRET_NAME --from-file=./keycloak.truststore.jks --from-file=./keycloak-0.keystore.jks --from-file=./keycloak-1.keystore.jks ...
    ##
    # jksSecret:
    ## Password to access the keystore when it's password-protected.
    ##
    keystorePassword: ""
    ## Password to access the truststore when it's password-protected.
    ##
    truststorePassword: ""
    ## Init container parameters:
    ##
    image:
      registry: docker.io
      repository: bitnami/minideb
      tag: buster
      pullPolicy: Always
      ## Optionally specify an array of imagePullSecrets.
      ## Secrets must be manually created in the namespace.
      ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
      ##
      pullSecrets: []
      ##   - myRegistryKeySecretName
    ## Init containers' resource requests and limits
    ## ref: http://kubernetes.io/docs/user-guide/compute-resources/
    ##
    resources:
      ## We usually recommend not to specify default resources and to leave this as a conscious
      ## choice for the user. This also increases chances charts run on environments with little
      ## resources, such as Minikube. If you do want to specify resources, uncomment the following
      ## lines, adjust them as necessary, and remove the curly braces after 'resources:'.
      ##
      limits: {}
      ##   cpu: 100m
      ##   memory: 128Mi
      ##
      requests: {}
      ##   cpu: 100m
      ##   memory: 128Mi
      ##
## Enable Proxy Address Forwarding
## ref: https://www.keycloak.org/docs/latest/server_installation/#_setting-up-a-load-balancer-or-proxy
##
proxyAddressForwarding: true
## Keycloak Service Discovery settings
## ref: https://github.com/bitnami/bitnami-docker-keycloak#cluster-configuration
##
serviceDiscovery:
  enabled: false
  ## Sets the protocol that Keycloak nodes would use to discover new peers
  ## Available protocols can be found at http://www.jgroups.org/javadoc3/org/jgroups/protocols/
  ##
  protocol: kubernetes.KUBE_PING
  ## Properties for the discovery protocol set in the serviceDiscovery.protocol parameter
  ## List of key=>value pairs
  ## Example:
  ## properties:
  ##   - datasource_jndi_name=>"java:jboss/datasources/KeycloakDS"
  ##   - initialize_sql=>"CREATE TABLE IF NOT EXISTS JGROUPSPING ( own_addr varchar(200) NOT NULL, cluster_name varchar(200) NOT NULL, created timestamp default current_timestamp, ping_data BYTEA, constraint PK_JGROUPSPING PRIMARY KEY (own_addr, cluster_name))"
  ##
  properties: []
  ## Transport stack for the discovery protocol set in the serviceDiscovery.protocol parameter
  ##
  transportStack: tcp
## Keycloak cache settings
## ref: https://github.com/bitnami/bitnami-docker-keycloak#cluster-configuration
##
cache:
  ## Number of nodes that will replicate cached data
  ##
  ownersCount: 1
  ## Number of nodes that will replicate cached authentication data
  ##
  authOwnersCount: 1
## Keycloak Configuration
## Specify content for standalone-ha.xml
## NOTE: This will override configuring Keycloak based on environment variables (including those set by the chart)
## The standalone-ha.xml is auto-generated based on other parameters when this parameter is not specified
##
## Example:
## configuration: |-
##    foo: bar
##    baz:
##
# configuration:
## Existing ConfigMap with Keycloak Configuration
## NOTE: When it's set, the configuration parameter is ignored
##
# existingConfigmap:
## Add extra args to the default startup command
##
extraStartupArgs:
## initdb scripts
## Specify a dictionary of scripts to be run at first boot
## ref: https://github.com/bitnami/bitnami-docker-keycloak#initializing-a-new-instance
## Example:
## initdbScripts:
##   my_init_script.sh: |
##      #!/bin/bash
##      echo "Do something."
##
initdbScripts: {}
## Existing ConfigMap with custom init scripts
##
# initdbScriptsConfigMap:
## Command and args for running the container (set to default if not set). Use array form
##
command: []
args: []
## An array to add extra env vars
## Example:
## extraEnvVars:
##   - name: FOO
##     value: "bar"
##
extraEnvVars:
  - name: PROXY_ADDRESS_FORWARDING
    value: "true"
  - name: KEYCLOAK_FRONTEND_URL
    value: "https://kc-greg.illumidesk.com"
## ConfigMap with extra environment variables
##
extraEnvVarsCM:
## Secret with extra environment variables
##
extraEnvVarsSecret:
## Number of Keycloak replicas to deploy
##
replicaCount: 1
## Keycloak container ports to open
##
containerPorts:
  http: 8080
  https: 8443
## Keycloak pods' SecurityContext
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
##
podSecurityContext:
  enabled: true
  fsGroup: 1001
## Keycloak containers' SecurityContext
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
##
containerSecurityContext:
  enabled: true
  runAsUser: 1001
  runAsNonRoot: true
## Keycloak resource requests and limits
## ref: http://kubernetes.io/docs/user-guide/compute-resources/
##
resources:
  # We usually recommend not to specify default resources and to leave this as a conscious
  # choice for the user. This also increases chances charts run on environments with little
  # resources, such as Minikube. If you do want to specify resources, uncomment the following
  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
  limits: {}
  #   cpu: 200m
  #   memory: 256Mi
  requests: {}
  #   cpu: 200m
  #   memory: 10Mi
## Keycloak containers' liveness and readiness probes.
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes
##
livenessProbe:
  enabled: true
  httpGet:
    path: /auth/
    port: http
  initialDelaySeconds: 300
  periodSeconds: 1
  timeoutSeconds: 5
  failureThreshold: 3
  successThreshold: 1
readinessProbe:
  enabled: true
  httpGet:
    path: /auth/realms/master
    port: http
  initialDelaySeconds: 30
  periodSeconds: 10
  timeoutSeconds: 1
  failureThreshold: 3
  successThreshold: 1
## Custom liveness probes for Keycloak
##
customLivenessProbe: {}
## Custom readiness probes for Keycloak
##
customReadinessProbe: {}
## Strategy to use to update Pods
##
updateStrategy:
  ## StrategyType
  ## Can be set to RollingUpdate or OnDelete
  ##
  type: RollingUpdate
## Pod affinity preset
## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
## Allowed values: soft, hard
##
podAffinityPreset: ""
## Pod anti-affinity preset
## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
## Allowed values: soft, hard
##
podAntiAffinityPreset: soft
## Node affinity preset
## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity
## Allowed values: soft, hard
##
nodeAffinityPreset:
  ## Node affinity type
  ## Allowed values: soft, hard
  ##
  type: ""
  ## Node label key to match
  ## E.g.
  ## key: "kubernetes.io/e2e-az-name"
  ##
  key: ""
  ## Node label values to match
  ## E.g.
  ## values:
  ##   - e2e-az1
  ##   - e2e-az2
  ##
  values: []
## Affinity for pod assignment. Evaluated as a template.
## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
##
affinity: {}
## Node labels for pod assignment. Evaluated as a template.
## ref: https://kubernetes.io/docs/user-guide/node-selection/
##
nodeSelector: {}
## Tolerations for pod assignment. Evaluated as a template.
## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
##
tolerations: []
## Pod extra labels
## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
##
podLabels: {}
## Annotations for server pods.
## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
##
podAnnotations: {}
## Keycloak pods' priority.
## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/
##
# priorityClassName: ""
## lifecycleHooks for the Keycloak container to automate configuration before or after startup.
##
lifecycleHooks: {}
## Extra volumes to add to the deployment
##
extraVolumes: []
## Extra volume mounts to add to the container
##
extraVolumeMounts: []
## Add init containers to the Keycloak pods.
## Example:
## initContainers:
##   - name: your-image-name
##     image: your-image
##     imagePullPolicy: Always
##     ports:
##       - name: portname
##         containerPort: 1234
##
initContainers: {}
## Add sidecars to the Keycloak pods.
## Example:
## sidecars:
##   - name: your-image-name
##     image: your-image
##     imagePullPolicy: Always
##     ports:
##       - name: portname
##         containerPort: 1234
##
sidecars: {}
## Service configuration
##
service:
  ## Service type.
  ##
  type: ClusterIP
  ## HTTP Port
  ##
  port: 80
  ## HTTPS Port
  ##
  httpsPort: 443
  ## Specify the nodePort values for the LoadBalancer and NodePort service types.
  ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport
  ##
  nodePorts:
    http: ""
    https: ""
  ## Service clusterIP.
  ##
  # clusterIP: None
  ## loadBalancerIP for the SuiteCRM Service (optional, cloud specific)
  ## ref: http://kubernetes.io/docs/user-guide/services/#type-loadbalancer
  ##
  # loadBalancerIP:
  ## Load Balancer sources
  ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
  ## Example:
  ## loadBalancerSourceRanges:
  ##   - 10.10.10.0/24
  ##
  loadBalancerSourceRanges: []
  ## Enable client source IP preservation
  ## ref: http://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
  ##
  externalTrafficPolicy: Cluster
  ## Provide any additional annotations which may be required (evaluated as a template).
  ##
  annotations: {}
## Ingress configuration
##
ingress:
  ## Set to true to enable ingress record generation
  ##
  enabled: true
  ## Set this to true in order to add the corresponding annotations for cert-manager
  ##
  certManager: false
  ## When the ingress is enabled, a host pointing to this will be created
  ##
  hostname: kc-greg.illumidesk.com
  ## Override API Version (automatically detected if not set)
  ##
  apiVersion:
  ## Ingress Path
  ##
  path: /
  ## Ingress Path type
  ##
  pathType: ImplementationSpecific
  ## Ingress annotations done as key:value pairs
  ## For a full list of possible ingress annotations, please see
  ## ref: https://github.com/kubernetes/ingress-nginx/blob/master/docs/user-guide/nginx-configuration/annotations.md
  ##
  ## If certManager is set to true, the annotation kubernetes.io/tls-acme: "true" will automatically be set
  ##
  annotations:
    kubernetes.io/ingress.class: "nginx"
    # nginx.org/redirect-to-https: "true"
    # nginx.org/use-forwarded-headers: "false"
  ## Enable TLS configuration for the hostname defined at the ingress.hostname parameter
  ## TLS certificates will be retrieved from a TLS secret with name: {{- printf "%s-tls" .Values.ingress.hostname }}
  ## You can use the ingress.secrets parameter to create this TLS secret, rely on cert-manager to create it, or
  ## let the chart create self-signed certificates for you
  ##
  tls: false
  ## The list of additional hostnames to be covered with this ingress record.
  ## Most likely the hostname above will be enough, but in the event more hosts are needed, this is an array
  ## Example:
  ## extraHosts:
  ##   - name: keycloak.local
  ##     path: /
  ##
  extraHosts: []
  ## The tls configuration for additional hostnames to be covered with this ingress record.
  ## see: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
  ## Example:
  ## extraTls:
  ##   - hosts:
  ##       - keycloak.local
  ##     secretName: keycloak.local-tls
  ##
  extraTls: []
  ## If you're providing your own certificates, please use this to add the certificates as secrets
  ## key and certificate should start with -----BEGIN CERTIFICATE----- or -----BEGIN RSA PRIVATE KEY-----
  ## name should line up with a secretName set further up
  ##
  ## If it is not set and you're using cert-manager, this is unneeded, as it will create the secret for you
  ## If it is not set and you're NOT using cert-manager either, self-signed certificates will be created
  ## It is also possible to create and manage the certificates outside of this helm chart
  ## Please see README.md for more information
  ##
  ## Example
  ## secrets:
  ##   - name: aspnet-core.local-tls
  ##     key: ""
  ##     certificate: ""
  ##
  secrets: []
## Network Policy configuration
## ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/
##
networkPolicy:
  ## Enable creation of NetworkPolicy resources
  ##
  enabled: false
  ## The Policy model to apply. When set to false, only pods with the correct
  ## client label will have network access to the ports Keycloak is listening
  ## on. When true, Keycloak will accept connections from any source
  ## (with the correct destination port).
  ##
  allowExternal: true
  ## Additional NetworkPolicy Ingress "from" rules to set. Note that all rules are OR-ed.
  ## Example:
  ## additionalRules:
  ##   - matchLabels:
  ##       - role: frontend
  ##   - matchExpressions:
  ##       - key: role
  ##         operator: In
  ##         values:
  ##           - frontend
  ##
  additionalRules: {}
## Specifies whether RBAC resources should be created
##
rbac:
  create: false
  ## Custom RBAC rules
  ## Example:
  ## rules:
  ##   - apiGroups:
  ##       - ""
  ##     resources:
  ##       - pods
  ##     verbs:
  ##       - get
  ##       - list
  ##
  rules: []
## Specifies whether a ServiceAccount should be created
##
serviceAccount:
  create: true
  ## The name of the ServiceAccount to use.
  ## If not set and create is true, a name is generated using the fullname template
  ##
  name: ""
## Keycloak Pod Disruption Budget configuration
## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/
##
pdb:
  create: false
  ## Min number of pods that must still be available after the eviction
  ##
  minAvailable: 1
  ## Max number of pods that can be unavailable after the eviction
  ##
  # maxUnavailable: 1
## Keycloak Autoscaling configuration
##
autoscaling:
  enabled: false
  minReplicas: 1
  maxReplicas: 11
  # targetCPU: 50
  # targetMemory: 50
## Metrics configuration
##
metrics:
  ## Enable Keycloak statistics
  ## ref: https://github.com/bitnami/bitnami-docker-keycloak#enabling-statistics
  ##
  enabled: false
  ## Keycloak metrics service parameters
  ##
  service:
    ## HTTP management port
    ##
    port: 9990
    ## Annotations for the Prometheus exporter service
    ##
    annotations:
      prometheus.io/scrape: "true"
      prometheus.io/port: "{{ .Values.metrics.service.port }}"
  ## Prometheus Operator ServiceMonitor configuration
  ##
  serviceMonitor:
    ## If the operator is installed in your cluster, set to true to create a Service Monitor Entry
    ##
    enabled: false
    ## Specify the namespace in which the serviceMonitor resource will be created
    ##
    # namespace: ""
    ## Specify the interval at which metrics should be scraped
    ##
    interval: 30s
    ## Specify the timeout after which the scrape is ended
    ##
    # scrapeTimeout: 30s
    ## Specify Metric Relabellings to add to the scrape endpoint
    ##
    # relabellings:
    ## Specify the honorLabels parameter to add to the scrape endpoint
    ##
    honorLabels: false
    ## Specify the release for ServiceMonitor. Sometimes it should be custom for prometheus operator to work
    ##
    # release: ""
    ## Used to pass Labels that are used by the Prometheus installed in your cluster to select Service Monitors to work with
    ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#prometheusspec
    ##
    additionalLabels: {}
##
## PostgreSQL chart configuration
## ref: https://github.com/bitnami/charts/blob/master/bitnami/postgresql/values.yaml
##
postgresql:
  ## Whether to deploy a postgresql server to satisfy the application's database requirements. To use an external database set this to false and configure the externalDatabase parameters
  ##
  enabled: true
  ## PostgreSQL user (has superuser privileges if username is `postgres`)
  ## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md#setting-the-root-password-on-first-run
  ##
  postgresqlUsername: keycloak
  ## PostgreSQL password
  ## Defaults to a random 10-character alphanumeric string if not set
  ## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md#setting-the-root-password-on-first-run
  ##
  postgresqlPassword: password
  ## Database name to create
  ## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md#creating-a-database-on-first-run
  ##
  postgresqlDatabase: keycloak
  ## When postgresql.enabled is true, allows the use of an existing secret for postgresql
  ##
  existingSecret:
  ## PostgreSQL data Persistent Volume Storage Class
  ##
  persistence:
    enabled: true
##
## External database configuration
##
externalDatabase:
  ## Database host
  ##
  host: ""
  ## Database port
  ##
  port: 5432
  ## Non-admin username for the Keycloak database
  ##
  user: bn_keycloak
  ## Database password
  ##
  password: ""
  ## Database name
  ##
  database: bitnami_keycloak
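The values file above keeps its credentials inline (auth.adminPassword, auth.managementPassword, postgresql.postgresqlPassword) and describes two ways to move secrets out of it: the commented auth.existingSecret block with its keyMapping, and the four-step procedure for the auth.tls.jksSecret keystore secret. The script below is an added example, not code from the gist or from the Bitnami chart. It renders the credentials Secret with the key names shown on the left-hand side of the gist's keyMapping example (admin-password, management-password, database-password), checks a values file for literal password values before install, and builds the step-4 kubectl command after verifying that keycloak.truststore.jks and one keycloak-X.keystore.jks per replica are actually present. The Secret names (keycloak-credentials, keycloak-jks), the keycloak namespace, the directory path and the empty .jks files in the demo are constructed placeholders.

```shell
#!/bin/sh
# Added example (not part of the gist or the Bitnami chart): prepare the Secrets that
# auth.existingSecret and auth.tls.jksSecret can reference instead of literal passwords.
# Secret names, namespace and directory are placeholders chosen for this example.
set -eu

# Random password: N bytes of entropy from /dev/urandom, base64 without padding or newlines.
random_password() {
  head -c "${1:-24}" /dev/urandom | base64 | tr -d '\n='
}

# base64 a value on a single line for the Secret's data: map (works with GNU and BSD base64).
b64() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

# Emit the credentials Secret manifest on stdout. The key names match the left-hand side of
# the gist's keyMapping example; use keyMapping if your Secret uses different names.
# $1 name, $2 namespace, $3 admin password, $4 management password, $5 database password
render_credentials_secret() {
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $1
  namespace: $2
type: Opaque
data:
  admin-password: $(b64 "$3")
  management-password: $(b64 "$4")
  database-password: $(b64 "$5")
EOF
}

# Return 0 when a values file still carries a literal, non-empty password for one of the
# keys this chart reads, 1 otherwise. Intended as a guard before `helm install`.
values_has_literal_passwords() {
  grep -Eq '^[[:space:]]*(adminPassword|managementPassword|postgresqlPassword|keystorePassword|truststorePassword|password):[[:space:]]*("[^"]+"|[^"[:space:]#]+)' "$1"
}

# Print the step-4 kubectl command for a directory holding keycloak.truststore.jks and
# keycloak-0 .. keycloak-(N-1).keystore.jks. Returns 1 if any expected file is missing,
# which otherwise only shows up when that replica fails to start.
# $1 secret name, $2 directory, $3 replica count (the values file's replicaCount)
jks_secret_command() {
  dir=$2; n=$3; i=0; missing=0
  [ -f "$dir/keycloak.truststore.jks" ] || { echo "missing $dir/keycloak.truststore.jks" >&2; missing=1; }
  files="--from-file=$dir/keycloak.truststore.jks"
  while [ "$i" -lt "$n" ]; do
    f="$dir/keycloak-$i.keystore.jks"
    [ -f "$f" ] || { echo "missing $f" >&2; missing=1; }
    files="$files --from-file=$f"
    i=$((i + 1))
  done
  [ "$missing" -eq 0 ] || return 1
  echo "kubectl create secret generic $1 $files"
}

# Demo on constructed inputs: a values fragment mirroring the gist's defaults and a
# two-replica keystore directory with empty placeholder .jks files.
demo() {
  work=$(mktemp -d)
  cat >"$work/values-fragment.yaml" <<'EOF'
auth:
  adminUser: admin
  adminPassword: admin
postgresql:
  postgresqlPassword: password
EOF
  if values_has_literal_passwords "$work/values-fragment.yaml"; then
    echo "# literal passwords found in values fragment; generate a Secret instead:"
    render_credentials_secret keycloak-credentials keycloak \
      "$(random_password)" "$(random_password)" "$(random_password)"
  fi
  : >"$work/keycloak.truststore.jks"
  : >"$work/keycloak-0.keystore.jks"
  : >"$work/keycloak-1.keystore.jks"
  jks_secret_command keycloak-jks "$work" 2
  rm -rf "$work"
}
demo
```

Apply the rendered manifest with kubectl apply -f, then point auth.existingSecret.name at it and leave adminPassword, managementPassword and postgresqlPassword empty in the values file; the jks_secret_command check takes replicaCount from the same file so the keystore count and the pod ordinals stay in step.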