Example - Keycloak Operator
# Step 1. Create Secret
# Both Secrets are referenced by name in the CR below (keycloak-temp-admin via
# bootstrapAdmin.user.secret, keycloak-db via db.usernameSecret / db.passwordSecret).
# 'Test12#$' is a sample value; use distinct generated passwords for the two accounts.
# oc create secret generic keycloak-temp-admin --from-literal=username=temp-admin --from-literal=password='Test12#$' -n keycloak
# oc create secret generic keycloak-db --from-literal=username=keycloak --from-literal=password='Test12#$' -n keycloak
#
# Step 2. Initialize the Admin Account
# Run from inside the pod ('oc rsh'), so the plaintext http://localhost:8080 call stays on the
# pod's loopback. The temp-admin bootstrap account is used once to create the permanent admin.
# oc rsh keycloak-0
# /opt/keycloak/bin/kcadm.sh config credentials --server http://localhost:8080 --realm master --user temp-admin
# /opt/keycloak/bin/kcadm.sh create users -r master -s username=admin -s enabled=true
# NOTE(review): --new-password on the command line lands in the rsh session's shell history;
# kcadm can prompt for the password when the flag is omitted -- verify with 'set-password --help'.
# /opt/keycloak/bin/kcadm.sh set-password -r master --username admin --new-password 'Test12#$'
# /opt/keycloak/bin/kcadm.sh add-roles --uusername admin --rolename admin
#
# Step 3. Delete the temp-admin Account
# Looks up the temp-admin user id, then deletes the user (the Secret is untouched).
# NOTE(review): the keycloak-temp-admin Secret still holds the bootstrap password afterwards
# and the CR below still references it in bootstrapAdmin; rotate it, and check how the operator
# handles a missing referenced Secret before deleting it outright.
# ID=$(/opt/keycloak/bin/kcadm.sh get users -r master -q username=temp-admin | grep '"id"' | head -1 | cut -d'"' -f4)
# /opt/keycloak/bin/kcadm.sh delete users/$ID -r master
#
# Two sizing profiles for the same Keycloak CR follow, separated by '---'. Both use
# metadata.name 'keycloak' in namespace 'keycloak', so applying the whole file leaves only the
# last document in effect -- apply one profile.
## 2Core, 2GiB Memory ##
# NOTE(review): the heading above looks stale: resources below request/limit 4 cpu / 4Gi and
# JAVA_OPTS_APPEND sets -XX:ActiveProcessorCount=4 (heap is -Xms2g -Xmx2500m).
apiVersion: k8s.keycloak.org/v2alpha1
kind: Keycloak
metadata:
  labels:
    apps: sso
  name: keycloak
  namespace: keycloak
spec:
  proxy:
    # Honour X-Forwarded-* headers from the upstream proxy; presumably TLS is terminated at the
    # route/ingress, since http.tlsSecret is commented out and httpEnabled is true -- confirm.
    headers: xforwarded
    # NOTE(review): with trustAddresses left commented, forwarded headers are honoured from any
    # peer that can reach port 8080 directly; confirm the operator networkPolicy below limits that.
    #trustAddresses:
    #  - 172.16.0.0/16
    #  - 10.128.0.0/14
    #  - 100.64.0.0/16
  additionalOptions:
    # Quarkus HTTP layer: idle/read timeouts, header and connection limits, HTTP/2 on,
    # response compression off.
    - name: quarkus.http.idle-timeout
      value: "60S"
    - name: quarkus.http.read-timeout
      value: "30S"
    - name: quarkus.http.http2
      value: "true"
    - name: quarkus.http.limits.max-headers
      value: "200"
    - name: quarkus.http.limits.max-header-size
      value: "40K"
    - name: quarkus.http.enable-compression
      value: "false"
    - name: quarkus.http.limits.max-connections
      value: "20000"
    # Keycloak event storage, OpenTelemetry and metrics are all switched off in this profile.
    - name: kc.events.enabled
      value: "false"
    # Worker / event-loop sizing for the 4-cpu profile; the 8-cpu profile below roughly doubles these.
    - name: quarkus.http.threads
      value: "64"
    - name: quarkus.otel.enabled
      value: "false"
    - name: quarkus.thread-pool.max-threads
      value: "80"
    - name: quarkus.thread-pool.core-threads
      value: "16"
    - name: quarkus.thread-pool.queue-size
      value: "4096"
    - name: quarkus.thread-pool.growth-resistance
      value: "0.4"
    - name: quarkus.vertx.event-loops-pool-size
      value: "8"
    - name: quarkus.vertx.prefer-native-transport
      value: "true"
    - name: quarkus.transaction-manager.default-transaction-timeout
      value: "30S"
    - name: metrics-enabled
      value: "false"
    # JDBC driver properties: simple query mode and prepareThreshold=1 -- presumably to avoid
    # server-side prepared statements behind a connection pooler; confirm against the DB setup.
    - name: quarkus.datasource.jdbc.additional-jdbc-properties.preferQueryMode
      value: "simple"
    - name: quarkus.datasource.jdbc.additional-jdbc-properties.prepareThreshold
      value: "1"
    # Management endpoints are served under /management on the separate httpManagement port below.
    - name: http-management-relative-path
      value: "/management"
    # Console logging at info level.
    - name: log
      value: "console"
    - name: log.level
      value: "info"
    - name: log-console-level
      value: "info"
  # requests equal limits (Guaranteed QoS class).
  resources:
    requests:
      cpu: 4
      memory: 4Gi
    limits:
      cpu: 4
      memory: 4Gi
  # 'unsupported' pod-template overrides: a small writable volume plus the JVM environment.
  unsupported:
    podTemplate:
      spec:
        volumes:
          # presumably a writable ~/.keycloak for kcadm.sh (Step 2) to store its credential
          # config -- confirm the container's HOME resolves to /.
          - name: keycloak-credentials-dir
            emptyDir:
              sizeLimit: 1Mi
        containers:
          - env:
              # Heap bounds; 2500m max inside the 4Gi pod leaves room for metaspace, the 256m
              # code cache and the 1g direct-memory cap set below.
              - name: JAVA_OPTS_KC_HEAP
                value: "-Xms2g -Xmx2500m"
              # Generational ZGC instead of G1; pre-touch the heap at start; exit on
              # OutOfMemoryError so the container is restarted rather than left degraded;
              # ignore System.gc(); short DNS cache TTLs; IPv4 only.
              - name: JAVA_OPTS_APPEND
                value: >-
                  -XX:-UseG1GC
                  -XX:+UseZGC
                  -XX:+ZGenerational
                  -XX:MaxDirectMemorySize=1g
                  -XX:+AlwaysPreTouch
                  -XX:+ExitOnOutOfMemoryError
                  -XX:+DisableExplicitGC
                  -XX:ReservedCodeCacheSize=256m
                  -XX:ActiveProcessorCount=4
                  -XX:+PerfDisableSharedMem
                  -Dsun.net.inetaddr.ttl=60
                  -Dsun.net.inetaddr.negative.ttl=10
                  -Djava.net.preferIPv4Stack=true
            volumeMounts:
              - name: keycloak-credentials-dir
                mountPath: /.keycloak
  db:
    port: 5432
    schema: public
    # Credentials come from the keycloak-db Secret created in Step 1.
    usernameSecret:
      key: username
      name: keycloak-db
    vendor: postgres
    host: postgresql
    # NOTE(review): up to 400 connections from this single instance; check that the PostgreSQL
    # max_connections (or the pooler's limit) can absorb poolMaxSize x instances.
    poolInitialSize: 150
    poolMinSize: 150
    poolMaxSize: 400
    passwordSecret:
      key: password
      name: keycloak-db
    database: keycloakdb
  # Bootstrap admin credentials are read from the keycloak-temp-admin Secret (Step 1).
  bootstrapAdmin:
    user:
      secret: keycloak-temp-admin
  transaction:
    xaEnabled: false
  # Operator-managed NetworkPolicy for the Keycloak pods.
  networkPolicy:
    enabled: true
  # Operator-managed Ingress/Route for the public hostname.
  ingress:
    enabled: true
  hostname:
    hostname: 'https://keycloak.apps.ocp4.local'
    admin: 'https://keycloak.apps.ocp4.local'
    # strict: use the configured hostname rather than resolving it from request headers
    # (per Keycloak docs -- confirm for this version).
    strict: true
    backchannelDynamic: false
  http:
    # Plaintext HTTP on 8080 with no TLS Secret, so the pod itself serves no TLS; the https://
    # hostnames above imply TLS terminates at the route/ingress -- confirm.
    httpEnabled: true
    httpPort: 8080
    httpsPort: 8443
    #tlsSecret: keycloak-certs
  # Management interface on its own port (health endpoints; metrics are disabled above).
  httpManagement:
    port: 9000
  image: 'registry.ocp4.local:5000/keycloak/keycloak:26.1.4'
  instances: 1
  # Pin to worker nodes and tolerate a NoSchedule taint on the worker role.
  scheduling:
    affinity:
      nodeAffinity:
        requiredDuringSchedulingIgnoredDuringExecution:
          nodeSelectorTerms:
            - matchExpressions:
                - key: node-role.kubernetes.io/worker
                  operator: Exists
    tolerations:
      - effect: NoSchedule
        key: node-role.kubernetes.io/worker
        operator: Exists
  # false: the image is not pre-built, so Keycloak runs its build step at startup.
  startOptimized: false
---
## 8Core, 8GiB Memory ##
# Larger profile of the same CR (same metadata.name/namespace as the document above, so only
# one of the two should be applied). Resources, thread pools, heap and ActiveProcessorCount
# are scaled to 8 cpu / 8Gi; everything else matches the smaller profile.
apiVersion: k8s.keycloak.org/v2alpha1
kind: Keycloak
metadata:
  labels:
    apps: sso
  name: keycloak
  namespace: keycloak
spec:
  proxy:
    # Honour X-Forwarded-* headers from the upstream proxy; presumably TLS is terminated at the
    # route/ingress, since http.tlsSecret is commented out and httpEnabled is true -- confirm.
    headers: xforwarded
    # NOTE(review): with trustAddresses left commented, forwarded headers are honoured from any
    # peer that can reach port 8080 directly; confirm the operator networkPolicy below limits that.
    #trustAddresses:
    #  - 172.16.0.0/16
    #  - 10.128.0.0/14
    #  - 100.64.0.0/16
  additionalOptions:
    # Quarkus HTTP layer: idle/read timeouts, header and connection limits, HTTP/2 on,
    # response compression off.
    - name: quarkus.http.idle-timeout
      value: "60S"
    - name: quarkus.http.read-timeout
      value: "30S"
    - name: quarkus.http.http2
      value: "true"
    - name: quarkus.http.limits.max-headers
      value: "200"
    - name: quarkus.http.limits.max-header-size
      value: "40K"
    - name: quarkus.http.enable-compression
      value: "false"
    - name: quarkus.http.limits.max-connections
      value: "20000"
    # Keycloak event storage, OpenTelemetry and metrics are all switched off in this profile.
    - name: kc.events.enabled
      value: "false"
    # Worker / event-loop sizing for 8 cpu: 128 HTTP threads, 32 core pool threads,
    # 16 event loops. max-threads stays at 80.
    - name: quarkus.http.threads
      value: "128"
    - name: quarkus.otel.enabled
      value: "false"
    - name: quarkus.thread-pool.max-threads
      value: "80"
    - name: quarkus.thread-pool.core-threads
      value: "32"
    - name: quarkus.thread-pool.queue-size
      value: "8192"
    - name: quarkus.thread-pool.growth-resistance
      value: "0.4"
    - name: quarkus.vertx.event-loops-pool-size
      value: "16"
    - name: quarkus.vertx.prefer-native-transport
      value: "true"
    - name: quarkus.transaction-manager.default-transaction-timeout
      value: "30S"
    - name: metrics-enabled
      value: "false"
    # JDBC driver properties: simple query mode and prepareThreshold=1 -- presumably to avoid
    # server-side prepared statements behind a connection pooler; confirm against the DB setup.
    - name: quarkus.datasource.jdbc.additional-jdbc-properties.preferQueryMode
      value: "simple"
    - name: quarkus.datasource.jdbc.additional-jdbc-properties.prepareThreshold
      value: "1"
    # Management endpoints are served under /management on the separate httpManagement port below.
    - name: http-management-relative-path
      value: "/management"
    # Console logging at info level.
    - name: log
      value: "console"
    - name: log.level
      value: "info"
    - name: log-console-level
      value: "info"
  # requests equal limits (Guaranteed QoS class).
  resources:
    requests:
      cpu: 8
      memory: 8Gi
    limits:
      cpu: 8
      memory: 8Gi
  # 'unsupported' pod-template overrides: a small writable volume plus the JVM environment.
  unsupported:
    podTemplate:
      spec:
        volumes:
          # presumably a writable ~/.keycloak for kcadm.sh to store its credential config --
          # confirm the container's HOME resolves to /.
          - name: keycloak-credentials-dir
            emptyDir:
              sizeLimit: 1Mi
        containers:
          - env:
              # Fixed 6g heap inside the 8Gi pod; the remainder covers metaspace, the 256m code
              # cache and the 512m direct-memory cap below.
              - name: JAVA_OPTS_KC_HEAP
                value: "-Xms6g -Xmx6g"
              # Generational ZGC instead of G1; pre-touch the heap at start; exit on
              # OutOfMemoryError so the container is restarted rather than left degraded;
              # ignore System.gc(); short DNS cache TTLs; IPv4 only.
              # NOTE(review): MaxDirectMemorySize is 512m here but 1g in the smaller profile --
              # confirm the lower cap on the larger pod is intended.
              - name: JAVA_OPTS_APPEND
                value: >-
                  -XX:-UseG1GC
                  -XX:+UseZGC
                  -XX:+ZGenerational
                  -XX:MaxDirectMemorySize=512m
                  -XX:+AlwaysPreTouch
                  -XX:+ExitOnOutOfMemoryError
                  -XX:+DisableExplicitGC
                  -XX:ReservedCodeCacheSize=256m
                  -XX:ActiveProcessorCount=8
                  -XX:+PerfDisableSharedMem
                  -Dsun.net.inetaddr.ttl=60
                  -Dsun.net.inetaddr.negative.ttl=10
                  -Djava.net.preferIPv4Stack=true
            volumeMounts:
              - name: keycloak-credentials-dir
                mountPath: /.keycloak
  db:
    port: 5432
    schema: public
    # Credentials come from the keycloak-db Secret (see the oc commands at the top of the file).
    usernameSecret:
      key: username
      name: keycloak-db
    vendor: postgres
    host: postgresql
    # NOTE(review): up to 400 connections from this single instance; check that the PostgreSQL
    # max_connections (or the pooler's limit) can absorb poolMaxSize x instances.
    poolInitialSize: 150
    poolMinSize: 150
    poolMaxSize: 400
    passwordSecret:
      key: password
      name: keycloak-db
    database: keycloakdb
  # Bootstrap admin credentials are read from the keycloak-temp-admin Secret; the account is
  # meant to be replaced by a permanent admin and then deleted (see the steps at the top).
  bootstrapAdmin:
    user:
      secret: keycloak-temp-admin
  transaction:
    xaEnabled: false
  # Operator-managed NetworkPolicy for the Keycloak pods.
  networkPolicy:
    enabled: true
  # Operator-managed Ingress/Route for the public hostname.
  ingress:
    enabled: true
  hostname:
    hostname: 'https://keycloak.apps.ocp4.local'
    admin: 'https://keycloak.apps.ocp4.local'
    # strict: use the configured hostname rather than resolving it from request headers
    # (per Keycloak docs -- confirm for this version).
    strict: true
    backchannelDynamic: false
  http:
    # Plaintext HTTP on 8080 with no TLS Secret, so the pod itself serves no TLS; the https://
    # hostnames above imply TLS terminates at the route/ingress -- confirm.
    httpEnabled: true
    httpPort: 8080
    httpsPort: 8443
    #tlsSecret: keycloak-certs
  # Management interface on its own port (health endpoints; metrics are disabled above).
  httpManagement:
    port: 9000
  image: 'registry.ocp4.local:5000/keycloak/keycloak:26.1.4'
  instances: 1
  # Pin to worker nodes and tolerate a NoSchedule taint on the worker role.
  scheduling:
    affinity:
      nodeAffinity:
        requiredDuringSchedulingIgnoredDuringExecution:
          nodeSelectorTerms:
            - matchExpressions:
                - key: node-role.kubernetes.io/worker
                  operator: Exists
    tolerations:
      - effect: NoSchedule
        key: node-role.kubernetes.io/worker
        operator: Exists
  # false: the image is not pre-built, so Keycloak runs its build step at startup.
  startOptimized: false