Create a Keycloak deployment for Aether RBAC testing
Change-Id: I50df90f59795e3cf4c1fc1989606965e927daebd
diff --git a/keycloak/README.md b/keycloak/README.md
new file mode 100644
index 0000000..de4247c
--- /dev/null
+++ b/keycloak/README.md
@@ -0,0 +1,79 @@
+<!--
+SPDX-FileCopyrightText: 2023-present Intel Corporation
+
+SPDX-License-Identifier: Apache-2.0
+-->
+
+# Keycloak Helm Chart configuration
+
+[Keycloak] is Open Source Identity and Access Management for Modern Applications and
+Services.
+
+It can also act as a Federated [OpenID Connect] provider. It can connect to a variety of backends.
+In this deployment it is not connected to a backend, and just uses its own internal format
+persisted to a local Postgres DB.
+
+This chart can be deployed alongside [onos-umbrella](../onos-umbrella) or any other umbrella
+chart that requires an OpenID provider.
+
+## Helm install
+Add the Bitnami repo to `helm`, if you don't already have them:
+```
+helm repo add bitnami https://charts.bitnami.com/bitnami
+helm repo update
+```
+
+To install the standalone Keycloak server in to a namespace e.g. `aether` use:
+
+```shell
+helm -n aether install keycloak bitnami/keycloak -f onosproject/onos-helm-charts/keycloak/values.yaml
+```
+
+This will make it available at http://localhost:80
+
+Now GUI applications with security enabled will redirect to this `localhost:80`
+and when login is successful will redirect to an authenticated GUI.
+
+> To test it, browse to http://localhost/realms/master/.well-known/openid-configuration to see the configuration.
+
+There are 7 users in 8 groups with the LDIF defined in `values.yaml`
+
+```
+User login Group: mixedGroup charactersGroup AetherROCAdmin EnterpriseAdmin starbucks acme defaultent aiab-enterprise
+===================================================================================================================================================================
+Alice Admin alicea@opennetworking.org ✓ ✓
+Bob Cratchit bobc@opennetworking.org ✓ ✓
+Charlie Brown charlieb@opennetworking.org ✓
+Daisy Duke daisyd@opennetworking.org ✓ ✓ ✓ ✓
+Elmer Fudd elmerf@opennetworking.org ✓ ✓ ✓
+Fred Flintstone fredf@opennetworking.org ✓ ✓ ✓ ✓
+Gandalf The Grey gandalfg@opennetworking.org ✓ ✓ ✓
+```
+
+The password for each is `password`
+
+> Verify the login details at http://localhost/realms/master/account/
+
+To use this service with `aether-roc-umbrella` chart, deploy in Helm with the following flags:
+```
+helm -n aether install aether-roc-umbrella aether/aether-roc-umbrella \
+ --set onos-config.openpolicyagent.enabled=true \
+ --set onos-config.openpolicyagent.regoConfigMap=aether-roc-umbrella-opa-rbac \
+ --set onos-config.openidc.issuer=http://keycloak/realms/master \
+ --set aether-roc-api.openidc.issuer=http://keycloak/realms/master \
+ --set aether-roc-gui-v2-1.openidc.issuer=http://localhost/realms/master \
+ --set prom-label-proxy-acc.config.openidc.issuer=http://keycloak/realms/master \
+ --set prom-label-proxy-amp.config.openidc.issuer=http://keycloak/realms/master
+```
+
+> Note here that the connection to keycloak is inside the cluster for the backend services at `http://keycloak`
+> whereas the GUI connects to `http://localhost`
+
+> Note also that the `regoConfigMap` value includes the name of the deployment
+
+## Administration
+The Keycloak Admin console can be reached at http://localhost `admin/admin`
+
+
+[Keycloak]: https://www.keycloak.org/
+[OpenID Connect]: https://openid.net/connect/
\ No newline at end of file
diff --git a/keycloak/values.yaml b/keycloak/values.yaml
new file mode 100644
index 0000000..aecf809
--- /dev/null
+++ b/keycloak/values.yaml
@@ -0,0 +1,1316 @@
+# SPDX-FileCopyrightText: 2023-present Intel Corporation
+#
+# SPDX-License-Identifier: Apache-2.0
+
+# Overrides of the Keycloak Helm chart - see [here](https://github.com/bitnami/charts/tree/main/bitnami/keycloak/#installing-the-chart)
+# for documentation
+global:
+ imageRegistry: ""
+ ## E.g.
+ ## imagePullSecrets:
+ ## - myRegistryKeySecretName
+ ##
+ imagePullSecrets: [ ]
+ storageClass: ""
+
+## @section Common parameters
+##
+
+## @param kubeVersion Force target Kubernetes version (using Helm capabilities if not set)
+##
+kubeVersion: ""
+## @param nameOverride String to partially override common.names.fullname
+##
+nameOverride: ""
+## @param fullnameOverride String to fully override common.names.fullname
+##
+fullnameOverride: ""
+## @param namespaceOverride String to fully override common.names.namespace
+##
+namespaceOverride: ""
+## @param commonLabels Labels to add to all deployed objects
+##
+commonLabels: { }
+## @param enableServiceLinks If set to false, disable Kubernetes service links in the pod spec
+## Ref: https://kubernetes.io/docs/tutorials/services/connect-applications-service/#accessing-the-service
+##
+enableServiceLinks: true
+## @param commonAnnotations Annotations to add to all deployed objects
+##
+commonAnnotations: { }
+## @param clusterDomain Default Kubernetes cluster domain
+##
+clusterDomain: cluster.local
+## @param extraDeploy Array of extra objects to deploy with the release
+##
+extraDeploy: [ ]
+## Enable diagnostic mode in the statefulset
+##
+diagnosticMode:
+ ## @param diagnosticMode.enabled Enable diagnostic mode (all probes will be disabled and the command will be overridden)
+ ##
+ enabled: false
+ ## @param diagnosticMode.command Command to override all containers in the the statefulset
+ ##
+ command:
+ - sleep
+ ## @param diagnosticMode.args Args to override all containers in the the statefulset
+ ##
+ args:
+ - infinity
+
+## @section Keycloak parameters
+
+## Bitnami Keycloak image version
+## ref: https://hub.docker.com/r/bitnami/keycloak/tags/
+## @param image.registry Keycloak image registry
+## @param image.repository Keycloak image repository
+## @param image.tag Keycloak image tag (immutable tags are recommended)
+## @param image.digest Keycloak image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag
+## @param image.pullPolicy Keycloak image pull policy
+## @param image.pullSecrets Specify docker-registry secret names as an array
+## @param image.debug Specify if debug logs should be enabled
+##
+image:
+ registry: docker.io
+ repository: bitnami/keycloak
+ tag: 21.0.2-debian-11-r0
+ digest: ""
+ ## Specify a imagePullPolicy
+ ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
+ ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images
+ ##
+ pullPolicy: IfNotPresent
+ ## Optionally specify an array of imagePullSecrets.
+ ## Secrets must be manually created in the namespace.
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
+ ## Example:
+ ## pullSecrets:
+ ## - myRegistryKeySecretName
+ ##
+ pullSecrets: [ ]
+ ## Set to true if you would like to see extra information on logs
+ ##
+ debug: false
+## Keycloak authentication parameters
+## ref: https://github.com/bitnami/containers/tree/main/bitnami/keycloak#admin-credentials
+##
+auth:
+ ## @param auth.adminUser Keycloak administrator user
+ ##
+ adminUser: admin
+ ## @param auth.adminPassword Keycloak administrator password for the new user
+ ##
+ adminPassword: admin
+ ## @param auth.existingSecret Existing secret containing Keycloak admin password
+ ##
+ existingSecret: ""
+ ## @param auth.passwordSecretKey Key where the Keycloak admin password is being stored inside the existing secret.
+ ##
+ passwordSecretKey: ""
+
+## HTTPS settings
+## ref: https://github.com/bitnami/containers/tree/main/bitnami/keycloak#tls-encryption
+##
+tls:
+ ## @param tls.enabled Enable TLS encryption. Required for HTTPs traffic.
+ ##
+ enabled: false
+ ## @param tls.autoGenerated Generate automatically self-signed TLS certificates. Currently only supports PEM certificates
+ ##
+ autoGenerated: false
+ ## @param tls.existingSecret Existing secret containing the TLS certificates per Keycloak replica
+ ## Create this secret following the steps below:
+ ## 1) Generate your truststore and keystore files (more info at https://www.keycloak.org/docs/latest/server_installation/#_setting_up_ssl)
+ ## 2) Rename your truststore to `keycloak.truststore.jks` or use a different name overwriting the value 'tls.truststoreFilename'.
+ ## 3) Rename your keystores to `keycloak.keystore.jks` or use a different name overwriting the value 'tls.keystoreFilename'.
+ ## 4) Run the command below where SECRET_NAME is the name of the secret you want to create:
+ ## kubectl create secret generic SECRET_NAME --from-file=./keycloak.truststore.jks --from-file=./keycloak.keystore.jks
+ ## NOTE: If usePem enabled, make sure the PEM key and cert are named 'tls.key' and 'tls.crt' respectively.
+ ##
+ existingSecret: ""
+ ## @param tls.usePem Use PEM certificates as input instead of PKS12/JKS stores
+ ## If "true", the Keycloak chart will look for the files keycloak.key and keycloak.crt inside the secret provided with 'existingSecret'.
+ ##
+ usePem: false
+ ## @param tls.truststoreFilename Truststore filename inside the existing secret
+ ##
+ truststoreFilename: "keycloak.truststore.jks"
+ ## @param tls.keystoreFilename Keystore filename inside the existing secret
+ ##
+ keystoreFilename: "keycloak.keystore.jks"
+ ## @param tls.keystorePassword Password to access the keystore when it's password-protected
+ ##
+ keystorePassword: ""
+ ## @param tls.truststorePassword Password to access the truststore when it's password-protected
+ ##
+ truststorePassword: ""
+ ## @param tls.passwordsSecret Secret containing the Keystore and Truststore passwords.
+ ##
+ passwordsSecret: ""
+
+## SPI TLS settings
+## ref: https://www.keycloak.org/server/keycloak-truststore
+##
+spi:
+ ## @param spi.existingSecret Existing secret containing the Keycloak truststore for SPI connection over HTTPS/TLS
+ ## Create this secret following the steps below:
+ ## 1) Rename your truststore to `keycloak-spi.truststore.jks` or use a different name overwriting the value 'spi.truststoreFilename'.
+ ## 2) Run the command below where SECRET_NAME is the name of the secret you want to create:
+ ## kubectl create secret generic SECRET_NAME --from-file=./keycloak-spi.truststore.jks --from-file=./keycloak.keystore.jks
+ ##
+ existingSecret: ""
+ ## @param spi.truststorePassword Password to access the truststore when it's password-protected
+ ##
+ truststorePassword: ""
+ ## @param spi.truststoreFilename Truststore filename inside the existing secret
+ ##
+ truststoreFilename: "keycloak-spi.truststore.jks"
+ ## @param spi.passwordsSecret Secret containing the SPI Truststore passwords.
+ ##
+ passwordsSecret: ""
+ ## @param spi.hostnameVerificationPolicy Verify the hostname of the server’s certificate. Allowed values: "ANY", "WILDCARD", "STRICT".
+ ##
+ hostnameVerificationPolicy: ""
+
+## @param production Run Keycloak in production mode. TLS configuration is required except when using proxy=edge.
+##
+production: false
+## @param proxy reverse Proxy mode edge, reencrypt, passthrough or none
+## ref: https://www.keycloak.org/server/reverseproxy
+##
+proxy: passthrough
+## @param httpRelativePath Set the path relative to '/' for serving resources. Useful if you are migrating from older version which were using '/auth/'
+## ref: https://www.keycloak.org/migration/migrating-to-quarkus#_default_context_path_changed
+##
+httpRelativePath: "/"
+## Keycloak Service Discovery settings
+## ref: https://github.com/bitnami/containers/tree/main/bitnami/keycloak#cluster-configuration
+##
+## @param configuration Keycloak Configuration. Auto-generated based on other parameters when not specified
+## Specify content for keycloak.conf
+## NOTE: This will override configuring Keycloak based on environment variables (including those set by the chart)
+## The keycloak.conf is auto-generated based on other parameters when this parameter is not specified
+##
+## Example:
+## configuration: |-
+## foo: bar
+## baz:
+##
+configuration: ""
+## @param existingConfigmap Name of existing ConfigMap with Keycloak configuration
+## NOTE: When it's set the configuration parameter is ignored
+##
+existingConfigmap: ""
+## @param extraStartupArgs Extra default startup args
+##
+extraStartupArgs: ""
+## @param initdbScripts Dictionary of initdb scripts
+## Specify dictionary of scripts to be run at first boot
+## ref: https://github.com/bitnami/containers/tree/main/bitnami/keycloak#initializing-a-new-instance
+## Example:
+## initdbScripts:
+## my_init_script.sh: |
+## #!/bin/bash
+## echo "Do something."
+##
+initdbScripts: { }
+## @param initdbScriptsConfigMap ConfigMap with the initdb scripts (Note: Overrides `initdbScripts`)
+##
+initdbScriptsConfigMap: ""
+## @param command Override default container command (useful when using custom images)
+##
+command: [ ]
+## @param args Override default container args (useful when using custom images)
+##
+args: [ ]
+## @param extraEnvVars Extra environment variables to be set on Keycloak container
+## Example:
+## extraEnvVars:
+## - name: FOO
+## value: "bar"
+##
+extraEnvVars: [ ]
+## @param extraEnvVarsCM Name of existing ConfigMap containing extra env vars
+##
+extraEnvVarsCM: ""
+## @param extraEnvVarsSecret Name of existing Secret containing extra env vars
+##
+extraEnvVarsSecret: ""
+
+## @section Keycloak statefulset parameters
+
+## @param replicaCount Number of Keycloak replicas to deploy
+##
+replicaCount: 1
+## @param containerPorts.http Keycloak HTTP container port
+## @param containerPorts.https Keycloak HTTPS container port
+## @param containerPorts.infinispan Keycloak infinispan container port
+##
+containerPorts:
+ http: 8080
+ https: 8443
+ infinispan: 7800
+## @param extraContainerPorts Optionally specify extra list of additional port-mappings for Keycloak container
+##
+extraContainerPorts: [ ]
+
+## Keycloak pods' SecurityContext
+## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
+## @param podSecurityContext.enabled Enabled Keycloak pods' Security Context
+## @param podSecurityContext.fsGroup Set Keycloak pod's Security Context fsGroup
+##
+podSecurityContext:
+ enabled: true
+ fsGroup: 1001
+## Keycloak containers' Security Context
+## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
+## @param containerSecurityContext.enabled Enabled Keycloak containers' Security Context
+## @param containerSecurityContext.runAsUser Set Keycloak container's Security Context runAsUser
+## @param containerSecurityContext.runAsNonRoot Set Keycloak container's Security Context runAsNonRoot
+##
+containerSecurityContext:
+ enabled: true
+ runAsUser: 1001
+ runAsNonRoot: true
+## Keycloak resource requests and limits
+## ref: https://kubernetes.io/docs/user-guide/compute-resources/
+## @param resources.limits The resources limits for the Keycloak containers
+## @param resources.requests The requested resources for the Keycloak containers
+##
+resources:
+ limits: { }
+ requests: { }
+## Configure extra options for Keycloak containers' liveness, readiness and startup probes
+## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes
+## @param livenessProbe.enabled Enable livenessProbe on Keycloak containers
+## @param livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe
+## @param livenessProbe.periodSeconds Period seconds for livenessProbe
+## @param livenessProbe.timeoutSeconds Timeout seconds for livenessProbe
+## @param livenessProbe.failureThreshold Failure threshold for livenessProbe
+## @param livenessProbe.successThreshold Success threshold for livenessProbe
+##
+livenessProbe:
+ enabled: true
+ initialDelaySeconds: 300
+ periodSeconds: 1
+ timeoutSeconds: 5
+ failureThreshold: 3
+ successThreshold: 1
+## @param readinessProbe.enabled Enable readinessProbe on Keycloak containers
+## @param readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe
+## @param readinessProbe.periodSeconds Period seconds for readinessProbe
+## @param readinessProbe.timeoutSeconds Timeout seconds for readinessProbe
+## @param readinessProbe.failureThreshold Failure threshold for readinessProbe
+## @param readinessProbe.successThreshold Success threshold for readinessProbe
+##
+readinessProbe:
+ enabled: true
+ initialDelaySeconds: 30
+ periodSeconds: 10
+ timeoutSeconds: 1
+ failureThreshold: 3
+ successThreshold: 1
+## When enabling this, make sure to set initialDelaySeconds to 0 for livenessProbe and readinessProbe
+## @param startupProbe.enabled Enable startupProbe on Keycloak containers
+## @param startupProbe.initialDelaySeconds Initial delay seconds for startupProbe
+## @param startupProbe.periodSeconds Period seconds for startupProbe
+## @param startupProbe.timeoutSeconds Timeout seconds for startupProbe
+## @param startupProbe.failureThreshold Failure threshold for startupProbe
+## @param startupProbe.successThreshold Success threshold for startupProbe
+##
+startupProbe:
+ enabled: false
+ initialDelaySeconds: 30
+ periodSeconds: 5
+ timeoutSeconds: 1
+ failureThreshold: 60
+ successThreshold: 1
+## @param customLivenessProbe Custom Liveness probes for Keycloak
+##
+customLivenessProbe: { }
+## @param customReadinessProbe Custom Rediness probes Keycloak
+##
+customReadinessProbe: { }
+## @param customStartupProbe Custom Startup probes for Keycloak
+##
+customStartupProbe: { }
+## @param lifecycleHooks LifecycleHooks to set additional configuration at startup
+##
+lifecycleHooks: { }
+## @param hostAliases Deployment pod host aliases
+## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
+##
+hostAliases: [ ]
+## @param podLabels Extra labels for Keycloak pods
+## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
+##
+podLabels: { }
+## @param podAnnotations Annotations for Keycloak pods
+## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
+##
+podAnnotations: { }
+## @param podAffinityPreset Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
+## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
+##
+podAffinityPreset: ""
+## @param podAntiAffinityPreset Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
+## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
+##
+podAntiAffinityPreset: soft
+## Node affinity preset
+## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity
+##
+nodeAffinityPreset:
+ ## @param nodeAffinityPreset.type Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
+ ##
+ type: ""
+ ## @param nodeAffinityPreset.key Node label key to match. Ignored if `affinity` is set.
+ ## E.g.
+ ## key: "kubernetes.io/e2e-az-name"
+ ##
+ key: ""
+ ## @param nodeAffinityPreset.values Node label values to match. Ignored if `affinity` is set.
+ ## E.g.
+ ## values:
+ ## - e2e-az1
+ ## - e2e-az2
+ ##
+ values: [ ]
+## @param affinity Affinity for pod assignment
+## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
+##
+affinity: { }
+## @param nodeSelector Node labels for pod assignment
+## ref: https://kubernetes.io/docs/user-guide/node-selection/
+##
+nodeSelector: { }
+## @param tolerations Tolerations for pod assignment
+## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
+##
+tolerations: [ ]
+## @param topologySpreadConstraints Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template
+## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/#spread-constraints-for-pods
+##
+topologySpreadConstraints: [ ]
+## @param podManagementPolicy Pod management policy for the Keycloak statefulset
+##
+podManagementPolicy: Parallel
+## @param priorityClassName Keycloak pods' Priority Class Name
+## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/
+##
+priorityClassName: ""
+## @param schedulerName Use an alternate scheduler, e.g. "stork".
+## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
+##
+schedulerName: ""
+## @param terminationGracePeriodSeconds Seconds Keycloak pod needs to terminate gracefully
+## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods
+##
+terminationGracePeriodSeconds: ""
+## @param updateStrategy.type Keycloak statefulset strategy type
+## @param updateStrategy.rollingUpdate Keycloak statefulset rolling update configuration parameters
+## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies
+##
+updateStrategy:
+ type: RollingUpdate
+ rollingUpdate: { }
+## @param extraVolumes Optionally specify extra list of additional volumes for Keycloak pods
+##
+extraVolumes: [ ]
+## @param extraVolumeMounts Optionally specify extra list of additional volumeMounts for Keycloak container(s)
+##
+extraVolumeMounts: [ ]
+## @param initContainers Add additional init containers to the Keycloak pods
+## Example:
+## initContainers:
+## - name: your-image-name
+## image: your-image
+## imagePullPolicy: Always
+## ports:
+## - name: portname
+## containerPort: 1234
+##
+initContainers: [ ]
+## @param sidecars Add additional sidecar containers to the Keycloak pods
+## Example:
+## sidecars:
+## - name: your-image-name
+## image: your-image
+## imagePullPolicy: Always
+## ports:
+## - name: portname
+## containerPort: 1234
+##
+sidecars: [ ]
+
+## @section Exposure parameters
+##
+
+## Service configuration
+##
+service:
+ ## @param service.type Kubernetes service type
+ ##
+ type: LoadBalancer
+ ## @param service.http.enabled Enable http port on service
+ ##
+ http:
+ enabled: true
+ ## @param service.ports.http Keycloak service HTTP port
+ ## @param service.ports.https Keycloak service HTTPS port
+ ##
+ ports:
+ http: 80
+ https: 443
+ ## @param service.nodePorts [object] Specify the nodePort values for the LoadBalancer and NodePort service types.
+ ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport
+ ##
+ nodePorts:
+ http: ""
+ https: ""
+ ## @param service.sessionAffinity Control where client requests go, to the same pod or round-robin
+ ## Values: ClientIP or None
+ ## ref: https://kubernetes.io/docs/user-guide/services/
+ ##
+ sessionAffinity: None
+ ## @param service.sessionAffinityConfig Additional settings for the sessionAffinity
+ ## sessionAffinityConfig:
+ ## clientIP:
+ ## timeoutSeconds: 300
+ ##
+ sessionAffinityConfig: { }
+ ## @param service.clusterIP Keycloak service clusterIP IP
+ ## e.g:
+ ## clusterIP: None
+ ##
+ clusterIP: ""
+ ## @param service.loadBalancerIP loadBalancerIP for the SuiteCRM Service (optional, cloud specific)
+ ## ref: https://kubernetes.io/docs/user-guide/services/#type-loadbalancer
+ ##
+ loadBalancerIP: ""
+ ## @param service.loadBalancerSourceRanges Address that are allowed when service is LoadBalancer
+ ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
+ ## Example:
+ ## loadBalancerSourceRanges:
+ ## - 10.10.10.0/24
+ ##
+ loadBalancerSourceRanges: [ ]
+ ## @param service.externalTrafficPolicy Enable client source IP preservation
+ ## ref https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
+ ##
+ externalTrafficPolicy: Cluster
+ ## @param service.annotations Additional custom annotations for Keycloak service
+ ##
+ annotations: { }
+ ## @param service.extraPorts Extra port to expose on Keycloak service
+ ##
+ extraPorts: [ ]
+ # DEPRECATED service.extraHeadlessPorts will be removed in a future release, please use service.headless.extraPorts instead
+ ## @param service.extraHeadlessPorts Extra ports to expose on Keycloak headless service
+ ##
+ extraHeadlessPorts: [ ]
+ ## Headless service properties
+ ##
+ headless:
+ ## @param service.headless.annotations Annotations for the headless service.
+ ##
+ annotations: { }
+ ## @param service.headless.extraPorts Extra ports to expose on Keycloak headless service
+ ##
+ extraPorts: [ ]
+## Keycloak ingress parameters
+## ref: https://kubernetes.io/docs/user-guide/ingress/
+##
+ingress:
+ ## @param ingress.enabled Enable ingress record generation for Keycloak
+ ##
+ enabled: false
+ ## @param ingress.ingressClassName IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+)
+ ## This is supported in Kubernetes 1.18+ and required if you have more than one IngressClass marked as the default for your cluster .
+ ## ref: https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/
+ ##
+ ingressClassName: ""
+ ## @param ingress.pathType Ingress path type
+ ##
+ pathType: ImplementationSpecific
+ ## @param ingress.apiVersion Force Ingress API version (automatically detected if not set)
+ ##
+ apiVersion: ""
+ ## @param ingress.hostname Default host for the ingress record (evaluated as template)
+ ##
+ hostname: keycloak.local
+ ## @param ingress.path Default path for the ingress record
+ ##
+ path: /
+ ## @param ingress.servicePort Backend service port to use
+ ## Default is http. Alternative is https.
+ ##
+ servicePort: http
+ ## @param ingress.annotations [object] Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations.
+ ## Use this parameter to set the required annotations for cert-manager, see
+ ## ref: https://cert-manager.io/docs/usage/ingress/#supported-annotations
+ ## e.g:
+ ## annotations:
+ ## kubernetes.io/ingress.class: nginx
+ ## cert-manager.io/cluster-issuer: cluster-issuer-name
+ ##
+ annotations: { }
+ ## @param ingress.tls Enable TLS configuration for the host defined at `ingress.hostname` parameter
+ ## TLS certificates will be retrieved from a TLS secret with name: `{{- printf "%s-tls" (tpl .Values.ingress.hostname .) }}`
+ ## You can:
+ ## - Use the `ingress.secrets` parameter to create this TLS secret
+ ## - Rely on cert-manager to create it by setting the corresponding annotations
+ ## - Rely on Helm to create self-signed certificates by setting `ingress.selfSigned=true`
+ ##
+ tls: false
+ ## @param ingress.selfSigned Create a TLS secret for this ingress record using self-signed certificates generated by Helm
+ ##
+ selfSigned: false
+ ## @param ingress.extraHosts An array with additional hostname(s) to be covered with the ingress record
+ ## e.g:
+ ## extraHosts:
+ ## - name: keycloak.local
+ ## path: /
+ ##
+ extraHosts: [ ]
+ ## @param ingress.extraPaths Any additional arbitrary paths that may need to be added to the ingress under the main host.
+ ## For example: The ALB ingress controller requires a special rule for handling SSL redirection.
+ ## extraPaths:
+ ## - path: /*
+ ## backend:
+ ## serviceName: ssl-redirect
+ ## servicePort: use-annotation
+ ##
+ extraPaths: [ ]
+ ## @param ingress.extraTls The tls configuration for additional hostnames to be covered with this ingress record.
+ ## see: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
+ ## extraTls:
+ ## - hosts:
+ ## - keycloak.local
+ ## secretName: keycloak.local-tls
+ ##
+ extraTls: [ ]
+ ## @param ingress.secrets If you're providing your own certificates, please use this to add the certificates as secrets
+ ## key and certificate should start with -----BEGIN CERTIFICATE----- or
+ ## -----BEGIN RSA PRIVATE KEY-----
+ ##
+ ## name should line up with a tlsSecret set further up
+ ## If you're using cert-manager, this is unneeded, as it will create the secret for you if it is not set
+ ##
+ ## It is also possible to create and manage the certificates outside of this helm chart
+ ## Please see README.md for more information
+ ## e.g:
+ ## - name: keycloak.local-tls
+ ## key:
+ ## certificate:
+ ##
+ secrets: [ ]
+ ## @param ingress.extraRules Additional rules to be covered with this ingress record
+ ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules
+ ## e.g:
+ ## extraRules:
+ ## - host: airflow.local
+ ## http:
+ ## path: /
+ ## backend:
+ ## service:
+ ## name: airflow-svc
+ ## port:
+ ## name: http
+ ##
+ extraRules: [ ]
+
+## Network Policy configuration
+## ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/
+##
+networkPolicy:
+ ## @param networkPolicy.enabled Enable the default NetworkPolicy policy
+ ##
+ enabled: false
+ ## @param networkPolicy.allowExternal Don't require client label for connections
+ ## The Policy model to apply. When set to false, only pods with the correct
+ ## client label will have network access to the ports Keycloak is listening
+ ## on. When true, Keycloak will accept connections from any source
+ ## (with the correct destination port).
+ ##
+ allowExternal: true
+ ## @param networkPolicy.additionalRules Additional NetworkPolicy rules
+ ## Note that all rules are OR-ed.
+ ## Example:
+ ## additionalRules:
+ ## - matchLabels:
+ ## - role: frontend
+ ## - matchExpressions:
+ ## - key: role
+ ## operator: In
+ ## values:
+ ## - frontend
+ ##
+ additionalRules: { }
+
+## @section RBAC parameter
+## Specifies whether a ServiceAccount should be created
+##
+serviceAccount:
+ ## @param serviceAccount.create Enable the creation of a ServiceAccount for Keycloak pods
+ ##
+ create: true
+ ## @param serviceAccount.name Name of the created ServiceAccount
+ ## If not set and create is true, a name is generated using the fullname template
+ ##
+ name: ""
+ ## @param serviceAccount.automountServiceAccountToken Auto-mount the service account token in the pod
+ ##
+ automountServiceAccountToken: true
+ ## @param serviceAccount.annotations Additional custom annotations for the ServiceAccount
+ ##
+ annotations: { }
+ ## @param serviceAccount.extraLabels Additional labels for the ServiceAccount
+ ##
+ extraLabels: { }
+## Specifies whether RBAC resources should be created
+##
+rbac:
+ ## @param rbac.create Whether to create and use RBAC resources or not
+ ##
+ create: false
+ ## @param rbac.rules Custom RBAC rules
+ ## Example:
+ ## rules:
+ ## - apiGroups:
+ ## - ""
+ ## resources:
+ ## - pods
+ ## verbs:
+ ## - get
+ ## - list
+ ##
+ rules: [ ]
+
+## @section Other parameters
+##
+
+## Keycloak Pod Disruption Budget configuration
+## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/
+##
+pdb:
+ ## @param pdb.create Enable/disable a Pod Disruption Budget creation
+ ##
+ create: false
+ ## @param pdb.minAvailable Minimum number/percentage of pods that should remain scheduled
+ ##
+ minAvailable: 1
+ ## @param pdb.maxUnavailable Maximum number/percentage of pods that may be made unavailable
+ ##
+ maxUnavailable: ""
+## Keycloak Autoscaling configuration
+## @param autoscaling.enabled Enable autoscaling for Keycloak
+## @param autoscaling.minReplicas Minimum number of Keycloak replicas
+## @param autoscaling.maxReplicas Maximum number of Keycloak replicas
+## @param autoscaling.targetCPU Target CPU utilization percentage
+## @param autoscaling.targetMemory Target Memory utilization percentage
+##
+autoscaling:
+ enabled: false
+ minReplicas: 1
+ maxReplicas: 11
+ targetCPU: ""
+ targetMemory: ""
+
+## @section Metrics parameters
+##
+
+## Metrics configuration
+##
+metrics:
+ ## @param metrics.enabled Enable exposing Keycloak statistics
+ ## ref: https://github.com/bitnami/containers/tree/main/bitnami/keycloak#enabling-statistics
+ ##
+ enabled: false
+ ## Keycloak metrics service parameters
+ ##
+ service:
+ ## @param metrics.service.ports.http Metrics service HTTP port
+ ##
+ ports:
+ http: 8080
+ ## @param metrics.service.annotations [object] Annotations for enabling prometheus to access the metrics endpoints
+ ##
+ annotations:
+ prometheus.io/scrape: "true"
+ prometheus.io/port: "{{ .Values.metrics.service.ports.http }}"
+ ## Prometheus Operator ServiceMonitor configuration
+ ##
+ serviceMonitor:
+ ## @param metrics.serviceMonitor.enabled Create ServiceMonitor Resource for scraping metrics using PrometheusOperator
+ ##
+ enabled: false
+ ## @param metrics.serviceMonitor.port Metrics service HTTP port
+ ##
+ port: http
+ ## @param metrics.serviceMonitor.endpoints [array] The endpoint configuration of the ServiceMonitor. Path is mandatory. Interval, timeout and labellings can be overwritten.
+ ##
+ endpoints:
+ - path: /metrics
+ - path: /realms/master/metrics
+ ## @param metrics.serviceMonitor.path Metrics service HTTP path. Deprecated: Use @param metrics.serviceMonitor.endpoints instead
+ ##
+ path: ""
+ ## @param metrics.serviceMonitor.namespace Namespace which Prometheus is running in
+ ##
+ namespace: ""
+ ## @param metrics.serviceMonitor.interval Interval at which metrics should be scraped
+ ##
+ interval: 30s
+ ## @param metrics.serviceMonitor.scrapeTimeout Specify the timeout after which the scrape is ended
+ ## e.g:
+ ## scrapeTimeout: 30s
+ ##
+ scrapeTimeout: ""
+ ## @param metrics.serviceMonitor.labels Additional labels that can be used so ServiceMonitor will be discovered by Prometheus
+ ##
+ labels: { }
+ ## @param metrics.serviceMonitor.selector Prometheus instance selector labels
+ ## ref: https://github.com/bitnami/charts/tree/main/bitnami/prometheus-operator#prometheus-configuration
+ ##
+ selector: { }
+ ## @param metrics.serviceMonitor.relabelings RelabelConfigs to apply to samples before scraping
+ ##
+ relabelings: [ ]
+ ## @param metrics.serviceMonitor.metricRelabelings MetricRelabelConfigs to apply to samples before ingestion
+ ##
+ metricRelabelings: [ ]
+ ## @param metrics.serviceMonitor.honorLabels honorLabels chooses the metric's labels on collisions with target labels
+ ##
+ honorLabels: false
+ ## @param metrics.serviceMonitor.jobLabel The name of the label on the target service to use as the job name in prometheus.
+ ##
+ jobLabel: ""
+ ## Prometheus Operator alert rules configuration
+ ##
+ prometheusRule:
+ ## @param metrics.prometheusRule.enabled Create PrometheusRule Resource for scraping metrics using PrometheusOperator
+ ##
+ enabled: false
+ ## @param metrics.prometheusRule.namespace Namespace which Prometheus is running in
+ ##
+ namespace: ""
+ ## @param metrics.prometheusRule.labels Additional labels that can be used so PrometheusRule will be discovered by Prometheus
+ ##
+ labels: { }
+ ## @param metrics.prometheusRule.groups Groups, containing the alert rules.
+ ## Example:
+ ## groups:
+ ## - name: Keycloak
+ ## rules:
+ ## - alert: KeycloakInstanceNotAvailable
+ ## annotations:
+ ## message: "Keycloak instance in namespace {{ `{{` }} $labels.namespace {{ `}}` }} has not been available for the last 5 minutes."
+ ## expr: |
+ ## absent(kube_pod_status_ready{namespace="{{ include "common.names.namespace" . }}", condition="true"} * on (pod) kube_pod_labels{pod=~"{{ include "common.names.fullname" . }}-\\d+", namespace="{{ include "common.names.namespace" . }}"}) != 0
+ ## for: 5m
+ ## labels:
+ ## severity: critical
+ groups: [ ]
+
+## @section keycloak-config-cli parameters
+
+## Configuration for keycloak-config-cli
+## ref: https://github.com/adorsys/keycloak-config-cli
+##
+keycloakConfigCli:
+ ## @param keycloakConfigCli.enabled Whether to enable keycloak-config-cli job
+ ##
+ enabled: true
+ ## Bitnami keycloak-config-cli image
+ ## ref: https://hub.docker.com/r/bitnami/keycloak-config-cli/tags/
+ ## @param keycloakConfigCli.image.registry keycloak-config-cli container image registry
+ ## @param keycloakConfigCli.image.repository keycloak-config-cli container image repository
+ ## @param keycloakConfigCli.image.tag keycloak-config-cli container image tag
+ ## @param keycloakConfigCli.image.digest keycloak-config-cli container image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag
+ ## @param keycloakConfigCli.image.pullPolicy keycloak-config-cli container image pull policy
+ ## @param keycloakConfigCli.image.pullSecrets keycloak-config-cli container image pull secrets
+ ##
+ image:
+ registry: docker.io
+ repository: bitnami/keycloak-config-cli
+ tag: 5.6.1-debian-11-r5
+ digest: ""
+ ## Specify a imagePullPolicy
+ ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
+ ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images
+ ##
+ pullPolicy: IfNotPresent
+ ## Optionally specify an array of imagePullSecrets.
+ ## Secrets must be manually created in the namespace.
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
+ ## e.g:
+ ## pullSecrets:
+ ## - myRegistryKeySecretName
+ ##
+ pullSecrets: [ ]
+ ## @param keycloakConfigCli.annotations [object] Annotations for keycloak-config-cli job
+ ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
+ ##
+ annotations:
+ helm.sh/hook: "post-install,post-upgrade,post-rollback"
+ helm.sh/hook-delete-policy: "hook-succeeded,before-hook-creation"
+ helm.sh/hook-weight: "5"
+ ## @param keycloakConfigCli.command Command for running the container (set to default if not set). Use array form
+ ##
+ command:
+ - java
+ - -jar
+ - /opt/bitnami/keycloak-config-cli/keycloak-config-cli.jar
+ ## @param keycloakConfigCli.args Args for running the container (set to default if not set). Use array form
+ ##
+ args: [ ]
+ ## @param keycloakConfigCli.hostAliases Job pod host aliases
+ ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
+ ##
+ hostAliases: [ ]
+ ## Keycloak config CLI resource requests and limits
+ ## ref: https://kubernetes.io/docs/user-guide/compute-resources/
+ ## @param keycloakConfigCli.resources.limits The resources limits for the keycloak-config-cli container
+ ## @param keycloakConfigCli.resources.requests The requested resources for the keycloak-config-cli container
+ ##
+ resources:
+ limits: { }
+ requests: { }
+ ## keycloak-config-cli containers' Security Context
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
+ ## @param keycloakConfigCli.containerSecurityContext.enabled Enabled keycloak-config-cli containers' Security Context
+ ## @param keycloakConfigCli.containerSecurityContext.runAsUser Set keycloak-config-cli container's Security Context runAsUser
+ ## @param keycloakConfigCli.containerSecurityContext.runAsNonRoot Set keycloak-config-cli container's Security Context runAsNonRoot
+ ##
+ containerSecurityContext:
+ enabled: true
+ runAsUser: 1001
+ runAsNonRoot: true
+ ## keycloak-config-cli pods' Security Context
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
+ ## @param keycloakConfigCli.podSecurityContext.enabled Enabled keycloak-config-cli pods' Security Context
+ ## @param keycloakConfigCli.podSecurityContext.fsGroup Set keycloak-config-cli pod's Security Context fsGroup
+ ##
+ podSecurityContext:
+ enabled: true
+ fsGroup: 1001
+ ## @param keycloakConfigCli.backoffLimit Number of retries before considering a Job as failed
+ ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy
+ ##
+ backoffLimit: 1
+ ## @param keycloakConfigCli.podLabels Pod extra labels
+ ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
+ ##
+ podLabels: { }
+ ## @param keycloakConfigCli.podAnnotations Annotations for job pod
+ ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
+ ##
+ podAnnotations: { }
+ ## @param keycloakConfigCli.extraEnvVars Additional environment variables to set
+ ## Example:
+ ## extraEnvVars:
+ ## - name: FOO
+ ## value: "bar"
+ ##
+ ## @param keycloakConfigCli.nodeSelector Node labels for pod assignment
+ ## ref: https://kubernetes.io/docs/user-guide/node-selection/
+ ##
+ nodeSelector: { }
+ ##
+ ## @param keycloakConfigCli.podTolerations Tolerations for job pod assignment
+ ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
+ ##
+ podTolerations: [ ]
+ extraEnvVars: [ ]
+ ## @param keycloakConfigCli.extraEnvVarsCM ConfigMap with extra environment variables
+ ##
+ extraEnvVarsCM: ""
+ ## @param keycloakConfigCli.extraEnvVarsSecret Secret with extra environment variables
+ ##
+ extraEnvVarsSecret: ""
+ ## @param keycloakConfigCli.extraVolumes Extra volumes to add to the job
+ ##
+ extraVolumes: [ ]
+ ## @param keycloakConfigCli.extraVolumeMounts Extra volume mounts to add to the container
+ ##
+ extraVolumeMounts: [ ]
+ ## @param keycloakConfigCli.initContainers Add additional init containers to the Keycloak config cli pod
+ ## Example:
+ ## initContainers:
+ ## - name: your-image-name
+ ## image: your-image
+ ## imagePullPolicy: Always
+ ## ports:
+ ## - name: portname
+ ## containerPort: 1234
+ ##
+ initContainers: [ ]
+ ## @param keycloakConfigCli.sidecars Add additional sidecar containers to the Keycloak config cli pod
+ ## Example:
+ ## sidecars:
+ ## - name: your-image-name
+ ## image: your-image
+ ## imagePullPolicy: Always
+ ## ports:
+ ## - name: portname
+ ## containerPort: 1234
+ ##
+ sidecars: [ ]
+ ## @param keycloakConfigCli.configuration keycloak-config-cli realms configuration
+ ## NOTE: nil keys will be considered files to import locally
+ ## Example:
+ ## configuration:
+ ## realm1.json: |
+ ## {
+ ## "realm": "realm1",
+ ## "clients": []
+ ## }
+ ## files/realm2.yaml:
+ ## realm3.yaml: |
+ ## realm: realm3
+ ## clients: []
+ ##
+ configuration:
+ realm-master.json: |
+ {
+ "realm": "master",
+ "displayName": "Aether Keycloak",
+ "displayNameHtml": "<img src='https://opennetworking.org/wp-content/uploads/2020/02/aether-logo.png'></img>",
+ "accessTokenLifespan": 86400,
+ "ssoSessionMaxLifespan": 86400,
+ "clients": [
+ {
+ "clientId": "aether-roc-gui",
+ "name": "Aether ROC GUI",
+ "rootUrl": "http://aether-roc-gui:31194",
+ "adminUrl": "http://aether-roc-gui:31194",
+ "enabled": true,
+ "clientAuthenticatorType": "client-secret",
+ "redirectUris": [
+ "http://aether-roc-gui:8183/*",
+ "http://localhost:8183/*",
+ "http://localhost:4200/*",
+ "http://aether-roc-gui:31194/*"
+ ],
+ "webOrigins": [
+ "http://localhost:8183",
+ "http://localhost:4200",
+ "http://aether-roc-gui:8183",
+ "http://aether-roc-gui:31194"
+ ],
+ "protocol": "openid-connect",
+ "fullScopeAllowed": true,
+ "defaultClientScopes": [
+ "profile",
+ "email"
+ ],
+ "optionalClientScopes": [
+ "roles",
+ "groups",
+ "offline_access"
+ ]
+ }
+ ],
+ "clientScopes": [
+ {
+ "name": "groups",
+ "description": "Groups scope",
+ "protocol": "openid-connect",
+ "attributes": {
+ "include.in.token.scope": "true",
+ "display.on.consent.screen": "true"
+ },
+ "protocolMappers": [
+ {
+ "name": "Groups Mapper",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-group-membership-mapper",
+ "consentRequired": false,
+ "config": {
+ "full.path": "false",
+ "id.token.claim": "true",
+ "access.token.claim": "true",
+ "claim.name": "groups",
+ "userinfo.token.claim": "true"
+ }
+ }
+ ]
+ }
+ ],
+ "groups": [
+ {
+ "name": "AetherROCAdmin",
+ "path": "/AetherROCAdmin"
+ },
+ {
+ "name": "EnterpriseAdmin",
+ "path": "/EnterpriseAdmin"
+ },
+ {
+ "name": "acme",
+ "path": "/acme"
+ },
+ {
+ "name": "aiab-enterprise",
+ "path": "/aiab-enterprise"
+ },
+ {
+ "name": "defaultent",
+ "path": "/defaultent"
+ },
+ {
+ "name": "starbucks",
+ "path": "/starbucks"
+ },
+ {
+ "name": "charactersGroup",
+ "path": "/charactersGroup"
+ },
+ {
+ "name": "mixedGroup",
+ "path": "/mixedGroup"
+ }
+ ],
+ "users": [
+ {
+ "username" : "alicea",
+ "enabled" : true,
+ "totp" : false,
+ "emailVerified" : false,
+ "firstName" : "Alice",
+ "lastName" : "Admin",
+ "email" : "alicea@opennetworking.org",
+ "credentials": [
+ {
+ "type": "password",
+ "value": "password"
+ }
+ ],
+ "realmRoles" : [ "default-roles-master" ],
+ "groups" : [ "/mixedGroup", "/AetherROCAdmin" ],
+ "clientRoles": {
+ "account": [
+ "view-profile",
+ "manage-account"
+ ]
+ },
+ },
+ {
+ "username" : "bobc",
+ "enabled" : true,
+ "totp" : false,
+ "emailVerified" : false,
+ "firstName" : "Bob",
+ "lastName" : "Cratchit",
+ "email" : "bobc@opennetworking.org",
+ "credentials": [
+ {
+ "type": "password",
+ "value": "password"
+ }
+ ],
+ "realmRoles" : [ "default-roles-master" ],
+ "groups" : [ "/mixedGroup", "/charactersGroup" ],
+ "clientRoles": {
+ "account": [
+ "view-profile",
+ "manage-account"
+ ]
+ },
+ },
+ {
+ "username" : "charlieb",
+ "enabled" : true,
+ "totp" : false,
+ "emailVerified" : false,
+ "firstName" : "Charlie",
+ "lastName" : "Brown",
+ "email" : "charlieb@opennetworking.org",
+ "credentials": [
+ {
+ "type": "password",
+ "value": "password"
+ }
+ ],
+ "realmRoles" : [ "default-roles-master" ],
+ "groups" : [ "/charactersGroup" ],
+ "clientRoles": {
+ "account": [
+ "view-profile",
+ "manage-account"
+ ]
+ },
+ },
+ {
+ "username" : "daisyd",
+ "enabled" : true,
+ "totp" : false,
+ "emailVerified" : false,
+ "firstName" : "Daisy",
+ "lastName" : "Duke",
+ "email" : "daisyd@opennetworking.org",
+ "credentials": [
+ {
+ "type": "password",
+ "value": "password"
+ }
+ ],
+ "realmRoles" : [ "default-roles-master" ],
+ "groups" : [ "/charactersGroup", "/EnterpriseAdmin", "/starbucks", "/aiab-enterprise" ],
+ "clientRoles": {
+ "account": [
+ "view-profile",
+ "manage-account"
+ ]
+ },
+ },
+ {
+ "username" : "elmerf",
+ "enabled" : true,
+ "totp" : false,
+ "emailVerified" : false,
+ "firstName" : "Elmer",
+ "lastName" : "Fudd",
+ "email" : "elmerf@opennetworking.org",
+ "credentials": [
+ {
+ "type": "password",
+ "value": "password"
+ }
+ ],
+ "realmRoles" : [ "default-roles-master" ],
+ "groups" : [ "/charactersGroup", "/starbucks", "/aiab-enterprise" ],
+ "clientRoles": {
+ "account": [
+ "view-profile",
+ "manage-account"
+ ]
+ },
+ },
+ {
+ "username" : "fredf",
+ "enabled" : true,
+ "totp" : false,
+ "emailVerified" : false,
+ "firstName" : "Fred",
+ "lastName" : "Flintstone",
+ "email" : "fredf@opennetworking.org",
+ "credentials": [
+ {
+ "type": "password",
+ "value": "password"
+ }
+ ],
+ "realmRoles" : [ "default-roles-master" ],
+ "groups" : [ "/charactersGroup", "/EnterpriseAdmin", "/acme", "defaultent" ],
+ "clientRoles": {
+ "account": [
+ "view-profile",
+ "manage-account"
+ ]
+ },
+ },
+ {
+ "username" : "gandalfg",
+ "enabled" : true,
+ "totp" : false,
+ "emailVerified" : false,
+ "firstName" : "Gandalf",
+ "lastName" : "The Grey",
+ "email" : "gandalfg@opennetworking.org",
+ "credentials": [
+ {
+ "type": "password",
+ "value": "password"
+ }
+ ],
+ "realmRoles" : [ "default-roles-master" ],
+ "groups" : [ "/charactersGroup", "/acme", "defaultent" ],
+ "clientRoles": {
+ "account": [
+ "view-profile",
+ "manage-account"
+ ]
+ },
+ }
+ ]
+ }
+ ## @param keycloakConfigCli.existingConfigmap ConfigMap with keycloak-config-cli configuration. This will override `keycloakConfigCli.config`
+ ## NOTE: This will override keycloakConfigCli.configuration
+ ##
+ existingConfigmap: ""
+ ## Automatic Cleanup for Finished Jobs
+ ## @param keycloakConfigCli.cleanupAfterFinished.enabled Enables Cleanup for Finished Jobs
+ ## @param keycloakConfigCli.cleanupAfterFinished.seconds Sets the value of ttlSecondsAfterFinished
+ ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/
+ ##
+ cleanupAfterFinished:
+ enabled: false
+ seconds: 600
+
+## @section Database parameters
+
+## PostgreSQL chart configuration
+## ref: https://github.com/bitnami/charts/blob/main/bitnami/postgresql/values.yaml
+## @param postgresql.enabled Switch to enable or disable the PostgreSQL helm chart
+## @param postgresql.auth.postgresPassword Password for the "postgres" admin user. Ignored if `auth.existingSecret` with key `postgres-password` is provided
+## @param postgresql.auth.username Name for a custom user to create
+## @param postgresql.auth.password Password for the custom user to create
+## @param postgresql.auth.database Name for a custom database to create
+## @param postgresql.auth.existingSecret Name of existing secret to use for PostgreSQL credentials
+## @param postgresql.architecture PostgreSQL architecture (`standalone` or `replication`)
+##
+postgresql:
+ enabled: true
+ auth:
+ postgresPassword: ""
+ username: bn_keycloak
+ password: ""
+ database: bitnami_keycloak
+ existingSecret: ""
+ architecture: standalone
+## External PostgreSQL configuration
+## All of these values are only used when postgresql.enabled is set to false
+## @param externalDatabase.host Database host
+## @param externalDatabase.port Database port number
+## @param externalDatabase.user Non-root username for Keycloak
+## @param externalDatabase.password Password for the non-root username for Keycloak
+## @param externalDatabase.database Keycloak database name
+## @param externalDatabase.existingSecret Name of an existing secret resource containing the database credentials
+## @param externalDatabase.existingSecretPasswordKey Name of an existing secret key containing the database credentials
+##
+externalDatabase:
+ host: ""
+ port: 5432
+ user: bn_keycloak
+ database: bitnami_keycloak
+ password: ""
+ existingSecret: ""
+ existingSecretPasswordKey: ""
+
+## @section Keycloak Cache parameters
+
+## Keycloak cache configuration
+## ref: https://www.keycloak.org/server/caching
+## @param cache.enabled Switch to enable or disable the keycloak distributed cache for kubernetes.
+## NOTE: Set to false to use 'local' cache (only supported when replicaCount=1).
+## @param cache.stackName Set infinispan cache stack to use
+## @param cache.stackFile Set infinispan cache stack filename to use
+##
+cache:
+ enabled: true
+ stackName: kubernetes
+ stackFile: ""
+
+## @section Keycloak Logging parameters
+
+## Keycloak logging configuration
+## ref: https://www.keycloak.org/server/logging
+## @param logging.output Alternates between the default log output format or json format
+## @param logging.level Allowed values as documented: FATAL, ERROR, WARN, INFO, DEBUG, TRACE, ALL, OFF
+##
+logging:
+ output: default
+ level: INFO