updated keycloak
Change-Id: I90950e989e0b0dd9a94fc1c03ed3a13a447a71b1
diff --git a/keycloak/README.md b/keycloak/README.md
index de4247c..e84b6cc 100644
--- a/keycloak/README.md
+++ b/keycloak/README.md
@@ -13,7 +13,7 @@
In this deployment it is not connected to a backend, and just uses its own internal format
persisted to a local Postgres DB.
-This chart can be deployed alongside [onos-umbrella](../onos-umbrella) or any other umbrella
+This chart can be deployed alongside [aether-roc-umbrella](../aether-roc-umbrella) or any other umbrella
chart that requires an OpenID provider.
## Helm install
@@ -26,9 +26,11 @@
To install the standalone Keycloak server in to a namespace e.g. `aether` use:
```shell
-helm -n aether install keycloak bitnami/keycloak -f onosproject/onos-helm-charts/keycloak/values.yaml
+helm -n aether install keycloak bitnami/keycloak -f keycloak/values.yaml
```
+> See the end of this page for uninstall instructions.
+
This will make it available at http://localhost:80
Now GUI applications with security enabled will redirect to this `localhost:80`
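Review bot: the new `-f keycloak/values.yaml` path is relative, so the command only works when run from the root of this charts repository; say so in the sentence above (the old path at least named the repository it lived in). While touching this command, note that it installs `bitnami/keycloak` with no `--version`, so every run picks up whatever the bitnami repo currently serves; adding `--version <chart version>` (and the `helm repo add bitnami ...` step, if it is not already documented above) makes the install reproducible.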
@@ -36,6 +38,13 @@
> To test it, browse to http://localhost/realms/master/.well-known/openid-configuration to see the configuration.
+> On KinD installations this LoadBalancer will not work and instead a port-forward will be needed e.g.
+>
+> `kubectl -n aether port-forward service/keycloak 8080:80`
+>
+> and replace `localhost` in instructions below with `localhost:8080`
+
+
There are 7 users in 8 groups with the LDIF defined in `values.yaml`
```
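Review bot: "replace `localhost` in instructions below with `localhost:8080`" needs to apply to the OIDC configuration of the GUI clients, not only to the browser URL. With the port-forward, the discovery document at `http://localhost:8080/realms/master/.well-known/openid-configuration` and the `iss` claim in issued tokens carry the port (unless a fixed hostname is configured), so a GUI still pointed at `http://localhost` will fail issuer validation even though the redirect appears to work; spell that out in the note. Minor: the two consecutive added blank lines before `There are 7 users in 8 groups` should be one.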
@@ -44,7 +53,7 @@
Alice Admin alicea@opennetworking.org ✓ ✓
Bob Cratchit bobc@opennetworking.org ✓ ✓
Charlie Brown charlieb@opennetworking.org ✓
-Daisy Duke daisyd@opennetworking.org ✓ ✓ ✓ ✓
+Daisy Duke daisyd@opennetworking.org ✓ ✓ ✓ ✓
Elmer Fudd elmerf@opennetworking.org ✓ ✓ ✓
Fred Flintstone fredf@opennetworking.org ✓ ✓ ✓ ✓
Gandalf The Grey gandalfg@opennetworking.org ✓ ✓ ✓
@@ -69,11 +78,15 @@
> Note here that the connection to keycloak is inside the cluster for the backend services at `http://keycloak`
> whereas the GUI connects to `http://localhost`
-> Note also that the `regoConfigMap` value includes the name of the deployment
-
## Administration
The Keycloak Admin console can be reached at http://localhost `admin/admin`
+## Uninstall
+To uninstall:
+```shell
+helm -n aether uninstall keycloak
+kubectl -n aether delete pvc data-keycloak-postgresql-0
+```
[Keycloak]: https://www.keycloak.org/
-[OpenID Connect]: https://openid.net/connect/
\ No newline at end of file
+[OpenID Connect]: https://openid.net/connect/
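Review bot: `kubectl -n aether delete pvc data-keycloak-postgresql-0` permanently destroys the realm, client and user data (the top of the page says this deployment persists to the bundled Postgres) and hard-codes a PVC name that only holds when the release is called `keycloak`. Say that the step is destructive and suggest listing first, e.g. `kubectl -n aether get pvc -l app.kubernetes.io/instance=keycloak`, so operators delete the right volume on purpose. Separately, the `regoConfigMap` note is dropped without replacement: if that value is still consumed by the umbrella chart the sentence should move, not vanish; if the value itself was removed, the commit message should say so.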
diff --git a/keycloak/values.yaml b/keycloak/values.yaml
index aecf809..9ec9b88 100644
--- a/keycloak/values.yaml
+++ b/keycloak/values.yaml
@@ -2,96 +2,6 @@
#
# SPDX-License-Identifier: Apache-2.0
-# Overrides of the Keycloak Helm chart - see [here](https://github.com/bitnami/charts/tree/main/bitnami/keycloak/#installing-the-chart)
-# for documentation
-global:
- imageRegistry: ""
- ## E.g.
- ## imagePullSecrets:
- ## - myRegistryKeySecretName
- ##
- imagePullSecrets: [ ]
- storageClass: ""
-
-## @section Common parameters
-##
-
-## @param kubeVersion Force target Kubernetes version (using Helm capabilities if not set)
-##
-kubeVersion: ""
-## @param nameOverride String to partially override common.names.fullname
-##
-nameOverride: ""
-## @param fullnameOverride String to fully override common.names.fullname
-##
-fullnameOverride: ""
-## @param namespaceOverride String to fully override common.names.namespace
-##
-namespaceOverride: ""
-## @param commonLabels Labels to add to all deployed objects
-##
-commonLabels: { }
-## @param enableServiceLinks If set to false, disable Kubernetes service links in the pod spec
-## Ref: https://kubernetes.io/docs/tutorials/services/connect-applications-service/#accessing-the-service
-##
-enableServiceLinks: true
-## @param commonAnnotations Annotations to add to all deployed objects
-##
-commonAnnotations: { }
-## @param clusterDomain Default Kubernetes cluster domain
-##
-clusterDomain: cluster.local
-## @param extraDeploy Array of extra objects to deploy with the release
-##
-extraDeploy: [ ]
-## Enable diagnostic mode in the statefulset
-##
-diagnosticMode:
- ## @param diagnosticMode.enabled Enable diagnostic mode (all probes will be disabled and the command will be overridden)
- ##
- enabled: false
- ## @param diagnosticMode.command Command to override all containers in the the statefulset
- ##
- command:
- - sleep
- ## @param diagnosticMode.args Args to override all containers in the the statefulset
- ##
- args:
- - infinity
-
-## @section Keycloak parameters
-
-## Bitnami Keycloak image version
-## ref: https://hub.docker.com/r/bitnami/keycloak/tags/
-## @param image.registry Keycloak image registry
-## @param image.repository Keycloak image repository
-## @param image.tag Keycloak image tag (immutable tags are recommended)
-## @param image.digest Keycloak image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag
-## @param image.pullPolicy Keycloak image pull policy
-## @param image.pullSecrets Specify docker-registry secret names as an array
-## @param image.debug Specify if debug logs should be enabled
-##
-image:
- registry: docker.io
- repository: bitnami/keycloak
- tag: 21.0.2-debian-11-r0
- digest: ""
- ## Specify a imagePullPolicy
- ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
- ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images
- ##
- pullPolicy: IfNotPresent
- ## Optionally specify an array of imagePullSecrets.
- ## Secrets must be manually created in the namespace.
- ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
- ## Example:
- ## pullSecrets:
- ## - myRegistryKeySecretName
- ##
- pullSecrets: [ ]
- ## Set to true if you would like to see extra information on logs
- ##
- debug: false
## Keycloak authentication parameters
## ref: https://github.com/bitnami/containers/tree/main/bitnami/keycloak#admin-credentials
##
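Review bot: dropping the `image:` block removes the only version pin in this file (`tag: 21.0.2-debian-11-r0`). Combined with the README's `helm install bitnami/keycloak` having no `--version`, each install now runs whichever Keycloak image the chart's current appVersion points at, so two installs weeks apart can differ. If the intent is to trim the file down to the real overrides (the rest of the removed values read like the upstream defaults), keep `image.tag`, or better `image.digest`, or pin the chart version in the README instead. Also keep the two-line header comment linking to the upstream chart documentation: once the file only contains overrides, that link is how a reader finds the defaults being overridden.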
@@ -102,717 +12,6 @@
## @param auth.adminPassword Keycloak administrator password for the new user
##
adminPassword: admin
- ## @param auth.existingSecret Existing secret containing Keycloak admin password
- ##
- existingSecret: ""
- ## @param auth.passwordSecretKey Key where the Keycloak admin password is being stored inside the existing secret.
- ##
- passwordSecretKey: ""
-
-## HTTPS settings
-## ref: https://github.com/bitnami/containers/tree/main/bitnami/keycloak#tls-encryption
-##
-tls:
- ## @param tls.enabled Enable TLS encryption. Required for HTTPs traffic.
- ##
- enabled: false
- ## @param tls.autoGenerated Generate automatically self-signed TLS certificates. Currently only supports PEM certificates
- ##
- autoGenerated: false
- ## @param tls.existingSecret Existing secret containing the TLS certificates per Keycloak replica
- ## Create this secret following the steps below:
- ## 1) Generate your truststore and keystore files (more info at https://www.keycloak.org/docs/latest/server_installation/#_setting_up_ssl)
- ## 2) Rename your truststore to `keycloak.truststore.jks` or use a different name overwriting the value 'tls.truststoreFilename'.
- ## 3) Rename your keystores to `keycloak.keystore.jks` or use a different name overwriting the value 'tls.keystoreFilename'.
- ## 4) Run the command below where SECRET_NAME is the name of the secret you want to create:
- ## kubectl create secret generic SECRET_NAME --from-file=./keycloak.truststore.jks --from-file=./keycloak.keystore.jks
- ## NOTE: If usePem enabled, make sure the PEM key and cert are named 'tls.key' and 'tls.crt' respectively.
- ##
- existingSecret: ""
- ## @param tls.usePem Use PEM certificates as input instead of PKS12/JKS stores
- ## If "true", the Keycloak chart will look for the files keycloak.key and keycloak.crt inside the secret provided with 'existingSecret'.
- ##
- usePem: false
- ## @param tls.truststoreFilename Truststore filename inside the existing secret
- ##
- truststoreFilename: "keycloak.truststore.jks"
- ## @param tls.keystoreFilename Keystore filename inside the existing secret
- ##
- keystoreFilename: "keycloak.keystore.jks"
- ## @param tls.keystorePassword Password to access the keystore when it's password-protected
- ##
- keystorePassword: ""
- ## @param tls.truststorePassword Password to access the truststore when it's password-protected
- ##
- truststorePassword: ""
- ## @param tls.passwordsSecret Secret containing the Keystore and Truststore passwords.
- ##
- passwordsSecret: ""
-
-## SPI TLS settings
-## ref: https://www.keycloak.org/server/keycloak-truststore
-##
-spi:
- ## @param spi.existingSecret Existing secret containing the Keycloak truststore for SPI connection over HTTPS/TLS
- ## Create this secret following the steps below:
- ## 1) Rename your truststore to `keycloak-spi.truststore.jks` or use a different name overwriting the value 'spi.truststoreFilename'.
- ## 2) Run the command below where SECRET_NAME is the name of the secret you want to create:
- ## kubectl create secret generic SECRET_NAME --from-file=./keycloak-spi.truststore.jks --from-file=./keycloak.keystore.jks
- ##
- existingSecret: ""
- ## @param spi.truststorePassword Password to access the truststore when it's password-protected
- ##
- truststorePassword: ""
- ## @param spi.truststoreFilename Truststore filename inside the existing secret
- ##
- truststoreFilename: "keycloak-spi.truststore.jks"
- ## @param spi.passwordsSecret Secret containing the SPI Truststore passwords.
- ##
- passwordsSecret: ""
- ## @param spi.hostnameVerificationPolicy Verify the hostname of the server’s certificate. Allowed values: "ANY", "WILDCARD", "STRICT".
- ##
- hostnameVerificationPolicy: ""
-
-## @param production Run Keycloak in production mode. TLS configuration is required except when using proxy=edge.
-##
-production: false
-## @param proxy reverse Proxy mode edge, reencrypt, passthrough or none
-## ref: https://www.keycloak.org/server/reverseproxy
-##
-proxy: passthrough
-## @param httpRelativePath Set the path relative to '/' for serving resources. Useful if you are migrating from older version which were using '/auth/'
-## ref: https://www.keycloak.org/migration/migrating-to-quarkus#_default_context_path_changed
-##
-httpRelativePath: "/"
-## Keycloak Service Discovery settings
-## ref: https://github.com/bitnami/containers/tree/main/bitnami/keycloak#cluster-configuration
-##
-## @param configuration Keycloak Configuration. Auto-generated based on other parameters when not specified
-## Specify content for keycloak.conf
-## NOTE: This will override configuring Keycloak based on environment variables (including those set by the chart)
-## The keycloak.conf is auto-generated based on other parameters when this parameter is not specified
-##
-## Example:
-## configuration: |-
-## foo: bar
-## baz:
-##
-configuration: ""
-## @param existingConfigmap Name of existing ConfigMap with Keycloak configuration
-## NOTE: When it's set the configuration parameter is ignored
-##
-existingConfigmap: ""
-## @param extraStartupArgs Extra default startup args
-##
-extraStartupArgs: ""
-## @param initdbScripts Dictionary of initdb scripts
-## Specify dictionary of scripts to be run at first boot
-## ref: https://github.com/bitnami/containers/tree/main/bitnami/keycloak#initializing-a-new-instance
-## Example:
-## initdbScripts:
-## my_init_script.sh: |
-## #!/bin/bash
-## echo "Do something."
-##
-initdbScripts: { }
-## @param initdbScriptsConfigMap ConfigMap with the initdb scripts (Note: Overrides `initdbScripts`)
-##
-initdbScriptsConfigMap: ""
-## @param command Override default container command (useful when using custom images)
-##
-command: [ ]
-## @param args Override default container args (useful when using custom images)
-##
-args: [ ]
-## @param extraEnvVars Extra environment variables to be set on Keycloak container
-## Example:
-## extraEnvVars:
-## - name: FOO
-## value: "bar"
-##
-extraEnvVars: [ ]
-## @param extraEnvVarsCM Name of existing ConfigMap containing extra env vars
-##
-extraEnvVarsCM: ""
-## @param extraEnvVarsSecret Name of existing Secret containing extra env vars
-##
-extraEnvVarsSecret: ""
-
-## @section Keycloak statefulset parameters
-
-## @param replicaCount Number of Keycloak replicas to deploy
-##
-replicaCount: 1
-## @param containerPorts.http Keycloak HTTP container port
-## @param containerPorts.https Keycloak HTTPS container port
-## @param containerPorts.infinispan Keycloak infinispan container port
-##
-containerPorts:
- http: 8080
- https: 8443
- infinispan: 7800
-## @param extraContainerPorts Optionally specify extra list of additional port-mappings for Keycloak container
-##
-extraContainerPorts: [ ]
-
-## Keycloak pods' SecurityContext
-## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
-## @param podSecurityContext.enabled Enabled Keycloak pods' Security Context
-## @param podSecurityContext.fsGroup Set Keycloak pod's Security Context fsGroup
-##
-podSecurityContext:
- enabled: true
- fsGroup: 1001
-## Keycloak containers' Security Context
-## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
-## @param containerSecurityContext.enabled Enabled Keycloak containers' Security Context
-## @param containerSecurityContext.runAsUser Set Keycloak container's Security Context runAsUser
-## @param containerSecurityContext.runAsNonRoot Set Keycloak container's Security Context runAsNonRoot
-##
-containerSecurityContext:
- enabled: true
- runAsUser: 1001
- runAsNonRoot: true
-## Keycloak resource requests and limits
-## ref: https://kubernetes.io/docs/user-guide/compute-resources/
-## @param resources.limits The resources limits for the Keycloak containers
-## @param resources.requests The requested resources for the Keycloak containers
-##
-resources:
- limits: { }
- requests: { }
-## Configure extra options for Keycloak containers' liveness, readiness and startup probes
-## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes
-## @param livenessProbe.enabled Enable livenessProbe on Keycloak containers
-## @param livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe
-## @param livenessProbe.periodSeconds Period seconds for livenessProbe
-## @param livenessProbe.timeoutSeconds Timeout seconds for livenessProbe
-## @param livenessProbe.failureThreshold Failure threshold for livenessProbe
-## @param livenessProbe.successThreshold Success threshold for livenessProbe
-##
-livenessProbe:
- enabled: true
- initialDelaySeconds: 300
- periodSeconds: 1
- timeoutSeconds: 5
- failureThreshold: 3
- successThreshold: 1
-## @param readinessProbe.enabled Enable readinessProbe on Keycloak containers
-## @param readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe
-## @param readinessProbe.periodSeconds Period seconds for readinessProbe
-## @param readinessProbe.timeoutSeconds Timeout seconds for readinessProbe
-## @param readinessProbe.failureThreshold Failure threshold for readinessProbe
-## @param readinessProbe.successThreshold Success threshold for readinessProbe
-##
-readinessProbe:
- enabled: true
- initialDelaySeconds: 30
- periodSeconds: 10
- timeoutSeconds: 1
- failureThreshold: 3
- successThreshold: 1
-## When enabling this, make sure to set initialDelaySeconds to 0 for livenessProbe and readinessProbe
-## @param startupProbe.enabled Enable startupProbe on Keycloak containers
-## @param startupProbe.initialDelaySeconds Initial delay seconds for startupProbe
-## @param startupProbe.periodSeconds Period seconds for startupProbe
-## @param startupProbe.timeoutSeconds Timeout seconds for startupProbe
-## @param startupProbe.failureThreshold Failure threshold for startupProbe
-## @param startupProbe.successThreshold Success threshold for startupProbe
-##
-startupProbe:
- enabled: false
- initialDelaySeconds: 30
- periodSeconds: 5
- timeoutSeconds: 1
- failureThreshold: 60
- successThreshold: 1
-## @param customLivenessProbe Custom Liveness probes for Keycloak
-##
-customLivenessProbe: { }
-## @param customReadinessProbe Custom Rediness probes Keycloak
-##
-customReadinessProbe: { }
-## @param customStartupProbe Custom Startup probes for Keycloak
-##
-customStartupProbe: { }
-## @param lifecycleHooks LifecycleHooks to set additional configuration at startup
-##
-lifecycleHooks: { }
-## @param hostAliases Deployment pod host aliases
-## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
-##
-hostAliases: [ ]
-## @param podLabels Extra labels for Keycloak pods
-## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
-##
-podLabels: { }
-## @param podAnnotations Annotations for Keycloak pods
-## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
-##
-podAnnotations: { }
-## @param podAffinityPreset Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
-## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
-##
-podAffinityPreset: ""
-## @param podAntiAffinityPreset Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
-## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
-##
-podAntiAffinityPreset: soft
-## Node affinity preset
-## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity
-##
-nodeAffinityPreset:
- ## @param nodeAffinityPreset.type Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
- ##
- type: ""
- ## @param nodeAffinityPreset.key Node label key to match. Ignored if `affinity` is set.
- ## E.g.
- ## key: "kubernetes.io/e2e-az-name"
- ##
- key: ""
- ## @param nodeAffinityPreset.values Node label values to match. Ignored if `affinity` is set.
- ## E.g.
- ## values:
- ## - e2e-az1
- ## - e2e-az2
- ##
- values: [ ]
-## @param affinity Affinity for pod assignment
-## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
-##
-affinity: { }
-## @param nodeSelector Node labels for pod assignment
-## ref: https://kubernetes.io/docs/user-guide/node-selection/
-##
-nodeSelector: { }
-## @param tolerations Tolerations for pod assignment
-## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
-##
-tolerations: [ ]
-## @param topologySpreadConstraints Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template
-## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/#spread-constraints-for-pods
-##
-topologySpreadConstraints: [ ]
-## @param podManagementPolicy Pod management policy for the Keycloak statefulset
-##
-podManagementPolicy: Parallel
-## @param priorityClassName Keycloak pods' Priority Class Name
-## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/
-##
-priorityClassName: ""
-## @param schedulerName Use an alternate scheduler, e.g. "stork".
-## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
-##
-schedulerName: ""
-## @param terminationGracePeriodSeconds Seconds Keycloak pod needs to terminate gracefully
-## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods
-##
-terminationGracePeriodSeconds: ""
-## @param updateStrategy.type Keycloak statefulset strategy type
-## @param updateStrategy.rollingUpdate Keycloak statefulset rolling update configuration parameters
-## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies
-##
-updateStrategy:
- type: RollingUpdate
- rollingUpdate: { }
-## @param extraVolumes Optionally specify extra list of additional volumes for Keycloak pods
-##
-extraVolumes: [ ]
-## @param extraVolumeMounts Optionally specify extra list of additional volumeMounts for Keycloak container(s)
-##
-extraVolumeMounts: [ ]
-## @param initContainers Add additional init containers to the Keycloak pods
-## Example:
-## initContainers:
-## - name: your-image-name
-## image: your-image
-## imagePullPolicy: Always
-## ports:
-## - name: portname
-## containerPort: 1234
-##
-initContainers: [ ]
-## @param sidecars Add additional sidecar containers to the Keycloak pods
-## Example:
-## sidecars:
-## - name: your-image-name
-## image: your-image
-## imagePullPolicy: Always
-## ports:
-## - name: portname
-## containerPort: 1234
-##
-sidecars: [ ]
-
-## @section Exposure parameters
-##
-
-## Service configuration
-##
-service:
- ## @param service.type Kubernetes service type
- ##
- type: LoadBalancer
- ## @param service.http.enabled Enable http port on service
- ##
- http:
- enabled: true
- ## @param service.ports.http Keycloak service HTTP port
- ## @param service.ports.https Keycloak service HTTPS port
- ##
- ports:
- http: 80
- https: 443
- ## @param service.nodePorts [object] Specify the nodePort values for the LoadBalancer and NodePort service types.
- ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport
- ##
- nodePorts:
- http: ""
- https: ""
- ## @param service.sessionAffinity Control where client requests go, to the same pod or round-robin
- ## Values: ClientIP or None
- ## ref: https://kubernetes.io/docs/user-guide/services/
- ##
- sessionAffinity: None
- ## @param service.sessionAffinityConfig Additional settings for the sessionAffinity
- ## sessionAffinityConfig:
- ## clientIP:
- ## timeoutSeconds: 300
- ##
- sessionAffinityConfig: { }
- ## @param service.clusterIP Keycloak service clusterIP IP
- ## e.g:
- ## clusterIP: None
- ##
- clusterIP: ""
- ## @param service.loadBalancerIP loadBalancerIP for the SuiteCRM Service (optional, cloud specific)
- ## ref: https://kubernetes.io/docs/user-guide/services/#type-loadbalancer
- ##
- loadBalancerIP: ""
- ## @param service.loadBalancerSourceRanges Address that are allowed when service is LoadBalancer
- ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
- ## Example:
- ## loadBalancerSourceRanges:
- ## - 10.10.10.0/24
- ##
- loadBalancerSourceRanges: [ ]
- ## @param service.externalTrafficPolicy Enable client source IP preservation
- ## ref https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
- ##
- externalTrafficPolicy: Cluster
- ## @param service.annotations Additional custom annotations for Keycloak service
- ##
- annotations: { }
- ## @param service.extraPorts Extra port to expose on Keycloak service
- ##
- extraPorts: [ ]
- # DEPRECATED service.extraHeadlessPorts will be removed in a future release, please use service.headless.extraPorts instead
- ## @param service.extraHeadlessPorts Extra ports to expose on Keycloak headless service
- ##
- extraHeadlessPorts: [ ]
- ## Headless service properties
- ##
- headless:
- ## @param service.headless.annotations Annotations for the headless service.
- ##
- annotations: { }
- ## @param service.headless.extraPorts Extra ports to expose on Keycloak headless service
- ##
- extraPorts: [ ]
-## Keycloak ingress parameters
-## ref: https://kubernetes.io/docs/user-guide/ingress/
-##
-ingress:
- ## @param ingress.enabled Enable ingress record generation for Keycloak
- ##
- enabled: false
- ## @param ingress.ingressClassName IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+)
- ## This is supported in Kubernetes 1.18+ and required if you have more than one IngressClass marked as the default for your cluster .
- ## ref: https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/
- ##
- ingressClassName: ""
- ## @param ingress.pathType Ingress path type
- ##
- pathType: ImplementationSpecific
- ## @param ingress.apiVersion Force Ingress API version (automatically detected if not set)
- ##
- apiVersion: ""
- ## @param ingress.hostname Default host for the ingress record (evaluated as template)
- ##
- hostname: keycloak.local
- ## @param ingress.path Default path for the ingress record
- ##
- path: /
- ## @param ingress.servicePort Backend service port to use
- ## Default is http. Alternative is https.
- ##
- servicePort: http
- ## @param ingress.annotations [object] Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations.
- ## Use this parameter to set the required annotations for cert-manager, see
- ## ref: https://cert-manager.io/docs/usage/ingress/#supported-annotations
- ## e.g:
- ## annotations:
- ## kubernetes.io/ingress.class: nginx
- ## cert-manager.io/cluster-issuer: cluster-issuer-name
- ##
- annotations: { }
- ## @param ingress.tls Enable TLS configuration for the host defined at `ingress.hostname` parameter
- ## TLS certificates will be retrieved from a TLS secret with name: `{{- printf "%s-tls" (tpl .Values.ingress.hostname .) }}`
- ## You can:
- ## - Use the `ingress.secrets` parameter to create this TLS secret
- ## - Rely on cert-manager to create it by setting the corresponding annotations
- ## - Rely on Helm to create self-signed certificates by setting `ingress.selfSigned=true`
- ##
- tls: false
- ## @param ingress.selfSigned Create a TLS secret for this ingress record using self-signed certificates generated by Helm
- ##
- selfSigned: false
- ## @param ingress.extraHosts An array with additional hostname(s) to be covered with the ingress record
- ## e.g:
- ## extraHosts:
- ## - name: keycloak.local
- ## path: /
- ##
- extraHosts: [ ]
- ## @param ingress.extraPaths Any additional arbitrary paths that may need to be added to the ingress under the main host.
- ## For example: The ALB ingress controller requires a special rule for handling SSL redirection.
- ## extraPaths:
- ## - path: /*
- ## backend:
- ## serviceName: ssl-redirect
- ## servicePort: use-annotation
- ##
- extraPaths: [ ]
- ## @param ingress.extraTls The tls configuration for additional hostnames to be covered with this ingress record.
- ## see: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
- ## extraTls:
- ## - hosts:
- ## - keycloak.local
- ## secretName: keycloak.local-tls
- ##
- extraTls: [ ]
- ## @param ingress.secrets If you're providing your own certificates, please use this to add the certificates as secrets
- ## key and certificate should start with -----BEGIN CERTIFICATE----- or
- ## -----BEGIN RSA PRIVATE KEY-----
- ##
- ## name should line up with a tlsSecret set further up
- ## If you're using cert-manager, this is unneeded, as it will create the secret for you if it is not set
- ##
- ## It is also possible to create and manage the certificates outside of this helm chart
- ## Please see README.md for more information
- ## e.g:
- ## - name: keycloak.local-tls
- ## key:
- ## certificate:
- ##
- secrets: [ ]
- ## @param ingress.extraRules Additional rules to be covered with this ingress record
- ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules
- ## e.g:
- ## extraRules:
- ## - host: airflow.local
- ## http:
- ## path: /
- ## backend:
- ## service:
- ## name: airflow-svc
- ## port:
- ## name: http
- ##
- extraRules: [ ]
-
-## Network Policy configuration
-## ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/
-##
-networkPolicy:
- ## @param networkPolicy.enabled Enable the default NetworkPolicy policy
- ##
- enabled: false
- ## @param networkPolicy.allowExternal Don't require client label for connections
- ## The Policy model to apply. When set to false, only pods with the correct
- ## client label will have network access to the ports Keycloak is listening
- ## on. When true, Keycloak will accept connections from any source
- ## (with the correct destination port).
- ##
- allowExternal: true
- ## @param networkPolicy.additionalRules Additional NetworkPolicy rules
- ## Note that all rules are OR-ed.
- ## Example:
- ## additionalRules:
- ## - matchLabels:
- ## - role: frontend
- ## - matchExpressions:
- ## - key: role
- ## operator: In
- ## values:
- ## - frontend
- ##
- additionalRules: { }
-
-## @section RBAC parameter
-## Specifies whether a ServiceAccount should be created
-##
-serviceAccount:
- ## @param serviceAccount.create Enable the creation of a ServiceAccount for Keycloak pods
- ##
- create: true
- ## @param serviceAccount.name Name of the created ServiceAccount
- ## If not set and create is true, a name is generated using the fullname template
- ##
- name: ""
- ## @param serviceAccount.automountServiceAccountToken Auto-mount the service account token in the pod
- ##
- automountServiceAccountToken: true
- ## @param serviceAccount.annotations Additional custom annotations for the ServiceAccount
- ##
- annotations: { }
- ## @param serviceAccount.extraLabels Additional labels for the ServiceAccount
- ##
- extraLabels: { }
-## Specifies whether RBAC resources should be created
-##
-rbac:
- ## @param rbac.create Whether to create and use RBAC resources or not
- ##
- create: false
- ## @param rbac.rules Custom RBAC rules
- ## Example:
- ## rules:
- ## - apiGroups:
- ## - ""
- ## resources:
- ## - pods
- ## verbs:
- ## - get
- ## - list
- ##
- rules: [ ]
-
-## @section Other parameters
-##
-
-## Keycloak Pod Disruption Budget configuration
-## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/
-##
-pdb:
- ## @param pdb.create Enable/disable a Pod Disruption Budget creation
- ##
- create: false
- ## @param pdb.minAvailable Minimum number/percentage of pods that should remain scheduled
- ##
- minAvailable: 1
- ## @param pdb.maxUnavailable Maximum number/percentage of pods that may be made unavailable
- ##
- maxUnavailable: ""
-## Keycloak Autoscaling configuration
-## @param autoscaling.enabled Enable autoscaling for Keycloak
-## @param autoscaling.minReplicas Minimum number of Keycloak replicas
-## @param autoscaling.maxReplicas Maximum number of Keycloak replicas
-## @param autoscaling.targetCPU Target CPU utilization percentage
-## @param autoscaling.targetMemory Target Memory utilization percentage
-##
-autoscaling:
- enabled: false
- minReplicas: 1
- maxReplicas: 11
- targetCPU: ""
- targetMemory: ""
-
-## @section Metrics parameters
-##
-
-## Metrics configuration
-##
-metrics:
- ## @param metrics.enabled Enable exposing Keycloak statistics
- ## ref: https://github.com/bitnami/containers/tree/main/bitnami/keycloak#enabling-statistics
- ##
- enabled: false
- ## Keycloak metrics service parameters
- ##
- service:
- ## @param metrics.service.ports.http Metrics service HTTP port
- ##
- ports:
- http: 8080
- ## @param metrics.service.annotations [object] Annotations for enabling prometheus to access the metrics endpoints
- ##
- annotations:
- prometheus.io/scrape: "true"
- prometheus.io/port: "{{ .Values.metrics.service.ports.http }}"
- ## Prometheus Operator ServiceMonitor configuration
- ##
- serviceMonitor:
- ## @param metrics.serviceMonitor.enabled Create ServiceMonitor Resource for scraping metrics using PrometheusOperator
- ##
- enabled: false
- ## @param metrics.serviceMonitor.port Metrics service HTTP port
- ##
- port: http
- ## @param metrics.serviceMonitor.endpoints [array] The endpoint configuration of the ServiceMonitor. Path is mandatory. Interval, timeout and labellings can be overwritten.
- ##
- endpoints:
- - path: /metrics
- - path: /realms/master/metrics
- ## @param metrics.serviceMonitor.path Metrics service HTTP path. Deprecated: Use @param metrics.serviceMonitor.endpoints instead
- ##
- path: ""
- ## @param metrics.serviceMonitor.namespace Namespace which Prometheus is running in
- ##
- namespace: ""
- ## @param metrics.serviceMonitor.interval Interval at which metrics should be scraped
- ##
- interval: 30s
- ## @param metrics.serviceMonitor.scrapeTimeout Specify the timeout after which the scrape is ended
- ## e.g:
- ## scrapeTimeout: 30s
- ##
- scrapeTimeout: ""
- ## @param metrics.serviceMonitor.labels Additional labels that can be used so ServiceMonitor will be discovered by Prometheus
- ##
- labels: { }
- ## @param metrics.serviceMonitor.selector Prometheus instance selector labels
- ## ref: https://github.com/bitnami/charts/tree/main/bitnami/prometheus-operator#prometheus-configuration
- ##
- selector: { }
- ## @param metrics.serviceMonitor.relabelings RelabelConfigs to apply to samples before scraping
- ##
- relabelings: [ ]
- ## @param metrics.serviceMonitor.metricRelabelings MetricRelabelConfigs to apply to samples before ingestion
- ##
- metricRelabelings: [ ]
- ## @param metrics.serviceMonitor.honorLabels honorLabels chooses the metric's labels on collisions with target labels
- ##
- honorLabels: false
- ## @param metrics.serviceMonitor.jobLabel The name of the label on the target service to use as the job name in prometheus.
- ##
- jobLabel: ""
- ## Prometheus Operator alert rules configuration
- ##
- prometheusRule:
- ## @param metrics.prometheusRule.enabled Create PrometheusRule Resource for scraping metrics using PrometheusOperator
- ##
- enabled: false
- ## @param metrics.prometheusRule.namespace Namespace which Prometheus is running in
- ##
- namespace: ""
- ## @param metrics.prometheusRule.labels Additional labels that can be used so PrometheusRule will be discovered by Prometheus
- ##
- labels: { }
- ## @param metrics.prometheusRule.groups Groups, containing the alert rules.
- ## Example:
- ## groups:
- ## - name: Keycloak
- ## rules:
- ## - alert: KeycloakInstanceNotAvailable
- ## annotations:
- ## message: "Keycloak instance in namespace {{ `{{` }} $labels.namespace {{ `}}` }} has not been available for the last 5 minutes."
- ## expr: |
- ## absent(kube_pod_status_ready{namespace="{{ include "common.names.namespace" . }}", condition="true"} * on (pod) kube_pod_labels{pod=~"{{ include "common.names.fullname" . }}-\\d+", namespace="{{ include "common.names.namespace" . }}"}) != 0
- ## for: 5m
- ## labels:
- ## severity: critical
- groups: [ ]
## @section keycloak-config-cli parameters
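Review bot: dropping the `metrics.service.annotations` (`prometheus.io/scrape: "true"`, `prometheus.io/port`) and `metrics.serviceMonitor.endpoints` (`/metrics`, `/realms/master/metrics`) defaults is a no-op at runtime only because `metrics.enabled` was `false`; if metrics are switched on later, the scrape port, paths and ServiceMonitor labelling will come from the upstream chart's defaults rather than from anything in this file, and the same holds for `autoscaling` (`maxReplicas: 11`, empty CPU/memory targets). Suggest a one-line comment above `## @section keycloak-config-cli parameters` stating that autoscaling and metrics are intentionally left at upstream chart defaults, so the next reader does not have to diff this overlay against bitnami/keycloak to discover it.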
@@ -823,141 +22,12 @@
## @param keycloakConfigCli.enabled Whether to enable keycloak-config-cli job
##
enabled: true
- ## Bitnami keycloak-config-cli image
- ## ref: https://hub.docker.com/r/bitnami/keycloak-config-cli/tags/
- ## @param keycloakConfigCli.image.registry keycloak-config-cli container image registry
- ## @param keycloakConfigCli.image.repository keycloak-config-cli container image repository
- ## @param keycloakConfigCli.image.tag keycloak-config-cli container image tag
- ## @param keycloakConfigCli.image.digest keycloak-config-cli container image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag
- ## @param keycloakConfigCli.image.pullPolicy keycloak-config-cli container image pull policy
- ## @param keycloakConfigCli.image.pullSecrets keycloak-config-cli container image pull secrets
- ##
- image:
- registry: docker.io
- repository: bitnami/keycloak-config-cli
- tag: 5.6.1-debian-11-r5
- digest: ""
- ## Specify a imagePullPolicy
- ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
- ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images
- ##
- pullPolicy: IfNotPresent
- ## Optionally specify an array of imagePullSecrets.
- ## Secrets must be manually created in the namespace.
- ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
- ## e.g:
- ## pullSecrets:
- ## - myRegistryKeySecretName
- ##
- pullSecrets: [ ]
- ## @param keycloakConfigCli.annotations [object] Annotations for keycloak-config-cli job
- ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
- ##
- annotations:
- helm.sh/hook: "post-install,post-upgrade,post-rollback"
- helm.sh/hook-delete-policy: "hook-succeeded,before-hook-creation"
- helm.sh/hook-weight: "5"
## @param keycloakConfigCli.command Command for running the container (set to default if not set). Use array form
##
command:
- java
- -jar
- /opt/bitnami/keycloak-config-cli/keycloak-config-cli.jar
- ## @param keycloakConfigCli.args Args for running the container (set to default if not set). Use array form
- ##
- args: [ ]
- ## @param keycloakConfigCli.hostAliases Job pod host aliases
- ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
- ##
- hostAliases: [ ]
- ## Keycloak config CLI resource requests and limits
- ## ref: https://kubernetes.io/docs/user-guide/compute-resources/
- ## @param keycloakConfigCli.resources.limits The resources limits for the keycloak-config-cli container
- ## @param keycloakConfigCli.resources.requests The requested resources for the keycloak-config-cli container
- ##
- resources:
- limits: { }
- requests: { }
- ## keycloak-config-cli containers' Security Context
- ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
- ## @param keycloakConfigCli.containerSecurityContext.enabled Enabled keycloak-config-cli containers' Security Context
- ## @param keycloakConfigCli.containerSecurityContext.runAsUser Set keycloak-config-cli container's Security Context runAsUser
- ## @param keycloakConfigCli.containerSecurityContext.runAsNonRoot Set keycloak-config-cli container's Security Context runAsNonRoot
- ##
- containerSecurityContext:
- enabled: true
- runAsUser: 1001
- runAsNonRoot: true
- ## keycloak-config-cli pods' Security Context
- ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
- ## @param keycloakConfigCli.podSecurityContext.enabled Enabled keycloak-config-cli pods' Security Context
- ## @param keycloakConfigCli.podSecurityContext.fsGroup Set keycloak-config-cli pod's Security Context fsGroup
- ##
- podSecurityContext:
- enabled: true
- fsGroup: 1001
- ## @param keycloakConfigCli.backoffLimit Number of retries before considering a Job as failed
- ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy
- ##
- backoffLimit: 1
- ## @param keycloakConfigCli.podLabels Pod extra labels
- ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
- ##
- podLabels: { }
- ## @param keycloakConfigCli.podAnnotations Annotations for job pod
- ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
- ##
- podAnnotations: { }
- ## @param keycloakConfigCli.extraEnvVars Additional environment variables to set
- ## Example:
- ## extraEnvVars:
- ## - name: FOO
- ## value: "bar"
- ##
- ## @param keycloakConfigCli.nodeSelector Node labels for pod assignment
- ## ref: https://kubernetes.io/docs/user-guide/node-selection/
- ##
- nodeSelector: { }
- ##
- ## @param keycloakConfigCli.podTolerations Tolerations for job pod assignment
- ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
- ##
- podTolerations: [ ]
- extraEnvVars: [ ]
- ## @param keycloakConfigCli.extraEnvVarsCM ConfigMap with extra environment variables
- ##
- extraEnvVarsCM: ""
- ## @param keycloakConfigCli.extraEnvVarsSecret Secret with extra environment variables
- ##
- extraEnvVarsSecret: ""
- ## @param keycloakConfigCli.extraVolumes Extra volumes to add to the job
- ##
- extraVolumes: [ ]
- ## @param keycloakConfigCli.extraVolumeMounts Extra volume mounts to add to the container
- ##
- extraVolumeMounts: [ ]
- ## @param keycloakConfigCli.initContainers Add additional init containers to the Keycloak config cli pod
- ## Example:
- ## initContainers:
- ## - name: your-image-name
- ## image: your-image
- ## imagePullPolicy: Always
- ## ports:
- ## - name: portname
- ## containerPort: 1234
- ##
- initContainers: [ ]
- ## @param keycloakConfigCli.sidecars Add additional sidecar containers to the Keycloak config cli pod
- ## Example:
- ## sidecars:
- ## - name: your-image-name
- ## image: your-image
- ## imagePullPolicy: Always
- ## ports:
- ## - name: portname
- ## containerPort: 1234
- ##
- sidecars: [ ]
## @param keycloakConfigCli.configuration keycloak-config-cli realms configuration
## NOTE: nil keys will be considered files to import locally
## Example:
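Review bot: the keycloak-config-cli `containerSecurityContext` (`runAsUser: 1001`, `runAsNonRoot: true`), `podSecurityContext` (`fsGroup: 1001`) and the pinned image tag `5.6.1-debian-11-r5` are removed, while the `command:` override with the hard-coded path `/opt/bitnami/keycloak-config-cli/keycloak-config-cli.jar` is kept. That leaves the overlay depending on the upstream chart both for the non-root settings of the job pod and for the image whose filesystem layout the retained command assumes, so a chart version bump can change either without any change to this file. Suggest either dropping `command` as well if it equals the chart default, or keeping it with a comment explaining why it is overridden, and pinning the chart version on the `helm install` line so the security context and image tag the overlay now inherits are the ones that were reviewed.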
@@ -1237,80 +307,4 @@
}
]
}
- ## @param keycloakConfigCli.existingConfigmap ConfigMap with keycloak-config-cli configuration. This will override `keycloakConfigCli.config`
- ## NOTE: This will override keycloakConfigCli.configuration
- ##
- existingConfigmap: ""
- ## Automatic Cleanup for Finished Jobs
- ## @param keycloakConfigCli.cleanupAfterFinished.enabled Enables Cleanup for Finished Jobs
- ## @param keycloakConfigCli.cleanupAfterFinished.seconds Sets the value of ttlSecondsAfterFinished
- ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/
- ##
- cleanupAfterFinished:
- enabled: false
- seconds: 600
-## @section Database parameters
-
-## PostgreSQL chart configuration
-## ref: https://github.com/bitnami/charts/blob/main/bitnami/postgresql/values.yaml
-## @param postgresql.enabled Switch to enable or disable the PostgreSQL helm chart
-## @param postgresql.auth.postgresPassword Password for the "postgres" admin user. Ignored if `auth.existingSecret` with key `postgres-password` is provided
-## @param postgresql.auth.username Name for a custom user to create
-## @param postgresql.auth.password Password for the custom user to create
-## @param postgresql.auth.database Name for a custom database to create
-## @param postgresql.auth.existingSecret Name of existing secret to use for PostgreSQL credentials
-## @param postgresql.architecture PostgreSQL architecture (`standalone` or `replication`)
-##
-postgresql:
- enabled: true
- auth:
- postgresPassword: ""
- username: bn_keycloak
- password: ""
- database: bitnami_keycloak
- existingSecret: ""
- architecture: standalone
-## External PostgreSQL configuration
-## All of these values are only used when postgresql.enabled is set to false
-## @param externalDatabase.host Database host
-## @param externalDatabase.port Database port number
-## @param externalDatabase.user Non-root username for Keycloak
-## @param externalDatabase.password Password for the non-root username for Keycloak
-## @param externalDatabase.database Keycloak database name
-## @param externalDatabase.existingSecret Name of an existing secret resource containing the database credentials
-## @param externalDatabase.existingSecretPasswordKey Name of an existing secret key containing the database credentials
-##
-externalDatabase:
- host: ""
- port: 5432
- user: bn_keycloak
- database: bitnami_keycloak
- password: ""
- existingSecret: ""
- existingSecretPasswordKey: ""
-
-## @section Keycloak Cache parameters
-
-## Keycloak cache configuration
-## ref: https://www.keycloak.org/server/caching
-## @param cache.enabled Switch to enable or disable the keycloak distributed cache for kubernetes.
-## NOTE: Set to false to use 'local' cache (only supported when replicaCount=1).
-## @param cache.stackName Set infinispan cache stack to use
-## @param cache.stackFile Set infinispan cache stack filename to use
-##
-cache:
- enabled: true
- stackName: kubernetes
- stackFile: ""
-
-## @section Keycloak Logging parameters
-
-## Keycloak logging configuration
-## ref: https://www.keycloak.org/server/logging
-## @param logging.output Alternates between the default log output format or json format
-## @param logging.level Allowed values as documented: FATAL, ERROR, WARN, INFO, DEBUG, TRACE, ALL, OFF
-##
-logging:
- output: default
- level: INFO
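Review bot: removing `postgresql.auth.*` (`postgresPassword: ""`, `password: ""`, `existingSecret: ""`, `architecture: standalone`) together with `externalDatabase`, `cache` (`stackName: kubernetes`) and `logging` (`level: INFO`) means database credentials, cache stack and log level are now whatever the upstream chart defaults happen to be, and nothing in the retained lines records whether the PostgreSQL subchart is still enabled by default. Suggest a short comment at the top of values.yaml (or a minimal `postgresql:` block) stating which upstream chart version these defaults were verified against, and, if credentials are meant to come from a pre-created Secret rather than be chart-generated, keeping `postgresql.auth.existingSecret` set explicitly instead of relying on the default.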