-
-
Notifications
You must be signed in to change notification settings - Fork 3
/
keycloak_argocd_appset.yaml
288 lines (275 loc) · 14.1 KB
/
keycloak_argocd_appset.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
---
# webapp is deployed 2nd because we need secrets and persistent volumes up 1st
apiVersion: argoproj.io/v1alpha1
kind: ApplicationSet
metadata:
name: keycloak-web-app-set
namespace: argocd
annotations:
argocd.argoproj.io/sync-wave: "2"
spec:
# generator allows us to source specific values from an external k8s secret
generators:
- plugin:
configMapRef:
name: secret-var-plugin-generator
input:
parameters:
secret_vars:
- keycloak_hostname
- keycloak_default_realm
- keycloak_client
- keycloak_admin_user
- global_cluster_issuer
template:
metadata:
name: keycloak-web-app
spec:
project: keycloak
destination:
server: https://kubernetes.default.svc
namespace: keycloak
source:
repoURL: registry-1.docker.io
chart: bitnamicharts/keycloak
targetRevision: 24.3.2
helm:
values: |
## ref: https://github.com/bitnami/containers/tree/main/bitnami/keycloak#admin-credentials
auth:
## @param auth.adminUser Keycloak administrator user
adminUser: {{ .keycloak_admin_user }}
## @param auth.existingSecret Existing secret containing Keycloak admin password
existingSecret: "keycloak-admin-credentials"
## @param auth.passwordSecretKey Key where the Keycloak admin password is being stored inside the existing secret.
passwordSecretKey: "password"
## ref: https://github.com/bitnami/containers/tree/main/bitnami/keycloak#tls-encryption
# set to false so we can use ingress-nginx for TLS termination instead
tls:
enabled: false
## @param production Run Keycloak in production mode. TLS configuration is required except when using proxy=edge.
production: true
## @param proxy reverse Proxy mode edge, reencrypt, passthrough or none
## ref: https://www.keycloak.org/server/reverseproxy
# this has to be set to edge to use tls via the ingress controller
proxy: edge
## Keycloak Service Discovery settings
## ref: https://github.com/bitnami/containers/tree/main/bitnami/keycloak#cluster-configuration
##
## @param configuration Keycloak Configuration. Auto-generated based on other parameters when not specified
## Specify content for keycloak.conf
## NOTE: This will override configuring Keycloak based on environment variables (including those set by the chart)
## The keycloak.conf is auto-generated based on other parameters when this parameter is not specified
##
## Example:
## configuration: |-
## foo: bar
## baz:
configuration: ""
## @param existingConfigmap Name of existing ConfigMap with Keycloak configuration
## NOTE: When it's set the configuration parameter is ignored
existingConfigmap: ""
## @param extraStartupArgs Extra default startup args
extraStartupArgs: ""
## @param initdbScripts Dictionary of initdb scripts
## Specify dictionary of scripts to be run at first boot
## ref: https://github.com/bitnami/containers/tree/main/bitnami/keycloak#initializing-a-new-instance
## Example:
## initdbScripts:
## my_init_script.sh: |
## #!/bin/bash
## echo "Do something."
initdbScripts: []
## @param initdbScriptsConfigMap ConfigMap with the initdb scripts (Note: Overrides `initdbScripts`)
initdbScriptsConfigMap: ""
## @param command Override default container command (useful when using custom images)
command: []
## @param args Override default container args (useful when using custom images)
args: []
## @param extraEnvVars Extra environment variables to be set on Keycloak container
extraEnvVars:
- name: KC_SPI_ADMIN_REALM
value: "{{ .keycloak_realm }}"
## @param extraEnvVarsCM Name of existing ConfigMap containing extra env vars
extraEnvVarsCM: ""
## @param extraEnvVarsSecret Name of existing Secret containing extra env vars
extraEnvVarsSecret: ""
## Keycloak resource requests and limits
## ref: https://kubernetes.io/docs/user-guide/compute-resources/
resources:
limits: {}
requests: {}
## Configure extra options for Keycloak containers' liveness, readiness and startup probes
livenessProbe:
enabled: true
initialDelaySeconds: 300
periodSeconds: 1
timeoutSeconds: 5
failureThreshold: 3
successThreshold: 1
readinessProbe:
enabled: true
initialDelaySeconds: 30
periodSeconds: 10
timeoutSeconds: 1
failureThreshold: 3
successThreshold: 1
## When enabling this, make sure to set initialDelaySeconds to 0 for livenessProbe and readinessProbe
startupProbe:
enabled: false
initialDelaySeconds: 30
periodSeconds: 5
timeoutSeconds: 1
failureThreshold: 60
successThreshold: 1
## @param lifecycleHooks LifecycleHooks to set additional configuration at startup
lifecycleHooks: {}
## @param podAffinityPreset Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
podAffinityPreset: ""
## @param podAntiAffinityPreset Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
podAntiAffinityPreset: soft
## @param podManagementPolicy Pod management policy for the Keycloak statefulset
podManagementPolicy: Parallel
## @param priorityClassName Keycloak pods' Priority Class Name
## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/
priorityClassName: ""
## @param schedulerName Use an alternate scheduler, e.g. "stork".
## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
schedulerName: ""
## Service configuration
service:
## @param service.type Kubernetes service type
type: ClusterIP
## @param service.http.enabled Enable http port on service
http:
enabled: true
## @param service.ports.http Keycloak service HTTP port
## @param service.ports.https Keycloak service HTTPS port
ports:
http: 80
https: 443
## Keycloak ingress parameters
## ref: https://kubernetes.io/docs/user-guide/ingress/
ingress:
## @param ingress.enabled Enable ingress record generation for Keycloak
enabled: true
## @param ingress.ingressClassName IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+)
## This is supported in Kubernetes 1.18+ and required if you have more than one IngressClass marked as the default for your cluster .
## ref: https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/
ingressClassName: "nginx"
## @param ingress.hostname Default host for the ingress record (evaluated as template)
hostname: {{ .keycloak_hostname }}
## @param ingress.path [string] Default path for the ingress record (evaluated as template)
path: "{{ .Values.httpRelativePath }}"
## @param ingress.servicePort Backend service port to use
## Default is http. Alternative is https.
servicePort: http
## @param ingress.annotations [object] Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations.
## Use this parameter to set the required annotations for cert-manager, see
## ref: https://cert-manager.io/docs/usage/ingress/#supported-annotations
## e.g:
## annotations:
## kubernetes.io/ingress.class: nginx
## cert-manager.io/cluster-issuer: cluster-issuer-name
annotations:
cert-manager.io/cluster-issuer: "{{ .global_cluster_issuer }}"
## @param ingress.labels Additional labels for the Ingress resource.
## e.g:
## labels:
## app: keycloak
labels: {}
## @param ingress.tls Enable TLS configuration for the host defined at `ingress.hostname` parameter
## TLS certificates will be retrieved from a TLS secret with name: `{{- printf "%s-tls" (tpl .Values.ingress.hostname .) }}`
## You can:
## - Use the `ingress.secrets` parameter to create this TLS secret
## - Rely on cert-manager to create it by setting the corresponding annotations
## - Rely on Helm to create self-signed certificates by setting `ingress.selfSigned=true`
tls: true
## @param ingress.selfSigned Create a TLS secret for this ingress record using self-signed certificates generated by Helm
selfSigned: false
## Network Policy configuration
## ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/
networkPolicy:
## @param networkPolicy.enabled Enable the default NetworkPolicy policy
enabled: true
## @param networkPolicy.allowExternal Don't require client label for connections
## The Policy model to apply. When set to false, only pods with the correct
## client label will have network access to the ports Keycloak is listening
## on. When true, Keycloak will accept connections from any source
## (with the correct destination port).
allowExternal: true
## @param networkPolicy.additionalRules Additional NetworkPolicy rules
## Note that all rules are OR-ed.
## Example:
## additionalRules:
## - matchLabels:
## - role: frontend
## - matchExpressions:
## - key: role
## operator: In
## values:
## - frontend
additionalRules: {}
## @section RBAC parameter
## Specifies whether a ServiceAccount should be created
serviceAccount:
## @param serviceAccount.create Enable the creation of a ServiceAccount for Keycloak pods
create: true
## Specifies whether RBAC resources should be created
rbac:
## @param rbac.create Whether to create and use RBAC resources or not
create: true
## Metrics configuration
metrics:
## @param metrics.enabled Enable exposing Keycloak statistics
## ref: https://github.com/bitnami/containers/tree/main/bitnami/keycloak#enabling-statistics
enabled: true
## Prometheus Operator ServiceMonitor configuration
serviceMonitor:
## @param metrics.serviceMonitor.enabled Create ServiceMonitor Resource for scraping metrics using PrometheusOperator
enabled: true
## Prometheus Operator alert rules configuration
prometheusRule:
## @param metrics.prometheusRule.enabled Create PrometheusRule Resource for scraping metrics using PrometheusOperator
enabled: false
## Configuration for keycloak-config-cli
## ref: https://github.com/adorsys/keycloak-config-cli
keycloakConfigCli:
## @param keycloakConfigCli.enabled Whether to enable keycloak-config-cli job
enabled: false
## PostgreSQL chart configuration
## ref: https://github.com/bitnami/charts/blob/main/bitnami/postgresql/values.yaml
postgresql:
enabled: true
architecture: standalone
auth:
username: keycloak
database: keycloak
existingSecret: keycloak-postgres-credentials
passwordSecretKey: POSTGRES_USER_PASSWORD
volumePermissions:
enabled: true
primary:
podAnnotations:
k8up.io/backupcommand: "sh -c 'PGDATABASE=\"$POSTGRES_DB\" PGUSER=\"$POSTGRES_USER\" PGPASSWORD=\"$POSTGRES_PASSWORD\" pg_dump --clean'"
k8up.io/file-extension: .sql
pgHbaConfiguration: |-
local all all trust
host all all 127.0.0.1/32 md5
host all keycloak 10.0.0.0/8 md5
initdb:
scripts:
my_init_script.sql: |
ALTER DATABASE keycloak OWNER TO keycloak;
GRANT ALL PRIVILEGES ON DATABASE keycloak TO keycloak;
GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO keycloak;
persistence:
enabled: true
# Use an existing Persistent Volume Claim (must be created ahead of time)
existingClaim: "keycloak-postgresql"
## Keycloak logging configuration
logging:
output: default
level: INFO