Mohammed Naser | 7d1623e | 2024-06-17 09:12:39 -0400 | [diff] [blame] | 1 | # Copyright Broadcom, Inc. All Rights Reserved. |
Oleksandr Kozachenko | b009349 | 2023-09-06 21:43:47 +0200 | [diff] [blame] | 2 | # SPDX-License-Identifier: APACHE-2.0 |
| 3 | |
| 4 | ## @section Global parameters |
| 5 | ## Global Docker image parameters |
| 6 | ## Please, note that this will override the image parameters, including dependencies, configured to use the global value |
| 7 | ## Current available global Docker image parameters: imageRegistry, imagePullSecrets and storageClass |
| 8 | ## |
| 9 | |
| 10 | ## @param global.imageRegistry Global Docker image registry |
| 11 | ## @param global.imagePullSecrets Global Docker registry secret names as an array |
| 12 | ## @param global.storageClass Global StorageClass for Persistent Volume(s) |
| 13 | ## |
| 14 | global: |
| 15 | imageRegistry: "" |
| 16 | ## E.g. |
| 17 | ## imagePullSecrets: |
| 18 | ## - myRegistryKeySecretName |
| 19 | ## |
| 20 | imagePullSecrets: [] |
| 21 | storageClass: "" |
Mohammed Naser | 65cda13 | 2024-05-02 14:34:08 -0400 | [diff] [blame] | 22 | ## Compatibility adaptations for Kubernetes platforms |
| 23 | ## |
| 24 | compatibility: |
| 25 | ## Compatibility adaptations for Openshift |
| 26 | ## |
| 27 | openshift: |
| 28 | ## @param global.compatibility.openshift.adaptSecurityContext Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) |
| 29 | ## |
| 30 | adaptSecurityContext: auto |
Oleksandr Kozachenko | b009349 | 2023-09-06 21:43:47 +0200 | [diff] [blame] | 31 | ## @section Common parameters |
| 32 | ## |
| 33 | |
| 34 | ## @param kubeVersion Force target Kubernetes version (using Helm capabilities if not set) |
| 35 | ## |
| 36 | kubeVersion: "" |
| 37 | ## @param nameOverride String to partially override common.names.fullname |
| 38 | ## |
| 39 | nameOverride: "" |
| 40 | ## @param fullnameOverride String to fully override common.names.fullname |
| 41 | ## |
| 42 | fullnameOverride: "" |
| 43 | ## @param namespaceOverride String to fully override common.names.namespace |
| 44 | ## |
| 45 | namespaceOverride: "" |
| 46 | ## @param commonLabels Labels to add to all deployed objects |
| 47 | ## |
| 48 | commonLabels: {} |
| 49 | ## @param enableServiceLinks If set to false, disable Kubernetes service links in the pod spec |
| 50 | ## Ref: https://kubernetes.io/docs/tutorials/services/connect-applications-service/#accessing-the-service |
| 51 | ## |
| 52 | enableServiceLinks: true |
| 53 | ## @param commonAnnotations Annotations to add to all deployed objects |
| 54 | ## |
| 55 | commonAnnotations: {} |
| 56 | ## @param dnsPolicy DNS Policy for pod |
| 57 | ## ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/ |
| 58 | ## E.g. |
| 59 | ## dnsPolicy: ClusterFirst |
| 60 | dnsPolicy: "" |
| 61 | ## @param dnsConfig DNS Configuration pod |
| 62 | ## ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/ |
| 63 | ## E.g. |
| 64 | ## dnsConfig: |
| 65 | ## options: |
| 66 | ## - name: ndots |
| 67 | ## value: "4" |
| 68 | dnsConfig: {} |
| 69 | ## @param clusterDomain Default Kubernetes cluster domain |
| 70 | ## |
| 71 | clusterDomain: cluster.local |
| 72 | ## @param extraDeploy Array of extra objects to deploy with the release |
| 73 | ## |
| 74 | extraDeploy: [] |
| 75 | ## Enable diagnostic mode in the statefulset |
| 76 | ## |
| 77 | diagnosticMode: |
| 78 | ## @param diagnosticMode.enabled Enable diagnostic mode (all probes will be disabled and the command will be overridden) |
| 79 | ## |
| 80 | enabled: false |
| 81 | ## @param diagnosticMode.command Command to override all containers in the the statefulset |
| 82 | ## |
| 83 | command: |
| 84 | - sleep |
| 85 | ## @param diagnosticMode.args Args to override all containers in the the statefulset |
| 86 | ## |
| 87 | args: |
| 88 | - infinity |
Oleksandr Kozachenko | b009349 | 2023-09-06 21:43:47 +0200 | [diff] [blame] | 89 | ## @section Keycloak parameters |
| 90 | |
| 91 | ## Bitnami Keycloak image version |
| 92 | ## ref: https://hub.docker.com/r/bitnami/keycloak/tags/ |
Mohammed Naser | 65cda13 | 2024-05-02 14:34:08 -0400 | [diff] [blame] | 93 | ## @param image.registry [default: REGISTRY_NAME] Keycloak image registry |
| 94 | ## @param image.repository [default: REPOSITORY_NAME/keycloak] Keycloak image repository |
| 95 | ## @skip image.tag Keycloak image tag (immutable tags are recommended) |
Oleksandr Kozachenko | b009349 | 2023-09-06 21:43:47 +0200 | [diff] [blame] | 96 | ## @param image.digest Keycloak image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag |
| 97 | ## @param image.pullPolicy Keycloak image pull policy |
| 98 | ## @param image.pullSecrets Specify docker-registry secret names as an array |
| 99 | ## @param image.debug Specify if debug logs should be enabled |
| 100 | ## |
| 101 | image: |
| 102 | registry: docker.io |
| 103 | repository: bitnami/keycloak |
Mohammed Naser | 7d1623e | 2024-06-17 09:12:39 -0400 | [diff] [blame] | 104 | tag: 24.0.5-debian-12-r0 |
Oleksandr Kozachenko | b009349 | 2023-09-06 21:43:47 +0200 | [diff] [blame] | 105 | digest: "" |
| 106 | ## Specify a imagePullPolicy |
| 107 | ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' |
Mohammed Naser | 65cda13 | 2024-05-02 14:34:08 -0400 | [diff] [blame] | 108 | ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images |
Oleksandr Kozachenko | b009349 | 2023-09-06 21:43:47 +0200 | [diff] [blame] | 109 | ## |
| 110 | pullPolicy: IfNotPresent |
| 111 | ## Optionally specify an array of imagePullSecrets. |
| 112 | ## Secrets must be manually created in the namespace. |
| 113 | ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ |
| 114 | ## Example: |
| 115 | ## pullSecrets: |
| 116 | ## - myRegistryKeySecretName |
| 117 | ## |
| 118 | pullSecrets: [] |
| 119 | ## Set to true if you would like to see extra information on logs |
| 120 | ## |
| 121 | debug: false |
| 122 | ## Keycloak authentication parameters |
| 123 | ## ref: https://github.com/bitnami/containers/tree/main/bitnami/keycloak#admin-credentials |
| 124 | ## |
| 125 | auth: |
| 126 | ## @param auth.adminUser Keycloak administrator user |
| 127 | ## |
| 128 | adminUser: user |
| 129 | ## @param auth.adminPassword Keycloak administrator password for the new user |
| 130 | ## |
| 131 | adminPassword: "" |
| 132 | ## @param auth.existingSecret Existing secret containing Keycloak admin password |
| 133 | ## |
| 134 | existingSecret: "" |
| 135 | ## @param auth.passwordSecretKey Key where the Keycloak admin password is being stored inside the existing secret. |
| 136 | ## |
| 137 | passwordSecretKey: "" |
Mohammed Naser | 65cda13 | 2024-05-02 14:34:08 -0400 | [diff] [blame] | 138 | ## @param auth.annotations Additional custom annotations for Keycloak auth secret object |
| 139 | ## |
| 140 | annotations: {} |
Oleksandr Kozachenko | b009349 | 2023-09-06 21:43:47 +0200 | [diff] [blame] | 141 | ## HTTPS settings |
| 142 | ## ref: https://github.com/bitnami/containers/tree/main/bitnami/keycloak#tls-encryption |
| 143 | ## |
| 144 | tls: |
| 145 | ## @param tls.enabled Enable TLS encryption. Required for HTTPs traffic. |
| 146 | ## |
| 147 | enabled: false |
| 148 | ## @param tls.autoGenerated Generate automatically self-signed TLS certificates. Currently only supports PEM certificates |
| 149 | ## |
| 150 | autoGenerated: false |
| 151 | ## @param tls.existingSecret Existing secret containing the TLS certificates per Keycloak replica |
| 152 | ## Create this secret following the steps below: |
| 153 | ## 1) Generate your truststore and keystore files (more info at https://www.keycloak.org/docs/latest/server_installation/#_setting_up_ssl) |
| 154 | ## 2) Rename your truststore to `keycloak.truststore.jks` or use a different name overwriting the value 'tls.truststoreFilename'. |
| 155 | ## 3) Rename your keystores to `keycloak.keystore.jks` or use a different name overwriting the value 'tls.keystoreFilename'. |
| 156 | ## 4) Run the command below where SECRET_NAME is the name of the secret you want to create: |
| 157 | ## kubectl create secret generic SECRET_NAME --from-file=./keycloak.truststore.jks --from-file=./keycloak.keystore.jks |
| 158 | ## NOTE: If usePem enabled, make sure the PEM key and cert are named 'tls.key' and 'tls.crt' respectively. |
| 159 | ## |
| 160 | existingSecret: "" |
| 161 | ## @param tls.usePem Use PEM certificates as input instead of PKS12/JKS stores |
| 162 | ## If "true", the Keycloak chart will look for the files keycloak.key and keycloak.crt inside the secret provided with 'existingSecret'. |
| 163 | ## |
| 164 | usePem: false |
| 165 | ## @param tls.truststoreFilename Truststore filename inside the existing secret |
| 166 | ## |
| 167 | truststoreFilename: "keycloak.truststore.jks" |
| 168 | ## @param tls.keystoreFilename Keystore filename inside the existing secret |
| 169 | ## |
| 170 | keystoreFilename: "keycloak.keystore.jks" |
| 171 | ## @param tls.keystorePassword Password to access the keystore when it's password-protected |
| 172 | ## |
| 173 | keystorePassword: "" |
| 174 | ## @param tls.truststorePassword Password to access the truststore when it's password-protected |
| 175 | ## |
| 176 | truststorePassword: "" |
| 177 | ## @param tls.passwordsSecret Secret containing the Keystore and Truststore passwords. |
| 178 | ## |
| 179 | passwordsSecret: "" |
Oleksandr Kozachenko | b009349 | 2023-09-06 21:43:47 +0200 | [diff] [blame] | 180 | ## SPI TLS settings |
| 181 | ## ref: https://www.keycloak.org/server/keycloak-truststore |
| 182 | ## |
| 183 | spi: |
| 184 | ## @param spi.existingSecret Existing secret containing the Keycloak truststore for SPI connection over HTTPS/TLS |
| 185 | ## Create this secret following the steps below: |
| 186 | ## 1) Rename your truststore to `keycloak-spi.truststore.jks` or use a different name overwriting the value 'spi.truststoreFilename'. |
| 187 | ## 2) Run the command below where SECRET_NAME is the name of the secret you want to create: |
| 188 | ## kubectl create secret generic SECRET_NAME --from-file=./keycloak-spi.truststore.jks --from-file=./keycloak.keystore.jks |
| 189 | ## |
| 190 | existingSecret: "" |
| 191 | ## @param spi.truststorePassword Password to access the truststore when it's password-protected |
| 192 | ## |
| 193 | truststorePassword: "" |
| 194 | ## @param spi.truststoreFilename Truststore filename inside the existing secret |
| 195 | ## |
| 196 | truststoreFilename: "keycloak-spi.truststore.jks" |
| 197 | ## @param spi.passwordsSecret Secret containing the SPI Truststore passwords. |
| 198 | ## |
| 199 | passwordsSecret: "" |
Mohammed Naser | 7d1623e | 2024-06-17 09:12:39 -0400 | [diff] [blame] | 200 | ## @param spi.hostnameVerificationPolicy Verify the hostname of the server's certificate. Allowed values: "ANY", "WILDCARD", "STRICT". |
Oleksandr Kozachenko | b009349 | 2023-09-06 21:43:47 +0200 | [diff] [blame] | 201 | ## |
| 202 | hostnameVerificationPolicy: "" |
Oleksandr Kozachenko | b009349 | 2023-09-06 21:43:47 +0200 | [diff] [blame] | 203 | ## @param production Run Keycloak in production mode. TLS configuration is required except when using proxy=edge. |
| 204 | ## |
| 205 | production: false |
| 206 | ## @param proxy reverse Proxy mode edge, reencrypt, passthrough or none |
| 207 | ## ref: https://www.keycloak.org/server/reverseproxy |
| 208 | ## |
| 209 | proxy: passthrough |
| 210 | ## @param httpRelativePath Set the path relative to '/' for serving resources. Useful if you are migrating from older version which were using '/auth/' |
| 211 | ## ref: https://www.keycloak.org/migration/migrating-to-quarkus#_default_context_path_changed |
| 212 | ## |
| 213 | httpRelativePath: "/" |
| 214 | ## Keycloak Service Discovery settings |
| 215 | ## ref: https://github.com/bitnami/containers/tree/main/bitnami/keycloak#cluster-configuration |
| 216 | ## |
| 217 | ## @param configuration Keycloak Configuration. Auto-generated based on other parameters when not specified |
| 218 | ## Specify content for keycloak.conf |
| 219 | ## NOTE: This will override configuring Keycloak based on environment variables (including those set by the chart) |
| 220 | ## The keycloak.conf is auto-generated based on other parameters when this parameter is not specified |
| 221 | ## |
| 222 | ## Example: |
| 223 | ## configuration: |- |
| 224 | ## foo: bar |
| 225 | ## baz: |
| 226 | ## |
| 227 | configuration: "" |
| 228 | ## @param existingConfigmap Name of existing ConfigMap with Keycloak configuration |
| 229 | ## NOTE: When it's set the configuration parameter is ignored |
| 230 | ## |
| 231 | existingConfigmap: "" |
| 232 | ## @param extraStartupArgs Extra default startup args |
| 233 | ## |
| 234 | extraStartupArgs: "" |
Mohammed Naser | 65cda13 | 2024-05-02 14:34:08 -0400 | [diff] [blame] | 235 | ## @param enableDefaultInitContainers Deploy default init containers |
| 236 | ## Disable this parameter could be helpful for 3rd party images e.g native Keycloak image. |
| 237 | ## |
| 238 | enableDefaultInitContainers: true |
Oleksandr Kozachenko | b009349 | 2023-09-06 21:43:47 +0200 | [diff] [blame] | 239 | ## @param initdbScripts Dictionary of initdb scripts |
| 240 | ## Specify dictionary of scripts to be run at first boot |
| 241 | ## ref: https://github.com/bitnami/containers/tree/main/bitnami/keycloak#initializing-a-new-instance |
| 242 | ## Example: |
| 243 | ## initdbScripts: |
| 244 | ## my_init_script.sh: | |
| 245 | ## #!/bin/bash |
| 246 | ## echo "Do something." |
| 247 | ## |
| 248 | initdbScripts: {} |
| 249 | ## @param initdbScriptsConfigMap ConfigMap with the initdb scripts (Note: Overrides `initdbScripts`) |
| 250 | ## |
| 251 | initdbScriptsConfigMap: "" |
| 252 | ## @param command Override default container command (useful when using custom images) |
| 253 | ## |
| 254 | command: [] |
| 255 | ## @param args Override default container args (useful when using custom images) |
| 256 | ## |
| 257 | args: [] |
| 258 | ## @param extraEnvVars Extra environment variables to be set on Keycloak container |
| 259 | ## Example: |
| 260 | ## extraEnvVars: |
| 261 | ## - name: FOO |
| 262 | ## value: "bar" |
| 263 | ## |
| 264 | extraEnvVars: [] |
| 265 | ## @param extraEnvVarsCM Name of existing ConfigMap containing extra env vars |
| 266 | ## |
| 267 | extraEnvVarsCM: "" |
| 268 | ## @param extraEnvVarsSecret Name of existing Secret containing extra env vars |
| 269 | ## |
| 270 | extraEnvVarsSecret: "" |
Oleksandr Kozachenko | b009349 | 2023-09-06 21:43:47 +0200 | [diff] [blame] | 271 | ## @section Keycloak statefulset parameters |
| 272 | |
| 273 | ## @param replicaCount Number of Keycloak replicas to deploy |
| 274 | ## |
| 275 | replicaCount: 1 |
Mohammed Naser | 65cda13 | 2024-05-02 14:34:08 -0400 | [diff] [blame] | 276 | ## @param revisionHistoryLimitCount Number of controller revisions to keep |
| 277 | ## |
| 278 | revisionHistoryLimitCount: 10 |
Oleksandr Kozachenko | b009349 | 2023-09-06 21:43:47 +0200 | [diff] [blame] | 279 | ## @param containerPorts.http Keycloak HTTP container port |
| 280 | ## @param containerPorts.https Keycloak HTTPS container port |
Oleksandr Kozachenko | b009349 | 2023-09-06 21:43:47 +0200 | [diff] [blame] | 281 | ## |
| 282 | containerPorts: |
| 283 | http: 8080 |
| 284 | https: 8443 |
Oleksandr Kozachenko | b009349 | 2023-09-06 21:43:47 +0200 | [diff] [blame] | 285 | ## @param extraContainerPorts Optionally specify extra list of additional port-mappings for Keycloak container |
| 286 | ## |
| 287 | extraContainerPorts: [] |
Mohammed Naser | 65cda13 | 2024-05-02 14:34:08 -0400 | [diff] [blame] | 288 | ## @param statefulsetAnnotations Optionally add extra annotations on the statefulset resource |
| 289 | statefulsetAnnotations: {} |
| 290 | ## |
Oleksandr Kozachenko | b009349 | 2023-09-06 21:43:47 +0200 | [diff] [blame] | 291 | ## Keycloak pods' SecurityContext |
| 292 | ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod |
| 293 | ## @param podSecurityContext.enabled Enabled Keycloak pods' Security Context |
Mohammed Naser | 65cda13 | 2024-05-02 14:34:08 -0400 | [diff] [blame] | 294 | ## @param podSecurityContext.fsGroupChangePolicy Set filesystem group change policy |
| 295 | ## @param podSecurityContext.sysctls Set kernel settings using the sysctl interface |
| 296 | ## @param podSecurityContext.supplementalGroups Set filesystem extra groups |
Oleksandr Kozachenko | b009349 | 2023-09-06 21:43:47 +0200 | [diff] [blame] | 297 | ## @param podSecurityContext.fsGroup Set Keycloak pod's Security Context fsGroup |
| 298 | ## |
| 299 | podSecurityContext: |
| 300 | enabled: true |
Mohammed Naser | 65cda13 | 2024-05-02 14:34:08 -0400 | [diff] [blame] | 301 | fsGroupChangePolicy: Always |
| 302 | sysctls: [] |
| 303 | supplementalGroups: [] |
Oleksandr Kozachenko | b009349 | 2023-09-06 21:43:47 +0200 | [diff] [blame] | 304 | fsGroup: 1001 |
| 305 | ## Keycloak containers' Security Context |
| 306 | ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container |
Mohammed Naser | 65cda13 | 2024-05-02 14:34:08 -0400 | [diff] [blame] | 307 | ## @param containerSecurityContext.enabled Enabled containers' Security Context |
| 308 | ## @param containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container |
| 309 | ## @param containerSecurityContext.runAsUser Set containers' Security Context runAsUser |
| 310 | ## @param containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup |
| 311 | ## @param containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot |
| 312 | ## @param containerSecurityContext.privileged Set container's Security Context privileged |
| 313 | ## @param containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem |
| 314 | ## @param containerSecurityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation |
| 315 | ## @param containerSecurityContext.capabilities.drop List of capabilities to be dropped |
| 316 | ## @param containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile |
Oleksandr Kozachenko | b009349 | 2023-09-06 21:43:47 +0200 | [diff] [blame] | 317 | ## |
| 318 | containerSecurityContext: |
| 319 | enabled: true |
Mohammed Naser | 65cda13 | 2024-05-02 14:34:08 -0400 | [diff] [blame] | 320 | seLinuxOptions: {} |
Oleksandr Kozachenko | b009349 | 2023-09-06 21:43:47 +0200 | [diff] [blame] | 321 | runAsUser: 1001 |
Mohammed Naser | 65cda13 | 2024-05-02 14:34:08 -0400 | [diff] [blame] | 322 | runAsGroup: 1001 |
Oleksandr Kozachenko | b009349 | 2023-09-06 21:43:47 +0200 | [diff] [blame] | 323 | runAsNonRoot: true |
Mohammed Naser | 65cda13 | 2024-05-02 14:34:08 -0400 | [diff] [blame] | 324 | privileged: false |
| 325 | readOnlyRootFilesystem: true |
| 326 | allowPrivilegeEscalation: false |
| 327 | capabilities: |
| 328 | drop: ["ALL"] |
| 329 | seccompProfile: |
| 330 | type: "RuntimeDefault" |
Oleksandr Kozachenko | b009349 | 2023-09-06 21:43:47 +0200 | [diff] [blame] | 331 | ## Keycloak resource requests and limits |
Mohammed Naser | 65cda13 | 2024-05-02 14:34:08 -0400 | [diff] [blame] | 332 | ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ |
| 333 | ## @param resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). |
| 334 | ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 |
Oleksandr Kozachenko | b009349 | 2023-09-06 21:43:47 +0200 | [diff] [blame] | 335 | ## |
Mohammed Naser | 65cda13 | 2024-05-02 14:34:08 -0400 | [diff] [blame] | 336 | resourcesPreset: "small" |
| 337 | ## @param resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) |
| 338 | ## Example: |
| 339 | ## resources: |
| 340 | ## requests: |
| 341 | ## cpu: 2 |
| 342 | ## memory: 512Mi |
| 343 | ## limits: |
| 344 | ## cpu: 3 |
| 345 | ## memory: 1024Mi |
| 346 | ## |
| 347 | resources: {} |
Oleksandr Kozachenko | b009349 | 2023-09-06 21:43:47 +0200 | [diff] [blame] | 348 | ## Configure extra options for Keycloak containers' liveness, readiness and startup probes |
| 349 | ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes |
| 350 | ## @param livenessProbe.enabled Enable livenessProbe on Keycloak containers |
| 351 | ## @param livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe |
| 352 | ## @param livenessProbe.periodSeconds Period seconds for livenessProbe |
| 353 | ## @param livenessProbe.timeoutSeconds Timeout seconds for livenessProbe |
| 354 | ## @param livenessProbe.failureThreshold Failure threshold for livenessProbe |
| 355 | ## @param livenessProbe.successThreshold Success threshold for livenessProbe |
| 356 | ## |
| 357 | livenessProbe: |
| 358 | enabled: true |
| 359 | initialDelaySeconds: 300 |
| 360 | periodSeconds: 1 |
| 361 | timeoutSeconds: 5 |
| 362 | failureThreshold: 3 |
| 363 | successThreshold: 1 |
| 364 | ## @param readinessProbe.enabled Enable readinessProbe on Keycloak containers |
| 365 | ## @param readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe |
| 366 | ## @param readinessProbe.periodSeconds Period seconds for readinessProbe |
| 367 | ## @param readinessProbe.timeoutSeconds Timeout seconds for readinessProbe |
| 368 | ## @param readinessProbe.failureThreshold Failure threshold for readinessProbe |
| 369 | ## @param readinessProbe.successThreshold Success threshold for readinessProbe |
| 370 | ## |
| 371 | readinessProbe: |
| 372 | enabled: true |
| 373 | initialDelaySeconds: 30 |
| 374 | periodSeconds: 10 |
| 375 | timeoutSeconds: 1 |
| 376 | failureThreshold: 3 |
| 377 | successThreshold: 1 |
| 378 | ## When enabling this, make sure to set initialDelaySeconds to 0 for livenessProbe and readinessProbe |
| 379 | ## @param startupProbe.enabled Enable startupProbe on Keycloak containers |
| 380 | ## @param startupProbe.initialDelaySeconds Initial delay seconds for startupProbe |
| 381 | ## @param startupProbe.periodSeconds Period seconds for startupProbe |
| 382 | ## @param startupProbe.timeoutSeconds Timeout seconds for startupProbe |
| 383 | ## @param startupProbe.failureThreshold Failure threshold for startupProbe |
| 384 | ## @param startupProbe.successThreshold Success threshold for startupProbe |
| 385 | ## |
| 386 | startupProbe: |
| 387 | enabled: false |
| 388 | initialDelaySeconds: 30 |
| 389 | periodSeconds: 5 |
| 390 | timeoutSeconds: 1 |
| 391 | failureThreshold: 60 |
| 392 | successThreshold: 1 |
| 393 | ## @param customLivenessProbe Custom Liveness probes for Keycloak |
| 394 | ## |
| 395 | customLivenessProbe: {} |
| 396 | ## @param customReadinessProbe Custom Rediness probes Keycloak |
| 397 | ## |
| 398 | customReadinessProbe: {} |
| 399 | ## @param customStartupProbe Custom Startup probes for Keycloak |
| 400 | ## |
| 401 | customStartupProbe: {} |
| 402 | ## @param lifecycleHooks LifecycleHooks to set additional configuration at startup |
| 403 | ## |
| 404 | lifecycleHooks: {} |
Mohammed Naser | 65cda13 | 2024-05-02 14:34:08 -0400 | [diff] [blame] | 405 | ## @param automountServiceAccountToken Mount Service Account token in pod |
| 406 | ## |
| 407 | automountServiceAccountToken: true |
Oleksandr Kozachenko | b009349 | 2023-09-06 21:43:47 +0200 | [diff] [blame] | 408 | ## @param hostAliases Deployment pod host aliases |
| 409 | ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ |
| 410 | ## |
| 411 | hostAliases: [] |
| 412 | ## @param podLabels Extra labels for Keycloak pods |
| 413 | ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ |
| 414 | ## |
| 415 | podLabels: {} |
| 416 | ## @param podAnnotations Annotations for Keycloak pods |
| 417 | ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ |
| 418 | ## |
| 419 | podAnnotations: {} |
| 420 | ## @param podAffinityPreset Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` |
| 421 | ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity |
| 422 | ## |
| 423 | podAffinityPreset: "" |
| 424 | ## @param podAntiAffinityPreset Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` |
| 425 | ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity |
| 426 | ## |
| 427 | podAntiAffinityPreset: soft |
| 428 | ## Node affinity preset |
| 429 | ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity |
| 430 | ## |
| 431 | nodeAffinityPreset: |
| 432 | ## @param nodeAffinityPreset.type Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` |
| 433 | ## |
| 434 | type: "" |
| 435 | ## @param nodeAffinityPreset.key Node label key to match. Ignored if `affinity` is set. |
| 436 | ## E.g. |
| 437 | ## key: "kubernetes.io/e2e-az-name" |
| 438 | ## |
| 439 | key: "" |
| 440 | ## @param nodeAffinityPreset.values Node label values to match. Ignored if `affinity` is set. |
| 441 | ## E.g. |
| 442 | ## values: |
| 443 | ## - e2e-az1 |
| 444 | ## - e2e-az2 |
| 445 | ## |
| 446 | values: [] |
| 447 | ## @param affinity Affinity for pod assignment |
| 448 | ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity |
| 449 | ## |
| 450 | affinity: {} |
| 451 | ## @param nodeSelector Node labels for pod assignment |
Mohammed Naser | 65cda13 | 2024-05-02 14:34:08 -0400 | [diff] [blame] | 452 | ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ |
Oleksandr Kozachenko | b009349 | 2023-09-06 21:43:47 +0200 | [diff] [blame] | 453 | ## |
| 454 | nodeSelector: {} |
| 455 | ## @param tolerations Tolerations for pod assignment |
| 456 | ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ |
| 457 | ## |
| 458 | tolerations: [] |
| 459 | ## @param topologySpreadConstraints Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template |
| 460 | ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/#spread-constraints-for-pods |
| 461 | ## |
| 462 | topologySpreadConstraints: [] |
| 463 | ## @param podManagementPolicy Pod management policy for the Keycloak statefulset |
| 464 | ## |
| 465 | podManagementPolicy: Parallel |
| 466 | ## @param priorityClassName Keycloak pods' Priority Class Name |
| 467 | ## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/ |
| 468 | ## |
| 469 | priorityClassName: "" |
| 470 | ## @param schedulerName Use an alternate scheduler, e.g. "stork". |
| 471 | ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ |
| 472 | ## |
| 473 | schedulerName: "" |
| 474 | ## @param terminationGracePeriodSeconds Seconds Keycloak pod needs to terminate gracefully |
| 475 | ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods |
| 476 | ## |
| 477 | terminationGracePeriodSeconds: "" |
| 478 | ## @param updateStrategy.type Keycloak statefulset strategy type |
| 479 | ## @param updateStrategy.rollingUpdate Keycloak statefulset rolling update configuration parameters |
| 480 | ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies |
| 481 | ## |
| 482 | updateStrategy: |
| 483 | type: RollingUpdate |
| 484 | rollingUpdate: {} |
| 485 | ## @param extraVolumes Optionally specify extra list of additional volumes for Keycloak pods |
| 486 | ## |
| 487 | extraVolumes: [] |
| 488 | ## @param extraVolumeMounts Optionally specify extra list of additional volumeMounts for Keycloak container(s) |
| 489 | ## |
| 490 | extraVolumeMounts: [] |
| 491 | ## @param initContainers Add additional init containers to the Keycloak pods |
| 492 | ## Example: |
| 493 | ## initContainers: |
| 494 | ## - name: your-image-name |
| 495 | ## image: your-image |
| 496 | ## imagePullPolicy: Always |
| 497 | ## ports: |
| 498 | ## - name: portname |
| 499 | ## containerPort: 1234 |
| 500 | ## |
| 501 | initContainers: [] |
| 502 | ## @param sidecars Add additional sidecar containers to the Keycloak pods |
| 503 | ## Example: |
| 504 | ## sidecars: |
| 505 | ## - name: your-image-name |
| 506 | ## image: your-image |
| 507 | ## imagePullPolicy: Always |
| 508 | ## ports: |
| 509 | ## - name: portname |
| 510 | ## containerPort: 1234 |
| 511 | ## |
| 512 | sidecars: [] |
Oleksandr Kozachenko | b009349 | 2023-09-06 21:43:47 +0200 | [diff] [blame] | 513 | ## @section Exposure parameters |
| 514 | ## |
| 515 | |
| 516 | ## Service configuration |
| 517 | ## |
| 518 | service: |
| 519 | ## @param service.type Kubernetes service type |
| 520 | ## |
| 521 | type: ClusterIP |
| 522 | ## @param service.http.enabled Enable http port on service |
| 523 | ## |
| 524 | http: |
| 525 | enabled: true |
| 526 | ## @param service.ports.http Keycloak service HTTP port |
| 527 | ## @param service.ports.https Keycloak service HTTPS port |
| 528 | ## |
| 529 | ports: |
| 530 | http: 80 |
| 531 | https: 443 |
| 532 | ## @param service.nodePorts [object] Specify the nodePort values for the LoadBalancer and NodePort service types. |
| 533 | ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport |
| 534 | ## |
| 535 | nodePorts: |
| 536 | http: "" |
| 537 | https: "" |
| 538 | ## @param service.sessionAffinity Control where client requests go, to the same pod or round-robin |
| 539 | ## Values: ClientIP or None |
Mohammed Naser | 65cda13 | 2024-05-02 14:34:08 -0400 | [diff] [blame] | 540 | ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ |
Oleksandr Kozachenko | b009349 | 2023-09-06 21:43:47 +0200 | [diff] [blame] | 541 | ## |
| 542 | sessionAffinity: None |
| 543 | ## @param service.sessionAffinityConfig Additional settings for the sessionAffinity |
| 544 | ## sessionAffinityConfig: |
| 545 | ## clientIP: |
| 546 | ## timeoutSeconds: 300 |
| 547 | ## |
| 548 | sessionAffinityConfig: {} |
| 549 | ## @param service.clusterIP Keycloak service clusterIP IP |
| 550 | ## e.g: |
| 551 | ## clusterIP: None |
| 552 | ## |
| 553 | clusterIP: "" |
| 554 | ## @param service.loadBalancerIP loadBalancerIP for the SuiteCRM Service (optional, cloud specific) |
Mohammed Naser | 65cda13 | 2024-05-02 14:34:08 -0400 | [diff] [blame] | 555 | ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-loadbalancer |
Oleksandr Kozachenko | b009349 | 2023-09-06 21:43:47 +0200 | [diff] [blame] | 556 | ## |
| 557 | loadBalancerIP: "" |
| 558 | ## @param service.loadBalancerSourceRanges Address that are allowed when service is LoadBalancer |
| 559 | ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service |
| 560 | ## Example: |
| 561 | ## loadBalancerSourceRanges: |
| 562 | ## - 10.10.10.0/24 |
| 563 | ## |
| 564 | loadBalancerSourceRanges: [] |
| 565 | ## @param service.externalTrafficPolicy Enable client source IP preservation |
| 566 | ## ref https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip |
| 567 | ## |
| 568 | externalTrafficPolicy: Cluster |
| 569 | ## @param service.annotations Additional custom annotations for Keycloak service |
| 570 | ## |
| 571 | annotations: {} |
| 572 | ## @param service.extraPorts Extra port to expose on Keycloak service |
| 573 | ## |
| 574 | extraPorts: [] |
| 575 | # DEPRECATED service.extraHeadlessPorts will be removed in a future release, please use service.headless.extraPorts instead |
| 576 | ## @param service.extraHeadlessPorts Extra ports to expose on Keycloak headless service |
| 577 | ## |
| 578 | extraHeadlessPorts: [] |
| 579 | ## Headless service properties |
| 580 | ## |
| 581 | headless: |
| 582 | ## @param service.headless.annotations Annotations for the headless service. |
| 583 | ## |
| 584 | annotations: {} |
| 585 | ## @param service.headless.extraPorts Extra ports to expose on Keycloak headless service |
| 586 | ## |
| 587 | extraPorts: [] |
| 588 | ## Keycloak ingress parameters |
Mohammed Naser | 65cda13 | 2024-05-02 14:34:08 -0400 | [diff] [blame] | 589 | ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/ |
Oleksandr Kozachenko | b009349 | 2023-09-06 21:43:47 +0200 | [diff] [blame] | 590 | ## |
| 591 | ingress: |
| 592 | ## @param ingress.enabled Enable ingress record generation for Keycloak |
| 593 | ## |
| 594 | enabled: false |
| 595 | ## @param ingress.ingressClassName IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+) |
| 596 | ## This is supported in Kubernetes 1.18+ and required if you have more than one IngressClass marked as the default for your cluster . |
| 597 | ## ref: https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/ |
| 598 | ## |
| 599 | ingressClassName: "" |
| 600 | ## @param ingress.pathType Ingress path type |
| 601 | ## |
| 602 | pathType: ImplementationSpecific |
| 603 | ## @param ingress.apiVersion Force Ingress API version (automatically detected if not set) |
| 604 | ## |
| 605 | apiVersion: "" |
| 606 | ## @param ingress.hostname Default host for the ingress record (evaluated as template) |
| 607 | ## |
| 608 | hostname: keycloak.local |
| 609 | ## @param ingress.path [string] Default path for the ingress record (evaluated as template) |
| 610 | ## |
| 611 | path: "{{ .Values.httpRelativePath }}" |
| 612 | ## @param ingress.servicePort Backend service port to use |
| 613 | ## Default is http. Alternative is https. |
| 614 | ## |
| 615 | servicePort: http |
| 616 | ## @param ingress.annotations [object] Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations. |
| 617 | ## Use this parameter to set the required annotations for cert-manager, see |
| 618 | ## ref: https://cert-manager.io/docs/usage/ingress/#supported-annotations |
| 619 | ## e.g: |
| 620 | ## annotations: |
| 621 | ## kubernetes.io/ingress.class: nginx |
| 622 | ## cert-manager.io/cluster-issuer: cluster-issuer-name |
| 623 | ## |
| 624 | annotations: {} |
| 625 | ## @param ingress.labels Additional labels for the Ingress resource. |
| 626 | ## e.g: |
| 627 | ## labels: |
| 628 | ## app: keycloak |
| 629 | ## |
| 630 | labels: {} |
| 631 | ## @param ingress.tls Enable TLS configuration for the host defined at `ingress.hostname` parameter |
| 632 | ## TLS certificates will be retrieved from a TLS secret with name: `{{- printf "%s-tls" (tpl .Values.ingress.hostname .) }}` |
| 633 | ## You can: |
| 634 | ## - Use the `ingress.secrets` parameter to create this TLS secret |
| 635 | ## - Rely on cert-manager to create it by setting the corresponding annotations |
| 636 | ## - Rely on Helm to create self-signed certificates by setting `ingress.selfSigned=true` |
| 637 | ## |
| 638 | tls: false |
| 639 | ## @param ingress.selfSigned Create a TLS secret for this ingress record using self-signed certificates generated by Helm |
| 640 | ## |
| 641 | selfSigned: false |
| 642 | ## @param ingress.extraHosts An array with additional hostname(s) to be covered with the ingress record |
| 643 | ## e.g: |
| 644 | ## extraHosts: |
| 645 | ## - name: keycloak.local |
| 646 | ## path: / |
| 647 | ## |
| 648 | extraHosts: [] |
| 649 | ## @param ingress.extraPaths Any additional arbitrary paths that may need to be added to the ingress under the main host. |
| 650 | ## For example: The ALB ingress controller requires a special rule for handling SSL redirection. |
| 651 | ## extraPaths: |
| 652 | ## - path: /* |
| 653 | ## backend: |
| 654 | ## serviceName: ssl-redirect |
| 655 | ## servicePort: use-annotation |
| 656 | ## |
| 657 | extraPaths: [] |
| 658 | ## @param ingress.extraTls The tls configuration for additional hostnames to be covered with this ingress record. |
| 659 | ## see: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls |
| 660 | ## extraTls: |
| 661 | ## - hosts: |
| 662 | ## - keycloak.local |
| 663 | ## secretName: keycloak.local-tls |
| 664 | ## |
| 665 | extraTls: [] |
| 666 | ## @param ingress.secrets If you're providing your own certificates, please use this to add the certificates as secrets |
| 667 | ## key and certificate should start with -----BEGIN CERTIFICATE----- or |
| 668 | ## -----BEGIN RSA PRIVATE KEY----- |
| 669 | ## |
| 670 | ## name should line up with a tlsSecret set further up |
| 671 | ## If you're using cert-manager, this is unneeded, as it will create the secret for you if it is not set |
| 672 | ## |
| 673 | ## It is also possible to create and manage the certificates outside of this helm chart |
| 674 | ## Please see README.md for more information |
| 675 | ## e.g: |
| 676 | ## - name: keycloak.local-tls |
| 677 | ## key: |
| 678 | ## certificate: |
| 679 | ## |
| 680 | secrets: [] |
| 681 | ## @param ingress.extraRules Additional rules to be covered with this ingress record |
| 682 | ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules |
| 683 | ## e.g: |
| 684 | ## extraRules: |
| 685 | ## - host: airflow.local |
| 686 | ## http: |
| 687 | ## path: / |
| 688 | ## backend: |
| 689 | ## service: |
| 690 | ## name: airflow-svc |
| 691 | ## port: |
| 692 | ## name: http |
| 693 | ## |
| 694 | extraRules: [] |
Mohammed Naser | 65cda13 | 2024-05-02 14:34:08 -0400 | [diff] [blame] | 695 | ## Keycloak admin ingress parameters |
| 696 | ## ref: https://kubernetes.io/docs/user-guide/ingress/ |
| 697 | ## |
| 698 | adminIngress: |
| 699 | ## @param adminIngress.enabled Enable admin ingress record generation for Keycloak |
| 700 | ## |
| 701 | enabled: false |
| 702 | ## @param adminIngress.ingressClassName IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+) |
| 703 | ## This is supported in Kubernetes 1.18+ and required if you have more than one IngressClass marked as the default for your cluster . |
| 704 | ## ref: https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/ |
| 705 | ## |
| 706 | ingressClassName: "" |
| 707 | ## @param adminIngress.pathType Ingress path type |
| 708 | ## |
| 709 | pathType: ImplementationSpecific |
| 710 | ## @param adminIngress.apiVersion Force Ingress API version (automatically detected if not set) |
| 711 | ## |
| 712 | apiVersion: "" |
| 713 | ## @param adminIngress.hostname Default host for the admin ingress record (evaluated as template) |
| 714 | ## |
| 715 | hostname: keycloak.local |
| 716 | ## @param adminIngress.path [string] Default path for the admin ingress record (evaluated as template) |
| 717 | ## |
| 718 | path: "{{ .Values.httpRelativePath }}" |
| 719 | ## @param adminIngress.servicePort Backend service port to use |
| 720 | ## Default is http. Alternative is https. |
| 721 | ## |
| 722 | servicePort: http |
| 723 | ## @param adminIngress.annotations [object] Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations. |
| 724 | ## Use this parameter to set the required annotations for cert-manager, see |
| 725 | ## ref: https://cert-manager.io/docs/usage/ingress/#supported-annotations |
| 726 | ## e.g: |
| 727 | ## annotations: |
| 728 | ## kubernetes.io/ingress.class: nginx |
| 729 | ## cert-manager.io/cluster-issuer: cluster-issuer-name |
| 730 | ## |
| 731 | annotations: {} |
| 732 | ## @param adminIngress.labels Additional labels for the Ingress resource. |
| 733 | ## e.g: |
| 734 | ## labels: |
| 735 | ## app: keycloak |
| 736 | ## |
| 737 | labels: {} |
| 738 | ## @param adminIngress.tls Enable TLS configuration for the host defined at `adminIngress.hostname` parameter |
| 739 | ## TLS certificates will be retrieved from a TLS secret with name: `{{- printf "%s-tls" (tpl .Values.adminIngress.hostname .) }}` |
| 740 | ## You can: |
| 741 | ## - Use the `adminIngress.secrets` parameter to create this TLS secret |
| 742 | ## - Rely on cert-manager to create it by setting the corresponding annotations |
| 743 | ## - Rely on Helm to create self-signed certificates by setting `adminIngress.selfSigned=true` |
| 744 | ## |
| 745 | tls: false |
| 746 | ## @param adminIngress.selfSigned Create a TLS secret for this ingress record using self-signed certificates generated by Helm |
| 747 | ## |
| 748 | selfSigned: false |
| 749 | ## @param adminIngress.extraHosts An array with additional hostname(s) to be covered with the admin ingress record |
| 750 | ## e.g: |
| 751 | ## extraHosts: |
| 752 | ## - name: keycloak.local |
| 753 | ## path: / |
| 754 | ## |
| 755 | extraHosts: [] |
| 756 | ## @param adminIngress.extraPaths Any additional arbitrary paths that may need to be added to the admin ingress under the main host. |
| 757 | ## For example: The ALB ingress controller requires a special rule for handling SSL redirection. |
| 758 | ## extraPaths: |
| 759 | ## - path: /* |
| 760 | ## backend: |
| 761 | ## serviceName: ssl-redirect |
| 762 | ## servicePort: use-annotation |
| 763 | ## |
| 764 | extraPaths: [] |
| 765 | ## @param adminIngress.extraTls The tls configuration for additional hostnames to be covered with this ingress record. |
| 766 | ## see: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls |
| 767 | ## extraTls: |
| 768 | ## - hosts: |
| 769 | ## - keycloak.local |
| 770 | ## secretName: keycloak.local-tls |
| 771 | ## |
| 772 | extraTls: [] |
| 773 | ## @param adminIngress.secrets If you're providing your own certificates, please use this to add the certificates as secrets |
| 774 | ## key and certificate should start with -----BEGIN CERTIFICATE----- or |
| 775 | ## -----BEGIN RSA PRIVATE KEY----- |
| 776 | ## |
| 777 | ## name should line up with a tlsSecret set further up |
| 778 | ## If you're using cert-manager, this is unneeded, as it will create the secret for you if it is not set |
| 779 | ## |
| 780 | ## It is also possible to create and manage the certificates outside of this helm chart |
| 781 | ## Please see README.md for more information |
| 782 | ## e.g: |
| 783 | ## - name: keycloak.local-tls |
| 784 | ## key: |
| 785 | ## certificate: |
| 786 | ## |
| 787 | secrets: [] |
| 788 | ## @param adminIngress.extraRules Additional rules to be covered with this ingress record |
| 789 | ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules |
| 790 | ## e.g: |
| 791 | ## extraRules: |
| 792 | ## - host: airflow.local |
| 793 | ## http: |
| 794 | ## path: / |
| 795 | ## backend: |
| 796 | ## service: |
| 797 | ## name: airflow-svc |
| 798 | ## port: |
| 799 | ## name: http |
| 800 | ## |
| 801 | extraRules: [] |
Oleksandr Kozachenko | b009349 | 2023-09-06 21:43:47 +0200 | [diff] [blame] | 802 | ## Network Policy configuration |
| 803 | ## ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/ |
| 804 | ## |
| 805 | networkPolicy: |
Mohammed Naser | 65cda13 | 2024-05-02 14:34:08 -0400 | [diff] [blame] | 806 | ## @param networkPolicy.enabled Specifies whether a NetworkPolicy should be created |
Oleksandr Kozachenko | b009349 | 2023-09-06 21:43:47 +0200 | [diff] [blame] | 807 | ## |
Mohammed Naser | 65cda13 | 2024-05-02 14:34:08 -0400 | [diff] [blame] | 808 | enabled: true |
| 809 | ## @param networkPolicy.allowExternal Don't require server label for connections |
Oleksandr Kozachenko | b009349 | 2023-09-06 21:43:47 +0200 | [diff] [blame] | 810 | ## The Policy model to apply. When set to false, only pods with the correct |
Mohammed Naser | 65cda13 | 2024-05-02 14:34:08 -0400 | [diff] [blame] | 811 | ## server label will have network access to the ports server is listening |
| 812 | ## on. When true, server will accept connections from any source |
Oleksandr Kozachenko | b009349 | 2023-09-06 21:43:47 +0200 | [diff] [blame] | 813 | ## (with the correct destination port). |
| 814 | ## |
| 815 | allowExternal: true |
Mohammed Naser | 65cda13 | 2024-05-02 14:34:08 -0400 | [diff] [blame] | 816 | ## @param networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations. |
Oleksandr Kozachenko | b009349 | 2023-09-06 21:43:47 +0200 | [diff] [blame] | 817 | ## |
Mohammed Naser | 65cda13 | 2024-05-02 14:34:08 -0400 | [diff] [blame] | 818 | allowExternalEgress: true |
| 819 | ## @param networkPolicy.kubeAPIServerPorts [array] List of possible endpoints to kube-apiserver (limit to your cluster settings to increase security) |
| 820 | ## |
| 821 | kubeAPIServerPorts: [443, 6443, 8443] |
Mohammed Naser | 7d1623e | 2024-06-17 09:12:39 -0400 | [diff] [blame] | 822 | ## @param networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy |
Mohammed Naser | 65cda13 | 2024-05-02 14:34:08 -0400 | [diff] [blame] | 823 | ## e.g: |
| 824 | ## extraIngress: |
| 825 | ## - ports: |
| 826 | ## - port: 1234 |
| 827 | ## from: |
| 828 | ## - podSelector: |
| 829 | ## - matchLabels: |
| 830 | ## - role: frontend |
| 831 | ## - podSelector: |
| 832 | ## - matchExpressions: |
| 833 | ## - key: role |
| 834 | ## operator: In |
| 835 | ## values: |
| 836 | ## - frontend |
| 837 | extraIngress: [] |
| 838 | ## @param networkPolicy.extraEgress [array] Add extra ingress rules to the NetworkPolicy |
| 839 | ## e.g: |
| 840 | ## extraEgress: |
| 841 | ## - ports: |
| 842 | ## - port: 1234 |
| 843 | ## to: |
| 844 | ## - podSelector: |
| 845 | ## - matchLabels: |
| 846 | ## - role: frontend |
| 847 | ## - podSelector: |
| 848 | ## - matchExpressions: |
| 849 | ## - key: role |
| 850 | ## operator: In |
| 851 | ## values: |
| 852 | ## - frontend |
| 853 | ## |
| 854 | extraEgress: [] |
| 855 | ## @param networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces |
| 856 | ## @param networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces |
| 857 | ## |
| 858 | ingressNSMatchLabels: {} |
| 859 | ingressNSPodMatchLabels: {} |
Oleksandr Kozachenko | b009349 | 2023-09-06 21:43:47 +0200 | [diff] [blame] | 860 | ## @section RBAC parameter |
| 861 | ## Specifies whether a ServiceAccount should be created |
| 862 | ## |
| 863 | serviceAccount: |
| 864 | ## @param serviceAccount.create Enable the creation of a ServiceAccount for Keycloak pods |
| 865 | ## |
| 866 | create: true |
| 867 | ## @param serviceAccount.name Name of the created ServiceAccount |
| 868 | ## If not set and create is true, a name is generated using the fullname template |
| 869 | ## |
| 870 | name: "" |
| 871 | ## @param serviceAccount.automountServiceAccountToken Auto-mount the service account token in the pod |
| 872 | ## |
Mohammed Naser | 65cda13 | 2024-05-02 14:34:08 -0400 | [diff] [blame] | 873 | automountServiceAccountToken: false |
Oleksandr Kozachenko | b009349 | 2023-09-06 21:43:47 +0200 | [diff] [blame] | 874 | ## @param serviceAccount.annotations Additional custom annotations for the ServiceAccount |
| 875 | ## |
| 876 | annotations: {} |
| 877 | ## @param serviceAccount.extraLabels Additional labels for the ServiceAccount |
| 878 | ## |
| 879 | extraLabels: {} |
| 880 | ## Specifies whether RBAC resources should be created |
| 881 | ## |
| 882 | rbac: |
| 883 | ## @param rbac.create Whether to create and use RBAC resources or not |
| 884 | ## |
| 885 | create: false |
| 886 | ## @param rbac.rules Custom RBAC rules |
| 887 | ## Example: |
| 888 | ## rules: |
| 889 | ## - apiGroups: |
| 890 | ## - "" |
| 891 | ## resources: |
| 892 | ## - pods |
| 893 | ## verbs: |
| 894 | ## - get |
| 895 | ## - list |
| 896 | ## |
| 897 | rules: [] |
Oleksandr Kozachenko | b009349 | 2023-09-06 21:43:47 +0200 | [diff] [blame] | 898 | ## @section Other parameters |
| 899 | ## |
| 900 | |
| 901 | ## Keycloak Pod Disruption Budget configuration |
| 902 | ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/ |
| 903 | ## |
| 904 | pdb: |
| 905 | ## @param pdb.create Enable/disable a Pod Disruption Budget creation |
| 906 | ## |
Mohammed Naser | 7d1623e | 2024-06-17 09:12:39 -0400 | [diff] [blame] | 907 | create: true |
Oleksandr Kozachenko | b009349 | 2023-09-06 21:43:47 +0200 | [diff] [blame] | 908 | ## @param pdb.minAvailable Minimum number/percentage of pods that should remain scheduled |
| 909 | ## |
Mohammed Naser | 7d1623e | 2024-06-17 09:12:39 -0400 | [diff] [blame] | 910 | minAvailable: "" |
Oleksandr Kozachenko | b009349 | 2023-09-06 21:43:47 +0200 | [diff] [blame] | 911 | ## @param pdb.maxUnavailable Maximum number/percentage of pods that may be made unavailable |
| 912 | ## |
| 913 | maxUnavailable: "" |
| 914 | ## Keycloak Autoscaling configuration |
Mohammed Naser | 7d1623e | 2024-06-17 09:12:39 -0400 | [diff] [blame] | 915 | ## ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ |
Oleksandr Kozachenko | b009349 | 2023-09-06 21:43:47 +0200 | [diff] [blame] | 916 | ## @param autoscaling.enabled Enable autoscaling for Keycloak |
| 917 | ## @param autoscaling.minReplicas Minimum number of Keycloak replicas |
| 918 | ## @param autoscaling.maxReplicas Maximum number of Keycloak replicas |
| 919 | ## @param autoscaling.targetCPU Target CPU utilization percentage |
| 920 | ## @param autoscaling.targetMemory Target Memory utilization percentage |
| 921 | ## |
| 922 | autoscaling: |
| 923 | enabled: false |
| 924 | minReplicas: 1 |
| 925 | maxReplicas: 11 |
| 926 | targetCPU: "" |
| 927 | targetMemory: "" |
Mohammed Naser | 7d1623e | 2024-06-17 09:12:39 -0400 | [diff] [blame] | 928 | ## HPA Scaling Behavior |
| 929 | ## ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/#configurable-scaling-behavior |
| 930 | ## |
| 931 | behavior: |
| 932 | ## HPA behavior when scaling up |
| 933 | ## @param autoscaling.behavior.scaleUp.stabilizationWindowSeconds The number of seconds for which past recommendations should be considered while scaling up |
| 934 | ## @param autoscaling.behavior.scaleUp.selectPolicy The priority of policies that the autoscaler will apply when scaling up |
| 935 | ## @param autoscaling.behavior.scaleUp.policies [array] HPA scaling policies when scaling up |
| 936 | ## e.g: |
| 937 | ## Policy to scale 20% of the pod in 60s |
| 938 | ## - type: Percent |
| 939 | ## value: 20 |
| 940 | ## periodSeconds: 60 |
| 941 | ## |
| 942 | scaleUp: |
| 943 | stabilizationWindowSeconds: 120 |
| 944 | selectPolicy: Max |
| 945 | policies: [] |
| 946 | ## HPA behavior when scaling down |
| 947 | ## @param autoscaling.behavior.scaleDown.stabilizationWindowSeconds The number of seconds for which past recommendations should be considered while scaling down |
| 948 | ## @param autoscaling.behavior.scaleDown.selectPolicy The priority of policies that the autoscaler will apply when scaling down |
| 949 | ## @param autoscaling.behavior.scaleDown.policies [array] HPA scaling policies when scaling down |
| 950 | ## e.g: |
| 951 | ## Policy to scale one pod in 300s |
| 952 | ## - type: Pods |
| 953 | ## value: 1 |
| 954 | ## periodSeconds: 300 |
| 955 | ## |
| 956 | scaleDown: |
| 957 | stabilizationWindowSeconds: 300 |
| 958 | selectPolicy: Max |
| 959 | policies: |
| 960 | - type: Pods |
| 961 | value: 1 |
| 962 | periodSeconds: 300 |
Oleksandr Kozachenko | b009349 | 2023-09-06 21:43:47 +0200 | [diff] [blame] | 963 | ## @section Metrics parameters |
| 964 | ## |
| 965 | |
| 966 | ## Metrics configuration |
| 967 | ## |
| 968 | metrics: |
| 969 | ## @param metrics.enabled Enable exposing Keycloak statistics |
| 970 | ## ref: https://github.com/bitnami/containers/tree/main/bitnami/keycloak#enabling-statistics |
| 971 | ## |
| 972 | enabled: false |
| 973 | ## Keycloak metrics service parameters |
| 974 | ## |
| 975 | service: |
| 976 | ## @param metrics.service.ports.http Metrics service HTTP port |
| 977 | ## |
| 978 | ports: |
| 979 | http: 8080 |
| 980 | ## @param metrics.service.annotations [object] Annotations for enabling prometheus to access the metrics endpoints |
| 981 | ## |
| 982 | annotations: |
| 983 | prometheus.io/scrape: "true" |
| 984 | prometheus.io/port: "{{ .Values.metrics.service.ports.http }}" |
Mohammed Naser | 65cda13 | 2024-05-02 14:34:08 -0400 | [diff] [blame] | 985 | ## @param metrics.service.extraPorts [array] Add additional ports to the keycloak metrics service (i.e. admin port 9000) |
| 986 | ## |
| 987 | extraPorts: [] |
Oleksandr Kozachenko | b009349 | 2023-09-06 21:43:47 +0200 | [diff] [blame] | 988 | ## Prometheus Operator ServiceMonitor configuration |
| 989 | ## |
| 990 | serviceMonitor: |
| 991 | ## @param metrics.serviceMonitor.enabled Create ServiceMonitor Resource for scraping metrics using PrometheusOperator |
| 992 | ## |
| 993 | enabled: false |
| 994 | ## @param metrics.serviceMonitor.port Metrics service HTTP port |
| 995 | ## |
| 996 | port: http |
| 997 | ## @param metrics.serviceMonitor.endpoints [array] The endpoint configuration of the ServiceMonitor. Path is mandatory. Interval, timeout and labellings can be overwritten. |
| 998 | ## |
| 999 | endpoints: |
| 1000 | - path: '{{ include "keycloak.httpPath" . }}metrics' |
| 1001 | - path: '{{ include "keycloak.httpPath" . }}realms/master/metrics' |
| 1002 | ## @param metrics.serviceMonitor.path Metrics service HTTP path. Deprecated: Use @param metrics.serviceMonitor.endpoints instead |
| 1003 | ## |
| 1004 | path: "" |
| 1005 | ## @param metrics.serviceMonitor.namespace Namespace which Prometheus is running in |
| 1006 | ## |
| 1007 | namespace: "" |
| 1008 | ## @param metrics.serviceMonitor.interval Interval at which metrics should be scraped |
| 1009 | ## |
| 1010 | interval: 30s |
| 1011 | ## @param metrics.serviceMonitor.scrapeTimeout Specify the timeout after which the scrape is ended |
| 1012 | ## e.g: |
| 1013 | ## scrapeTimeout: 30s |
| 1014 | ## |
| 1015 | scrapeTimeout: "" |
| 1016 | ## @param metrics.serviceMonitor.labels Additional labels that can be used so ServiceMonitor will be discovered by Prometheus |
| 1017 | ## |
| 1018 | labels: {} |
| 1019 | ## @param metrics.serviceMonitor.selector Prometheus instance selector labels |
| 1020 | ## ref: https://github.com/bitnami/charts/tree/main/bitnami/prometheus-operator#prometheus-configuration |
| 1021 | ## |
| 1022 | selector: {} |
| 1023 | ## @param metrics.serviceMonitor.relabelings RelabelConfigs to apply to samples before scraping |
| 1024 | ## |
| 1025 | relabelings: [] |
| 1026 | ## @param metrics.serviceMonitor.metricRelabelings MetricRelabelConfigs to apply to samples before ingestion |
| 1027 | ## |
| 1028 | metricRelabelings: [] |
| 1029 | ## @param metrics.serviceMonitor.honorLabels honorLabels chooses the metric's labels on collisions with target labels |
| 1030 | ## |
| 1031 | honorLabels: false |
| 1032 | ## @param metrics.serviceMonitor.jobLabel The name of the label on the target service to use as the job name in prometheus. |
| 1033 | ## |
| 1034 | jobLabel: "" |
| 1035 | ## Prometheus Operator alert rules configuration |
| 1036 | ## |
| 1037 | prometheusRule: |
| 1038 | ## @param metrics.prometheusRule.enabled Create PrometheusRule Resource for scraping metrics using PrometheusOperator |
| 1039 | ## |
| 1040 | enabled: false |
| 1041 | ## @param metrics.prometheusRule.namespace Namespace which Prometheus is running in |
| 1042 | ## |
| 1043 | namespace: "" |
| 1044 | ## @param metrics.prometheusRule.labels Additional labels that can be used so PrometheusRule will be discovered by Prometheus |
| 1045 | ## |
| 1046 | labels: {} |
| 1047 | ## @param metrics.prometheusRule.groups Groups, containing the alert rules. |
| 1048 | ## Example: |
| 1049 | ## groups: |
| 1050 | ## - name: Keycloak |
| 1051 | ## rules: |
| 1052 | ## - alert: KeycloakInstanceNotAvailable |
| 1053 | ## annotations: |
| 1054 | ## message: "Keycloak instance in namespace {{ `{{` }} $labels.namespace {{ `}}` }} has not been available for the last 5 minutes." |
| 1055 | ## expr: | |
| 1056 | ## absent(kube_pod_status_ready{namespace="{{ include "common.names.namespace" . }}", condition="true"} * on (pod) kube_pod_labels{pod=~"{{ include "common.names.fullname" . }}-\\d+", namespace="{{ include "common.names.namespace" . }}"}) != 0 |
| 1057 | ## for: 5m |
| 1058 | ## labels: |
| 1059 | ## severity: critical |
| 1060 | groups: [] |
Oleksandr Kozachenko | b009349 | 2023-09-06 21:43:47 +0200 | [diff] [blame] | 1061 | ## @section keycloak-config-cli parameters |
| 1062 | |
| 1063 | ## Configuration for keycloak-config-cli |
| 1064 | ## ref: https://github.com/adorsys/keycloak-config-cli |
| 1065 | ## |
| 1066 | keycloakConfigCli: |
| 1067 | ## @param keycloakConfigCli.enabled Whether to enable keycloak-config-cli job |
| 1068 | ## |
| 1069 | enabled: false |
| 1070 | ## Bitnami keycloak-config-cli image |
| 1071 | ## ref: https://hub.docker.com/r/bitnami/keycloak-config-cli/tags/ |
Mohammed Naser | 65cda13 | 2024-05-02 14:34:08 -0400 | [diff] [blame] | 1072 | ## @param keycloakConfigCli.image.registry [default: REGISTRY_NAME] keycloak-config-cli container image registry |
| 1073 | ## @param keycloakConfigCli.image.repository [default: REPOSITORY_NAME/keycloak-config-cli] keycloak-config-cli container image repository |
| 1074 | ## @skip keycloakConfigCli.image.tag keycloak-config-cli container image tag |
Oleksandr Kozachenko | b009349 | 2023-09-06 21:43:47 +0200 | [diff] [blame] | 1075 | ## @param keycloakConfigCli.image.digest keycloak-config-cli container image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag |
| 1076 | ## @param keycloakConfigCli.image.pullPolicy keycloak-config-cli container image pull policy |
| 1077 | ## @param keycloakConfigCli.image.pullSecrets keycloak-config-cli container image pull secrets |
| 1078 | ## |
| 1079 | image: |
| 1080 | registry: docker.io |
| 1081 | repository: bitnami/keycloak-config-cli |
Mohammed Naser | 7d1623e | 2024-06-17 09:12:39 -0400 | [diff] [blame] | 1082 | tag: 5.12.0-debian-12-r5 |
Oleksandr Kozachenko | b009349 | 2023-09-06 21:43:47 +0200 | [diff] [blame] | 1083 | digest: "" |
| 1084 | ## Specify a imagePullPolicy |
| 1085 | ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' |
Mohammed Naser | 65cda13 | 2024-05-02 14:34:08 -0400 | [diff] [blame] | 1086 | ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images |
Oleksandr Kozachenko | b009349 | 2023-09-06 21:43:47 +0200 | [diff] [blame] | 1087 | ## |
| 1088 | pullPolicy: IfNotPresent |
| 1089 | ## Optionally specify an array of imagePullSecrets. |
| 1090 | ## Secrets must be manually created in the namespace. |
| 1091 | ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ |
| 1092 | ## e.g: |
| 1093 | ## pullSecrets: |
| 1094 | ## - myRegistryKeySecretName |
| 1095 | ## |
| 1096 | pullSecrets: [] |
| 1097 | ## @param keycloakConfigCli.annotations [object] Annotations for keycloak-config-cli job |
| 1098 | ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ |
| 1099 | ## |
| 1100 | annotations: |
| 1101 | helm.sh/hook: "post-install,post-upgrade,post-rollback" |
| 1102 | helm.sh/hook-delete-policy: "hook-succeeded,before-hook-creation" |
| 1103 | helm.sh/hook-weight: "5" |
| 1104 | ## @param keycloakConfigCli.command Command for running the container (set to default if not set). Use array form |
| 1105 | ## |
| 1106 | command: [] |
| 1107 | ## @param keycloakConfigCli.args Args for running the container (set to default if not set). Use array form |
| 1108 | ## |
| 1109 | args: [] |
Mohammed Naser | 65cda13 | 2024-05-02 14:34:08 -0400 | [diff] [blame] | 1110 | ## @param keycloakConfigCli.automountServiceAccountToken Mount Service Account token in pod |
| 1111 | ## |
| 1112 | automountServiceAccountToken: true |
Oleksandr Kozachenko | b009349 | 2023-09-06 21:43:47 +0200 | [diff] [blame] | 1113 | ## @param keycloakConfigCli.hostAliases Job pod host aliases |
| 1114 | ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ |
| 1115 | ## |
| 1116 | hostAliases: [] |
| 1117 | ## Keycloak config CLI resource requests and limits |
Mohammed Naser | 65cda13 | 2024-05-02 14:34:08 -0400 | [diff] [blame] | 1118 | ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ |
| 1119 | ## @param keycloakConfigCli.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if keycloakConfigCli.resources is set (keycloakConfigCli.resources is recommended for production). |
| 1120 | ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 |
Oleksandr Kozachenko | b009349 | 2023-09-06 21:43:47 +0200 | [diff] [blame] | 1121 | ## |
Mohammed Naser | 65cda13 | 2024-05-02 14:34:08 -0400 | [diff] [blame] | 1122 | resourcesPreset: "small" |
| 1123 | ## @param keycloakConfigCli.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) |
| 1124 | ## Example: |
| 1125 | ## resources: |
| 1126 | ## requests: |
| 1127 | ## cpu: 2 |
| 1128 | ## memory: 512Mi |
| 1129 | ## limits: |
| 1130 | ## cpu: 3 |
| 1131 | ## memory: 1024Mi |
| 1132 | ## |
| 1133 | resources: {} |
Oleksandr Kozachenko | b009349 | 2023-09-06 21:43:47 +0200 | [diff] [blame] | 1134 | ## keycloak-config-cli containers' Security Context |
| 1135 | ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container |
Mohammed Naser | 65cda13 | 2024-05-02 14:34:08 -0400 | [diff] [blame] | 1136 | ## @param keycloakConfigCli.containerSecurityContext.enabled Enabled keycloak-config-cli Security Context |
| 1137 | ## @param keycloakConfigCli.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container |
| 1138 | ## @param keycloakConfigCli.containerSecurityContext.runAsUser Set keycloak-config-cli Security Context runAsUser |
| 1139 | ## @param keycloakConfigCli.containerSecurityContext.runAsGroup Set keycloak-config-cli Security Context runAsGroup |
| 1140 | ## @param keycloakConfigCli.containerSecurityContext.runAsNonRoot Set keycloak-config-cli Security Context runAsNonRoot |
| 1141 | ## @param keycloakConfigCli.containerSecurityContext.privileged Set keycloak-config-cli Security Context privileged |
| 1142 | ## @param keycloakConfigCli.containerSecurityContext.readOnlyRootFilesystem Set keycloak-config-cli Security Context readOnlyRootFilesystem |
| 1143 | ## @param keycloakConfigCli.containerSecurityContext.allowPrivilegeEscalation Set keycloak-config-cli Security Context allowPrivilegeEscalation |
| 1144 | ## @param keycloakConfigCli.containerSecurityContext.capabilities.drop List of capabilities to be dropped |
| 1145 | ## @param keycloakConfigCli.containerSecurityContext.seccompProfile.type Set keycloak-config-cli Security Context seccomp profile |
Oleksandr Kozachenko | b009349 | 2023-09-06 21:43:47 +0200 | [diff] [blame] | 1146 | ## |
| 1147 | containerSecurityContext: |
| 1148 | enabled: true |
Mohammed Naser | 65cda13 | 2024-05-02 14:34:08 -0400 | [diff] [blame] | 1149 | seLinuxOptions: {} |
Oleksandr Kozachenko | b009349 | 2023-09-06 21:43:47 +0200 | [diff] [blame] | 1150 | runAsUser: 1001 |
Mohammed Naser | 65cda13 | 2024-05-02 14:34:08 -0400 | [diff] [blame] | 1151 | runAsGroup: 1001 |
Oleksandr Kozachenko | b009349 | 2023-09-06 21:43:47 +0200 | [diff] [blame] | 1152 | runAsNonRoot: true |
Mohammed Naser | 65cda13 | 2024-05-02 14:34:08 -0400 | [diff] [blame] | 1153 | privileged: false |
| 1154 | readOnlyRootFilesystem: true |
| 1155 | allowPrivilegeEscalation: false |
| 1156 | capabilities: |
| 1157 | drop: ["ALL"] |
| 1158 | seccompProfile: |
| 1159 | type: "RuntimeDefault" |
Oleksandr Kozachenko | b009349 | 2023-09-06 21:43:47 +0200 | [diff] [blame] | 1160 | ## keycloak-config-cli pods' Security Context |
| 1161 | ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod |
| 1162 | ## @param keycloakConfigCli.podSecurityContext.enabled Enabled keycloak-config-cli pods' Security Context |
Mohammed Naser | 65cda13 | 2024-05-02 14:34:08 -0400 | [diff] [blame] | 1163 | ## @param keycloakConfigCli.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy |
| 1164 | ## @param keycloakConfigCli.podSecurityContext.sysctls Set kernel settings using the sysctl interface |
| 1165 | ## @param keycloakConfigCli.podSecurityContext.supplementalGroups Set filesystem extra groups |
Oleksandr Kozachenko | b009349 | 2023-09-06 21:43:47 +0200 | [diff] [blame] | 1166 | ## @param keycloakConfigCli.podSecurityContext.fsGroup Set keycloak-config-cli pod's Security Context fsGroup |
| 1167 | ## |
| 1168 | podSecurityContext: |
| 1169 | enabled: true |
Mohammed Naser | 65cda13 | 2024-05-02 14:34:08 -0400 | [diff] [blame] | 1170 | fsGroupChangePolicy: Always |
| 1171 | sysctls: [] |
| 1172 | supplementalGroups: [] |
Oleksandr Kozachenko | b009349 | 2023-09-06 21:43:47 +0200 | [diff] [blame] | 1173 | fsGroup: 1001 |
| 1174 | ## @param keycloakConfigCli.backoffLimit Number of retries before considering a Job as failed |
| 1175 | ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy |
| 1176 | ## |
| 1177 | backoffLimit: 1 |
| 1178 | ## @param keycloakConfigCli.podLabels Pod extra labels |
| 1179 | ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ |
| 1180 | ## |
| 1181 | podLabels: {} |
| 1182 | ## @param keycloakConfigCli.podAnnotations Annotations for job pod |
| 1183 | ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ |
| 1184 | ## |
| 1185 | podAnnotations: {} |
| 1186 | ## @param keycloakConfigCli.extraEnvVars Additional environment variables to set |
| 1187 | ## Example: |
| 1188 | ## extraEnvVars: |
| 1189 | ## - name: FOO |
| 1190 | ## value: "bar" |
| 1191 | ## |
| 1192 | ## @param keycloakConfigCli.nodeSelector Node labels for pod assignment |
Mohammed Naser | 65cda13 | 2024-05-02 14:34:08 -0400 | [diff] [blame] | 1193 | ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ |
Oleksandr Kozachenko | b009349 | 2023-09-06 21:43:47 +0200 | [diff] [blame] | 1194 | ## |
| 1195 | nodeSelector: {} |
| 1196 | ## |
| 1197 | ## @param keycloakConfigCli.podTolerations Tolerations for job pod assignment |
| 1198 | ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ |
| 1199 | ## |
| 1200 | podTolerations: [] |
| 1201 | extraEnvVars: [] |
| 1202 | ## @param keycloakConfigCli.extraEnvVarsCM ConfigMap with extra environment variables |
| 1203 | ## |
| 1204 | extraEnvVarsCM: "" |
| 1205 | ## @param keycloakConfigCli.extraEnvVarsSecret Secret with extra environment variables |
| 1206 | ## |
| 1207 | extraEnvVarsSecret: "" |
| 1208 | ## @param keycloakConfigCli.extraVolumes Extra volumes to add to the job |
| 1209 | ## |
| 1210 | extraVolumes: [] |
| 1211 | ## @param keycloakConfigCli.extraVolumeMounts Extra volume mounts to add to the container |
| 1212 | ## |
| 1213 | extraVolumeMounts: [] |
| 1214 | ## @param keycloakConfigCli.initContainers Add additional init containers to the Keycloak config cli pod |
| 1215 | ## Example: |
| 1216 | ## initContainers: |
| 1217 | ## - name: your-image-name |
| 1218 | ## image: your-image |
| 1219 | ## imagePullPolicy: Always |
| 1220 | ## ports: |
| 1221 | ## - name: portname |
| 1222 | ## containerPort: 1234 |
| 1223 | ## |
| 1224 | initContainers: [] |
| 1225 | ## @param keycloakConfigCli.sidecars Add additional sidecar containers to the Keycloak config cli pod |
| 1226 | ## Example: |
| 1227 | ## sidecars: |
| 1228 | ## - name: your-image-name |
| 1229 | ## image: your-image |
| 1230 | ## imagePullPolicy: Always |
| 1231 | ## ports: |
| 1232 | ## - name: portname |
| 1233 | ## containerPort: 1234 |
| 1234 | ## |
| 1235 | sidecars: [] |
| 1236 | ## @param keycloakConfigCli.configuration keycloak-config-cli realms configuration |
| 1237 | ## NOTE: nil keys will be considered files to import locally |
| 1238 | ## Example: |
| 1239 | ## configuration: |
| 1240 | ## realm1.json: | |
| 1241 | ## { |
| 1242 | ## "realm": "realm1", |
| 1243 | ## "clients": [] |
| 1244 | ## } |
| 1245 | ## realm2.yaml: | |
| 1246 | ## realm: realm2 |
| 1247 | ## clients: [] |
| 1248 | ## |
| 1249 | configuration: {} |
Mohammed Naser | 65cda13 | 2024-05-02 14:34:08 -0400 | [diff] [blame] | 1250 | ## @param keycloakConfigCli.existingConfigmap ConfigMap with keycloak-config-cli configuration |
Oleksandr Kozachenko | b009349 | 2023-09-06 21:43:47 +0200 | [diff] [blame] | 1251 | ## NOTE: This will override keycloakConfigCli.configuration |
| 1252 | ## |
| 1253 | existingConfigmap: "" |
| 1254 | ## Automatic Cleanup for Finished Jobs |
| 1255 | ## @param keycloakConfigCli.cleanupAfterFinished.enabled Enables Cleanup for Finished Jobs |
| 1256 | ## @param keycloakConfigCli.cleanupAfterFinished.seconds Sets the value of ttlSecondsAfterFinished |
| 1257 | ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ |
| 1258 | ## |
| 1259 | cleanupAfterFinished: |
| 1260 | enabled: false |
| 1261 | seconds: 600 |
Oleksandr Kozachenko | b009349 | 2023-09-06 21:43:47 +0200 | [diff] [blame] | 1262 | ## @section Database parameters |
| 1263 | |
| 1264 | ## PostgreSQL chart configuration |
| 1265 | ## ref: https://github.com/bitnami/charts/blob/main/bitnami/postgresql/values.yaml |
| 1266 | ## @param postgresql.enabled Switch to enable or disable the PostgreSQL helm chart |
| 1267 | ## @param postgresql.auth.postgresPassword Password for the "postgres" admin user. Ignored if `auth.existingSecret` with key `postgres-password` is provided |
| 1268 | ## @param postgresql.auth.username Name for a custom user to create |
| 1269 | ## @param postgresql.auth.password Password for the custom user to create |
| 1270 | ## @param postgresql.auth.database Name for a custom database to create |
| 1271 | ## @param postgresql.auth.existingSecret Name of existing secret to use for PostgreSQL credentials |
| 1272 | ## @param postgresql.architecture PostgreSQL architecture (`standalone` or `replication`) |
| 1273 | ## |
| 1274 | postgresql: |
| 1275 | enabled: true |
| 1276 | auth: |
| 1277 | postgresPassword: "" |
| 1278 | username: bn_keycloak |
| 1279 | password: "" |
| 1280 | database: bitnami_keycloak |
| 1281 | existingSecret: "" |
| 1282 | architecture: standalone |
| 1283 | ## External PostgreSQL configuration |
| 1284 | ## All of these values are only used when postgresql.enabled is set to false |
| 1285 | ## @param externalDatabase.host Database host |
| 1286 | ## @param externalDatabase.port Database port number |
| 1287 | ## @param externalDatabase.user Non-root username for Keycloak |
| 1288 | ## @param externalDatabase.password Password for the non-root username for Keycloak |
| 1289 | ## @param externalDatabase.database Keycloak database name |
| 1290 | ## @param externalDatabase.existingSecret Name of an existing secret resource containing the database credentials |
| 1291 | ## @param externalDatabase.existingSecretHostKey Name of an existing secret key containing the database host name |
| 1292 | ## @param externalDatabase.existingSecretPortKey Name of an existing secret key containing the database port |
| 1293 | ## @param externalDatabase.existingSecretUserKey Name of an existing secret key containing the database user |
| 1294 | ## @param externalDatabase.existingSecretDatabaseKey Name of an existing secret key containing the database name |
| 1295 | ## @param externalDatabase.existingSecretPasswordKey Name of an existing secret key containing the database credentials |
Mohammed Naser | 65cda13 | 2024-05-02 14:34:08 -0400 | [diff] [blame] | 1296 | ## @param externalDatabase.annotations Additional custom annotations for external database secret object |
Oleksandr Kozachenko | b009349 | 2023-09-06 21:43:47 +0200 | [diff] [blame] | 1297 | ## |
| 1298 | externalDatabase: |
| 1299 | host: "" |
| 1300 | port: 5432 |
| 1301 | user: bn_keycloak |
| 1302 | database: bitnami_keycloak |
| 1303 | password: "" |
| 1304 | existingSecret: "" |
| 1305 | existingSecretHostKey: "" |
| 1306 | existingSecretPortKey: "" |
| 1307 | existingSecretUserKey: "" |
| 1308 | existingSecretDatabaseKey: "" |
| 1309 | existingSecretPasswordKey: "" |
Mohammed Naser | 65cda13 | 2024-05-02 14:34:08 -0400 | [diff] [blame] | 1310 | annotations: {} |
Oleksandr Kozachenko | b009349 | 2023-09-06 21:43:47 +0200 | [diff] [blame] | 1311 | ## @section Keycloak Cache parameters |
| 1312 | |
| 1313 | ## Keycloak cache configuration |
| 1314 | ## ref: https://www.keycloak.org/server/caching |
| 1315 | ## @param cache.enabled Switch to enable or disable the keycloak distributed cache for kubernetes. |
| 1316 | ## NOTE: Set to false to use 'local' cache (only supported when replicaCount=1). |
| 1317 | ## @param cache.stackName Set infinispan cache stack to use |
| 1318 | ## @param cache.stackFile Set infinispan cache stack filename to use |
| 1319 | ## |
| 1320 | cache: |
| 1321 | enabled: true |
| 1322 | stackName: kubernetes |
| 1323 | stackFile: "" |
Oleksandr Kozachenko | b009349 | 2023-09-06 21:43:47 +0200 | [diff] [blame] | 1324 | ## @section Keycloak Logging parameters |
| 1325 | |
| 1326 | ## Keycloak logging configuration |
| 1327 | ## ref: https://www.keycloak.org/server/logging |
| 1328 | ## @param logging.output Alternates between the default log output format or json format |
| 1329 | ## @param logging.level Allowed values as documented: FATAL, ERROR, WARN, INFO, DEBUG, TRACE, ALL, OFF |
| 1330 | ## |
| 1331 | logging: |
| 1332 | output: default |
| 1333 | level: INFO |