Mohammed Naser7d1623e2024-06-17 09:12:39 -04001# Copyright Broadcom, Inc. All Rights Reserved.
Oleksandr Kozachenkob0093492023-09-06 21:43:47 +02002# SPDX-License-Identifier: APACHE-2.0
3
4## @section Global parameters
5## Global Docker image parameters
6## Please note that this will override the image parameters (including those of dependencies) configured to use the global value
7## Current available global Docker image parameters: imageRegistry, imagePullSecrets and storageClass
8##
9
10## @param global.imageRegistry Global Docker image registry
11## @param global.imagePullSecrets Global Docker registry secret names as an array
12## @param global.storageClass Global StorageClass for Persistent Volume(s)
13##
14global:
15 imageRegistry: ""
16 ## E.g.
17 ## imagePullSecrets:
18 ## - myRegistryKeySecretName
19 ##
20 imagePullSecrets: []
21 storageClass: ""
Mohammed Naser65cda132024-05-02 14:34:08 -040022 ## Compatibility adaptations for Kubernetes platforms
23 ##
24 compatibility:
25 ## Compatibility adaptations for Openshift
26 ##
27 openshift:
28 ## @param global.compatibility.openshift.adaptSecurityContext Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation)
29 ##
30 adaptSecurityContext: auto
Oleksandr Kozachenkob0093492023-09-06 21:43:47 +020031## @section Common parameters
32##
33
34## @param kubeVersion Force target Kubernetes version (using Helm capabilities if not set)
35##
36kubeVersion: ""
37## @param nameOverride String to partially override common.names.fullname
38##
39nameOverride: ""
40## @param fullnameOverride String to fully override common.names.fullname
41##
42fullnameOverride: ""
43## @param namespaceOverride String to fully override common.names.namespace
44##
45namespaceOverride: ""
46## @param commonLabels Labels to add to all deployed objects
47##
48commonLabels: {}
49## @param enableServiceLinks If set to false, disable Kubernetes service links in the pod spec
50## Ref: https://kubernetes.io/docs/tutorials/services/connect-applications-service/#accessing-the-service
51##
52enableServiceLinks: true
53## @param commonAnnotations Annotations to add to all deployed objects
54##
55commonAnnotations: {}
56## @param dnsPolicy DNS Policy for pod
57## ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/
58## E.g.
59## dnsPolicy: ClusterFirst
60dnsPolicy: ""
61## @param dnsConfig DNS Configuration pod
62## ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/
63## E.g.
64## dnsConfig:
65## options:
66## - name: ndots
67## value: "4"
68dnsConfig: {}
69## @param clusterDomain Default Kubernetes cluster domain
70##
71clusterDomain: cluster.local
72## @param extraDeploy Array of extra objects to deploy with the release
73##
74extraDeploy: []
75## Enable diagnostic mode in the statefulset
76##
77diagnosticMode:
78 ## @param diagnosticMode.enabled Enable diagnostic mode (all probes will be disabled and the command will be overridden)
79 ##
80 enabled: false
81 ## @param diagnosticMode.command Command to override all containers in the statefulset
82 ##
83 command:
84 - sleep
85 ## @param diagnosticMode.args Args to override all containers in the statefulset
86 ##
87 args:
88 - infinity
Oleksandr Kozachenkob0093492023-09-06 21:43:47 +020089## @section Keycloak parameters
90
91## Bitnami Keycloak image version
92## ref: https://hub.docker.com/r/bitnami/keycloak/tags/
Mohammed Naser65cda132024-05-02 14:34:08 -040093## @param image.registry [default: REGISTRY_NAME] Keycloak image registry
94## @param image.repository [default: REPOSITORY_NAME/keycloak] Keycloak image repository
95## @skip image.tag Keycloak image tag (immutable tags are recommended)
Oleksandr Kozachenkob0093492023-09-06 21:43:47 +020096## @param image.digest Keycloak image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag
97## @param image.pullPolicy Keycloak image pull policy
98## @param image.pullSecrets Specify docker-registry secret names as an array
99## @param image.debug Specify if debug logs should be enabled
100##
101image:
102 registry: docker.io
103 repository: bitnami/keycloak
Mohammed Naser7d1623e2024-06-17 09:12:39 -0400104 tag: 24.0.5-debian-12-r0
Oleksandr Kozachenkob0093492023-09-06 21:43:47 +0200105 digest: ""
106 ## Specify a imagePullPolicy
107 ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
Mohammed Naser65cda132024-05-02 14:34:08 -0400108 ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images
Oleksandr Kozachenkob0093492023-09-06 21:43:47 +0200109 ##
110 pullPolicy: IfNotPresent
111 ## Optionally specify an array of imagePullSecrets.
112 ## Secrets must be manually created in the namespace.
113 ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
114 ## Example:
115 ## pullSecrets:
116 ## - myRegistryKeySecretName
117 ##
118 pullSecrets: []
119 ## Set to true if you would like to see extra information on logs
120 ##
121 debug: false
122## Keycloak authentication parameters
123## ref: https://github.com/bitnami/containers/tree/main/bitnami/keycloak#admin-credentials
124##
125auth:
126 ## @param auth.adminUser Keycloak administrator user
127 ##
128 adminUser: user
129 ## @param auth.adminPassword Keycloak administrator password for the new user
130 ##
131 adminPassword: ""
132 ## @param auth.existingSecret Existing secret containing Keycloak admin password
133 ##
134 existingSecret: ""
135 ## @param auth.passwordSecretKey Key under which the Keycloak admin password is stored inside the existing secret.
136 ##
137 passwordSecretKey: ""
Mohammed Naser65cda132024-05-02 14:34:08 -0400138 ## @param auth.annotations Additional custom annotations for Keycloak auth secret object
139 ##
140 annotations: {}
Oleksandr Kozachenkob0093492023-09-06 21:43:47 +0200141## HTTPS settings
142## ref: https://github.com/bitnami/containers/tree/main/bitnami/keycloak#tls-encryption
143##
144tls:
145 ## @param tls.enabled Enable TLS encryption. Required for HTTPS traffic.
146 ##
147 enabled: false
148 ## @param tls.autoGenerated Generate automatically self-signed TLS certificates. Currently only supports PEM certificates
149 ##
150 autoGenerated: false
151 ## @param tls.existingSecret Existing secret containing the TLS certificates per Keycloak replica
152 ## Create this secret following the steps below:
153 ## 1) Generate your truststore and keystore files (more info at https://www.keycloak.org/docs/latest/server_installation/#_setting_up_ssl)
154 ## 2) Rename your truststore to `keycloak.truststore.jks` or use a different name overwriting the value 'tls.truststoreFilename'.
155 ## 3) Rename your keystores to `keycloak.keystore.jks` or use a different name overwriting the value 'tls.keystoreFilename'.
156 ## 4) Run the command below where SECRET_NAME is the name of the secret you want to create:
157 ## kubectl create secret generic SECRET_NAME --from-file=./keycloak.truststore.jks --from-file=./keycloak.keystore.jks
158 ## NOTE: If usePem enabled, make sure the PEM key and cert are named 'tls.key' and 'tls.crt' respectively.
159 ##
160 existingSecret: ""
161 ## @param tls.usePem Use PEM certificates as input instead of PKCS12/JKS stores
162 ## If "true", the Keycloak chart will look for the files keycloak.key and keycloak.crt inside the secret provided with 'existingSecret'.
163 ##
164 usePem: false
165 ## @param tls.truststoreFilename Truststore filename inside the existing secret
166 ##
167 truststoreFilename: "keycloak.truststore.jks"
168 ## @param tls.keystoreFilename Keystore filename inside the existing secret
169 ##
170 keystoreFilename: "keycloak.keystore.jks"
171 ## @param tls.keystorePassword Password to access the keystore when it's password-protected
172 ##
173 keystorePassword: ""
174 ## @param tls.truststorePassword Password to access the truststore when it's password-protected
175 ##
176 truststorePassword: ""
177 ## @param tls.passwordsSecret Secret containing the Keystore and Truststore passwords.
178 ##
179 passwordsSecret: ""
Oleksandr Kozachenkob0093492023-09-06 21:43:47 +0200180## SPI TLS settings
181## ref: https://www.keycloak.org/server/keycloak-truststore
182##
183spi:
184 ## @param spi.existingSecret Existing secret containing the Keycloak truststore for SPI connection over HTTPS/TLS
185 ## Create this secret following the steps below:
186 ## 1) Rename your truststore to `keycloak-spi.truststore.jks` or use a different name overwriting the value 'spi.truststoreFilename'.
187 ## 2) Run the command below where SECRET_NAME is the name of the secret you want to create:
188 ## kubectl create secret generic SECRET_NAME --from-file=./keycloak-spi.truststore.jks --from-file=./keycloak.keystore.jks
189 ##
190 existingSecret: ""
191 ## @param spi.truststorePassword Password to access the truststore when it's password-protected
192 ##
193 truststorePassword: ""
194 ## @param spi.truststoreFilename Truststore filename inside the existing secret
195 ##
196 truststoreFilename: "keycloak-spi.truststore.jks"
197 ## @param spi.passwordsSecret Secret containing the SPI Truststore passwords.
198 ##
199 passwordsSecret: ""
Mohammed Naser7d1623e2024-06-17 09:12:39 -0400200 ## @param spi.hostnameVerificationPolicy Verify the hostname of the server's certificate. Allowed values: "ANY", "WILDCARD", "STRICT". "ANY" skips hostname verification of the server certificate entirely, so prefer "STRICT" (or "WILDCARD") for production deployments.
Oleksandr Kozachenkob0093492023-09-06 21:43:47 +0200201 ##
202 hostnameVerificationPolicy: ""
Oleksandr Kozachenkob0093492023-09-06 21:43:47 +0200203## @param production Run Keycloak in production mode. TLS configuration is required except when using proxy=edge.
204##
205production: false
206## @param proxy Reverse proxy mode: edge, reencrypt, passthrough or none
207## ref: https://www.keycloak.org/server/reverseproxy
208##
209proxy: passthrough
210## @param httpRelativePath Set the path relative to '/' for serving resources. Useful if you are migrating from older versions which were using '/auth/'
211## ref: https://www.keycloak.org/migration/migrating-to-quarkus#_default_context_path_changed
212##
213httpRelativePath: "/"
214## Keycloak Service Discovery settings
215## ref: https://github.com/bitnami/containers/tree/main/bitnami/keycloak#cluster-configuration
216##
217## @param configuration Keycloak Configuration. Auto-generated based on other parameters when not specified
218## Specify content for keycloak.conf
219## NOTE: This will override configuring Keycloak based on environment variables (including those set by the chart)
220## The keycloak.conf is auto-generated based on other parameters when this parameter is not specified
221##
222## Example:
223## configuration: |-
224## foo: bar
225## baz:
226##
227configuration: ""
228## @param existingConfigmap Name of existing ConfigMap with Keycloak configuration
229## NOTE: When it's set the configuration parameter is ignored
230##
231existingConfigmap: ""
232## @param extraStartupArgs Extra default startup args
233##
234extraStartupArgs: ""
Mohammed Naser65cda132024-05-02 14:34:08 -0400235## @param enableDefaultInitContainers Deploy default init containers
236## Disabling this parameter can be helpful for 3rd-party images, e.g. the native Keycloak image.
237##
238enableDefaultInitContainers: true
Oleksandr Kozachenkob0093492023-09-06 21:43:47 +0200239## @param initdbScripts Dictionary of initdb scripts
240## Specify dictionary of scripts to be run at first boot
241## ref: https://github.com/bitnami/containers/tree/main/bitnami/keycloak#initializing-a-new-instance
242## Example:
243## initdbScripts:
244## my_init_script.sh: |
245## #!/bin/bash
246## echo "Do something."
247##
248initdbScripts: {}
249## @param initdbScriptsConfigMap ConfigMap with the initdb scripts (Note: Overrides `initdbScripts`)
250##
251initdbScriptsConfigMap: ""
252## @param command Override default container command (useful when using custom images)
253##
254command: []
255## @param args Override default container args (useful when using custom images)
256##
257args: []
258## @param extraEnvVars Extra environment variables to be set on Keycloak container
259## Example:
260## extraEnvVars:
261## - name: FOO
262## value: "bar"
263##
264extraEnvVars: []
265## @param extraEnvVarsCM Name of existing ConfigMap containing extra env vars
266##
267extraEnvVarsCM: ""
268## @param extraEnvVarsSecret Name of existing Secret containing extra env vars
269##
270extraEnvVarsSecret: ""
Oleksandr Kozachenkob0093492023-09-06 21:43:47 +0200271## @section Keycloak statefulset parameters
272
273## @param replicaCount Number of Keycloak replicas to deploy
274##
275replicaCount: 1
Mohammed Naser65cda132024-05-02 14:34:08 -0400276## @param revisionHistoryLimitCount Number of controller revisions to keep
277##
278revisionHistoryLimitCount: 10
Oleksandr Kozachenkob0093492023-09-06 21:43:47 +0200279## @param containerPorts.http Keycloak HTTP container port
280## @param containerPorts.https Keycloak HTTPS container port
Oleksandr Kozachenkob0093492023-09-06 21:43:47 +0200281##
282containerPorts:
283 http: 8080
284 https: 8443
Oleksandr Kozachenkob0093492023-09-06 21:43:47 +0200285## @param extraContainerPorts Optionally specify extra list of additional port-mappings for Keycloak container
286##
287extraContainerPorts: []
Mohammed Naser65cda132024-05-02 14:34:08 -0400288## @param statefulsetAnnotations Optionally add extra annotations on the statefulset resource
289statefulsetAnnotations: {}
290##
Oleksandr Kozachenkob0093492023-09-06 21:43:47 +0200291## Keycloak pods' SecurityContext
292## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
293## @param podSecurityContext.enabled Enable Keycloak pods' Security Context
Mohammed Naser65cda132024-05-02 14:34:08 -0400294## @param podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
295## @param podSecurityContext.sysctls Set kernel settings using the sysctl interface
296## @param podSecurityContext.supplementalGroups Set filesystem extra groups
Oleksandr Kozachenkob0093492023-09-06 21:43:47 +0200297## @param podSecurityContext.fsGroup Set Keycloak pod's Security Context fsGroup
298##
299podSecurityContext:
300 enabled: true
Mohammed Naser65cda132024-05-02 14:34:08 -0400301 fsGroupChangePolicy: Always
302 sysctls: []
303 supplementalGroups: []
Oleksandr Kozachenkob0093492023-09-06 21:43:47 +0200304 fsGroup: 1001
305## Keycloak containers' Security Context
306## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
Mohammed Naser65cda132024-05-02 14:34:08 -0400307## @param containerSecurityContext.enabled Enable containers' Security Context
308## @param containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
309## @param containerSecurityContext.runAsUser Set containers' Security Context runAsUser
310## @param containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup
311## @param containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
312## @param containerSecurityContext.privileged Set container's Security Context privileged
313## @param containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
314## @param containerSecurityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation
315## @param containerSecurityContext.capabilities.drop List of capabilities to be dropped
316## @param containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile
Oleksandr Kozachenkob0093492023-09-06 21:43:47 +0200317##
318containerSecurityContext:
319 enabled: true
Mohammed Naser65cda132024-05-02 14:34:08 -0400320 seLinuxOptions: {}
Oleksandr Kozachenkob0093492023-09-06 21:43:47 +0200321 runAsUser: 1001
Mohammed Naser65cda132024-05-02 14:34:08 -0400322 runAsGroup: 1001
Oleksandr Kozachenkob0093492023-09-06 21:43:47 +0200323 runAsNonRoot: true
Mohammed Naser65cda132024-05-02 14:34:08 -0400324 privileged: false
325 readOnlyRootFilesystem: true
326 allowPrivilegeEscalation: false
327 capabilities:
328 drop: ["ALL"]
329 seccompProfile:
330 type: "RuntimeDefault"
Oleksandr Kozachenkob0093492023-09-06 21:43:47 +0200331## Keycloak resource requests and limits
Mohammed Naser65cda132024-05-02 14:34:08 -0400332## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
333## @param resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production).
334## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
Oleksandr Kozachenkob0093492023-09-06 21:43:47 +0200335##
Mohammed Naser65cda132024-05-02 14:34:08 -0400336resourcesPreset: "small"
337## @param resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
338## Example:
339## resources:
340## requests:
341## cpu: 2
342## memory: 512Mi
343## limits:
344## cpu: 3
345## memory: 1024Mi
346##
347resources: {}
Oleksandr Kozachenkob0093492023-09-06 21:43:47 +0200348## Configure extra options for Keycloak containers' liveness, readiness and startup probes
349## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes
350## @param livenessProbe.enabled Enable livenessProbe on Keycloak containers
351## @param livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe
352## @param livenessProbe.periodSeconds Period seconds for livenessProbe
353## @param livenessProbe.timeoutSeconds Timeout seconds for livenessProbe
354## @param livenessProbe.failureThreshold Failure threshold for livenessProbe
355## @param livenessProbe.successThreshold Success threshold for livenessProbe
356##
357livenessProbe:
358 enabled: true
359 initialDelaySeconds: 300
360 periodSeconds: 1
361 timeoutSeconds: 5
362 failureThreshold: 3
363 successThreshold: 1
364## @param readinessProbe.enabled Enable readinessProbe on Keycloak containers
365## @param readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe
366## @param readinessProbe.periodSeconds Period seconds for readinessProbe
367## @param readinessProbe.timeoutSeconds Timeout seconds for readinessProbe
368## @param readinessProbe.failureThreshold Failure threshold for readinessProbe
369## @param readinessProbe.successThreshold Success threshold for readinessProbe
370##
371readinessProbe:
372 enabled: true
373 initialDelaySeconds: 30
374 periodSeconds: 10
375 timeoutSeconds: 1
376 failureThreshold: 3
377 successThreshold: 1
378## When enabling this, make sure to set initialDelaySeconds to 0 for livenessProbe and readinessProbe
379## @param startupProbe.enabled Enable startupProbe on Keycloak containers
380## @param startupProbe.initialDelaySeconds Initial delay seconds for startupProbe
381## @param startupProbe.periodSeconds Period seconds for startupProbe
382## @param startupProbe.timeoutSeconds Timeout seconds for startupProbe
383## @param startupProbe.failureThreshold Failure threshold for startupProbe
384## @param startupProbe.successThreshold Success threshold for startupProbe
385##
386startupProbe:
387 enabled: false
388 initialDelaySeconds: 30
389 periodSeconds: 5
390 timeoutSeconds: 1
391 failureThreshold: 60
392 successThreshold: 1
393## @param customLivenessProbe Custom Liveness probes for Keycloak
394##
395customLivenessProbe: {}
396## @param customReadinessProbe Custom Readiness probes for Keycloak
397##
398customReadinessProbe: {}
399## @param customStartupProbe Custom Startup probes for Keycloak
400##
401customStartupProbe: {}
402## @param lifecycleHooks LifecycleHooks to set additional configuration at startup
403##
404lifecycleHooks: {}
Mohammed Naser65cda132024-05-02 14:34:08 -0400405## @param automountServiceAccountToken Mount the Service Account token in the pod (only needed when the pod has to call the Kubernetes API)
406##
407automountServiceAccountToken: true
Oleksandr Kozachenkob0093492023-09-06 21:43:47 +0200408## @param hostAliases Deployment pod host aliases
409## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
410##
411hostAliases: []
412## @param podLabels Extra labels for Keycloak pods
413## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
414##
415podLabels: {}
416## @param podAnnotations Annotations for Keycloak pods
417## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
418##
419podAnnotations: {}
420## @param podAffinityPreset Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
421## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
422##
423podAffinityPreset: ""
424## @param podAntiAffinityPreset Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
425## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
426##
427podAntiAffinityPreset: soft
428## Node affinity preset
429## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity
430##
431nodeAffinityPreset:
432 ## @param nodeAffinityPreset.type Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
433 ##
434 type: ""
435 ## @param nodeAffinityPreset.key Node label key to match. Ignored if `affinity` is set.
436 ## E.g.
437 ## key: "kubernetes.io/e2e-az-name"
438 ##
439 key: ""
440 ## @param nodeAffinityPreset.values Node label values to match. Ignored if `affinity` is set.
441 ## E.g.
442 ## values:
443 ## - e2e-az1
444 ## - e2e-az2
445 ##
446 values: []
447## @param affinity Affinity for pod assignment
448## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
449##
450affinity: {}
451## @param nodeSelector Node labels for pod assignment
Mohammed Naser65cda132024-05-02 14:34:08 -0400452## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
Oleksandr Kozachenkob0093492023-09-06 21:43:47 +0200453##
454nodeSelector: {}
455## @param tolerations Tolerations for pod assignment
456## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
457##
458tolerations: []
459## @param topologySpreadConstraints Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template
460## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/#spread-constraints-for-pods
461##
462topologySpreadConstraints: []
463## @param podManagementPolicy Pod management policy for the Keycloak statefulset
464##
465podManagementPolicy: Parallel
466## @param priorityClassName Keycloak pods' Priority Class Name
467## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/
468##
469priorityClassName: ""
470## @param schedulerName Use an alternate scheduler, e.g. "stork".
471## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
472##
473schedulerName: ""
474## @param terminationGracePeriodSeconds Seconds Keycloak pod needs to terminate gracefully
475## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods
476##
477terminationGracePeriodSeconds: ""
478## @param updateStrategy.type Keycloak statefulset strategy type
479## @param updateStrategy.rollingUpdate Keycloak statefulset rolling update configuration parameters
480## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies
481##
482updateStrategy:
483 type: RollingUpdate
484 rollingUpdate: {}
485## @param extraVolumes Optionally specify extra list of additional volumes for Keycloak pods
486##
487extraVolumes: []
488## @param extraVolumeMounts Optionally specify extra list of additional volumeMounts for Keycloak container(s)
489##
490extraVolumeMounts: []
491## @param initContainers Add additional init containers to the Keycloak pods
492## Example:
493## initContainers:
494## - name: your-image-name
495## image: your-image
496## imagePullPolicy: Always
497## ports:
498## - name: portname
499## containerPort: 1234
500##
501initContainers: []
502## @param sidecars Add additional sidecar containers to the Keycloak pods
503## Example:
504## sidecars:
505## - name: your-image-name
506## image: your-image
507## imagePullPolicy: Always
508## ports:
509## - name: portname
510## containerPort: 1234
511##
512sidecars: []
Oleksandr Kozachenkob0093492023-09-06 21:43:47 +0200513## @section Exposure parameters
514##
515
516## Service configuration
517##
518service:
519 ## @param service.type Kubernetes service type
520 ##
521 type: ClusterIP
522 ## @param service.http.enabled Enable http port on service
523 ##
524 http:
525 enabled: true
526 ## @param service.ports.http Keycloak service HTTP port
527 ## @param service.ports.https Keycloak service HTTPS port
528 ##
529 ports:
530 http: 80
531 https: 443
532 ## @param service.nodePorts [object] Specify the nodePort values for the LoadBalancer and NodePort service types.
533 ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport
534 ##
535 nodePorts:
536 http: ""
537 https: ""
538 ## @param service.sessionAffinity Control where client requests go, to the same pod or round-robin
539 ## Values: ClientIP or None
Mohammed Naser65cda132024-05-02 14:34:08 -0400540 ## ref: https://kubernetes.io/docs/concepts/services-networking/service/
Oleksandr Kozachenkob0093492023-09-06 21:43:47 +0200541 ##
542 sessionAffinity: None
543 ## @param service.sessionAffinityConfig Additional settings for the sessionAffinity
544 ## sessionAffinityConfig:
545 ## clientIP:
546 ## timeoutSeconds: 300
547 ##
548 sessionAffinityConfig: {}
549 ## @param service.clusterIP Keycloak service clusterIP IP
550 ## e.g:
551 ## clusterIP: None
552 ##
553 clusterIP: ""
554 ## @param service.loadBalancerIP loadBalancerIP for the SuiteCRM Service (optional, cloud specific)
Mohammed Naser65cda132024-05-02 14:34:08 -0400555 ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-loadbalancer
Oleksandr Kozachenkob0093492023-09-06 21:43:47 +0200556 ##
557 loadBalancerIP: ""
558 ## @param service.loadBalancerSourceRanges Source address ranges (CIDRs) allowed to reach the service when its type is LoadBalancer
559 ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
560 ## Example:
561 ## loadBalancerSourceRanges:
562 ## - 10.10.10.0/24
563 ##
564 loadBalancerSourceRanges: []
565 ## @param service.externalTrafficPolicy Enable client source IP preservation
566 ## ref https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
567 ##
568 externalTrafficPolicy: Cluster
569 ## @param service.annotations Additional custom annotations for Keycloak service
570 ##
571 annotations: {}
572 ## @param service.extraPorts Extra port to expose on Keycloak service
573 ##
574 extraPorts: []
575 # DEPRECATED service.extraHeadlessPorts will be removed in a future release, please use service.headless.extraPorts instead
576 ## @param service.extraHeadlessPorts Extra ports to expose on Keycloak headless service
577 ##
578 extraHeadlessPorts: []
579 ## Headless service properties
580 ##
581 headless:
582 ## @param service.headless.annotations Annotations for the headless service.
583 ##
584 annotations: {}
585 ## @param service.headless.extraPorts Extra ports to expose on Keycloak headless service
586 ##
587 extraPorts: []
588## Keycloak ingress parameters
Mohammed Naser65cda132024-05-02 14:34:08 -0400589## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/
Oleksandr Kozachenkob0093492023-09-06 21:43:47 +0200590##
591ingress:
592 ## @param ingress.enabled Enable ingress record generation for Keycloak
593 ##
594 enabled: false
595 ## @param ingress.ingressClassName IngressClass that will be used to implement the Ingress (Kubernetes 1.18+)
596 ## This is supported in Kubernetes 1.18+ and required if you have more than one IngressClass marked as the default for your cluster.
597 ## ref: https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/
598 ##
599 ingressClassName: ""
600 ## @param ingress.pathType Ingress path type
601 ##
602 pathType: ImplementationSpecific
603 ## @param ingress.apiVersion Force Ingress API version (automatically detected if not set)
604 ##
605 apiVersion: ""
606 ## @param ingress.hostname Default host for the ingress record (evaluated as template)
607 ##
608 hostname: keycloak.local
609 ## @param ingress.path [string] Default path for the ingress record (evaluated as template)
610 ##
611 path: "{{ .Values.httpRelativePath }}"
612 ## @param ingress.servicePort Backend service port to use
613 ## Default is http. Alternative is https.
614 ##
615 servicePort: http
616 ## @param ingress.annotations [object] Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations.
617 ## Use this parameter to set the required annotations for cert-manager, see
618 ## ref: https://cert-manager.io/docs/usage/ingress/#supported-annotations
619 ## e.g:
620 ## annotations:
621 ## kubernetes.io/ingress.class: nginx
622 ## cert-manager.io/cluster-issuer: cluster-issuer-name
623 ##
624 annotations: {}
625 ## @param ingress.labels Additional labels for the Ingress resource.
626 ## e.g:
627 ## labels:
628 ## app: keycloak
629 ##
630 labels: {}
631 ## @param ingress.tls Enable TLS configuration for the host defined at `ingress.hostname` parameter
632 ## TLS certificates will be retrieved from a TLS secret with name: `{{- printf "%s-tls" (tpl .Values.ingress.hostname .) }}`
633 ## You can:
634 ## - Use the `ingress.secrets` parameter to create this TLS secret
635 ## - Rely on cert-manager to create it by setting the corresponding annotations
636 ## - Rely on Helm to create self-signed certificates by setting `ingress.selfSigned=true`
637 ##
638 tls: false
639 ## @param ingress.selfSigned Create a TLS secret for this ingress record using self-signed certificates generated by Helm
640 ##
641 selfSigned: false
642 ## @param ingress.extraHosts An array with additional hostname(s) to be covered with the ingress record
643 ## e.g:
644 ## extraHosts:
645 ## - name: keycloak.local
646 ## path: /
647 ##
648 extraHosts: []
649 ## @param ingress.extraPaths Any additional arbitrary paths that may need to be added to the ingress under the main host.
650 ## For example: The ALB ingress controller requires a special rule for handling SSL redirection.
651 ## extraPaths:
652 ## - path: /*
653 ## backend:
654 ## serviceName: ssl-redirect
655 ## servicePort: use-annotation
656 ##
657 extraPaths: []
658 ## @param ingress.extraTls The tls configuration for additional hostnames to be covered with this ingress record.
659 ## see: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
660 ## extraTls:
661 ## - hosts:
662 ## - keycloak.local
663 ## secretName: keycloak.local-tls
664 ##
665 extraTls: []
666 ## @param ingress.secrets If you're providing your own certificates, please use this to add the certificates as secrets
667 ## key and certificate should start with -----BEGIN CERTIFICATE----- or
668 ## -----BEGIN RSA PRIVATE KEY-----
669 ##
670 ## name should line up with a tlsSecret set further up
671 ## If you're using cert-manager, this is unneeded, as it will create the secret for you if it is not set
672 ##
673 ## It is also possible to create and manage the certificates outside of this helm chart
674 ## Please see README.md for more information
675 ## e.g:
676 ## - name: keycloak.local-tls
677 ## key:
678 ## certificate:
679 ##
680 secrets: []
681 ## @param ingress.extraRules Additional rules to be covered with this ingress record
682 ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules
683 ## e.g:
684 ## extraRules:
685 ## - host: airflow.local
686 ## http:
687 ## path: /
688 ## backend:
689 ## service:
690 ## name: airflow-svc
691 ## port:
692 ## name: http
693 ##
694 extraRules: []
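## Keycloak admin ingress parameters
## ref: https://kubernetes.io/docs/user-guide/ingress/
## NOTE: this record is intended for the Keycloak admin endpoints and is disabled by default.
## If you enable it, restrict who can reach it (NetworkPolicy, ingress-controller allowlists)
## rather than publishing it on the same terms as the public `ingress` record.
##
adminIngress:
  ## @param adminIngress.enabled Enable admin ingress record generation for Keycloak
  ##
  enabled: false
  ## @param adminIngress.ingressClassName IngressClass that will be used to implement the Ingress (Kubernetes 1.18+)
  ## This is supported in Kubernetes 1.18+ and required if you have more than one IngressClass marked as the default for your cluster.
  ## ref: https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/
  ##
  ingressClassName: ""
  ## @param adminIngress.pathType Ingress path type
  ##
  pathType: ImplementationSpecific
  ## @param adminIngress.apiVersion Force Ingress API version (automatically detected if not set)
  ##
  apiVersion: ""
  ## @param adminIngress.hostname Default host for the admin ingress record (evaluated as template)
  ##
  hostname: keycloak.local
  ## @param adminIngress.path [string] Default path for the admin ingress record (evaluated as template)
  ##
  path: "{{ .Values.httpRelativePath }}"
  ## @param adminIngress.servicePort Backend service port to use
  ## Default is http. Alternative is https.
  ##
  servicePort: http
  ## @param adminIngress.annotations [object] Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations.
  ## Use this parameter to set the required annotations for cert-manager, see
  ## ref: https://cert-manager.io/docs/usage/ingress/#supported-annotations
  ## e.g:
  ## annotations:
  ##   kubernetes.io/ingress.class: nginx
  ##   cert-manager.io/cluster-issuer: cluster-issuer-name
  ##
  annotations: {}
  ## @param adminIngress.labels Additional labels for the Ingress resource.
  ## e.g:
  ## labels:
  ##   app: keycloak
  ##
  labels: {}
  ## @param adminIngress.tls Enable TLS configuration for the host defined at `adminIngress.hostname` parameter
  ## TLS certificates will be retrieved from a TLS secret with name: `{{- printf "%s-tls" (tpl .Values.adminIngress.hostname .) }}`
  ## You can:
  ##   - Use the `adminIngress.secrets` parameter to create this TLS secret
  ##   - Rely on cert-manager to create it by setting the corresponding annotations
  ##   - Rely on Helm to create self-signed certificates by setting `adminIngress.selfSigned=true`
  ##
  tls: false
  ## @param adminIngress.selfSigned Create a TLS secret for this ingress record using self-signed certificates generated by Helm
  ##
  selfSigned: false
  ## @param adminIngress.extraHosts An array with additional hostname(s) to be covered with the admin ingress record
  ## e.g:
  ## extraHosts:
  ##   - name: keycloak.local
  ##     path: /
  ##
  extraHosts: []
  ## @param adminIngress.extraPaths Any additional arbitrary paths that may need to be added to the admin ingress under the main host.
  ## For example: The ALB ingress controller requires a special rule for handling SSL redirection.
  ## extraPaths:
  ##   - path: /*
  ##     backend:
  ##       serviceName: ssl-redirect
  ##       servicePort: use-annotation
  ##
  extraPaths: []
  ## @param adminIngress.extraTls The tls configuration for additional hostnames to be covered with this ingress record.
  ## see: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
  ## extraTls:
  ##   - hosts:
  ##       - keycloak.local
  ##     secretName: keycloak.local-tls
  ##
  extraTls: []
  ## @param adminIngress.secrets If you're providing your own certificates, please use this to add the certificates as secrets
  ## key and certificate should start with -----BEGIN CERTIFICATE----- or
  ## -----BEGIN RSA PRIVATE KEY-----
  ##
  ## name should line up with a tlsSecret set further up
  ## If you're using cert-manager, this is unneeded, as it will create the secret for you if it is not set
  ##
  ## It is also possible to create and manage the certificates outside of this helm chart
  ## Please see README.md for more information
  ## e.g:
  ##   - name: keycloak.local-tls
  ##     key:
  ##     certificate:
  ##
  secrets: []
  ## @param adminIngress.extraRules Additional rules to be covered with this ingress record
  ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules
  ## e.g:
  ## extraRules:
  ##   - host: airflow.local
  ##     http:
  ##       path: /
  ##       backend:
  ##         service:
  ##           name: airflow-svc
  ##           port:
  ##             name: http
  ##
  extraRules: []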
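## Network Policy configuration
## ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/
##
networkPolicy:
  ## @param networkPolicy.enabled Specifies whether a NetworkPolicy should be created
  ##
  enabled: true
  ## @param networkPolicy.allowExternal Don't require server label for connections
  ## The Policy model to apply. When set to false, only pods with the correct
  ## server label will have network access to the ports server is listening
  ## on. When true, server will accept connections from any source
  ## (with the correct destination port).
  ## NOTE: the default (true) keeps ingress permissive even though a policy is created;
  ## set it to false, and use ingressNSMatchLabels/ingressNSPodMatchLabels for callers
  ## in other namespaces, to actually restrict who can reach Keycloak.
  ##
  allowExternal: true
  ## @param networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations.
  ## NOTE: the default (true) leaves egress unrestricted; when set to false, add any
  ## destination the pod still needs through networkPolicy.extraEgress.
  ##
  allowExternalEgress: true
  ## @param networkPolicy.kubeAPIServerPorts [array] List of possible endpoints to kube-apiserver (limit to your cluster settings to increase security)
  ##
  kubeAPIServerPorts: [443, 6443, 8443]
  ## @param networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy
  ## e.g:
  ## extraIngress:
  ##   - ports:
  ##       - port: 1234
  ##     from:
  ##       - podSelector:
  ##           - matchLabels:
  ##               - role: frontend
  ##       - podSelector:
  ##           - matchExpressions:
  ##               - key: role
  ##                 operator: In
  ##                 values:
  ##                   - frontend
  ##
  extraIngress: []
  ## @param networkPolicy.extraEgress [array] Add extra egress rules to the NetworkPolicy
  ## e.g:
  ## extraEgress:
  ##   - ports:
  ##       - port: 1234
  ##     to:
  ##       - podSelector:
  ##           - matchLabels:
  ##               - role: frontend
  ##       - podSelector:
  ##           - matchExpressions:
  ##               - key: role
  ##                 operator: In
  ##                 values:
  ##                   - frontend
  ##
  extraEgress: []
  ## @param networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces
  ## @param networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces
  ##
  ingressNSMatchLabels: {}
  ingressNSPodMatchLabels: {}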
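## @section RBAC parameters
## Specifies whether a ServiceAccount should be created
##
serviceAccount:
  ## @param serviceAccount.create Enable the creation of a ServiceAccount for Keycloak pods
  ##
  create: true
  ## @param serviceAccount.name Name of the created ServiceAccount
  ## If not set and create is true, a name is generated using the fullname template
  ##
  name: ""
  ## @param serviceAccount.automountServiceAccountToken Auto-mount the service account token in the pod
  ## NOTE: the token is the pod's Kubernetes API credential. The default (false) keeps it out of the
  ## Keycloak pods; only set true if something running in the pod has to call the Kubernetes API.
  ##
  automountServiceAccountToken: false
  ## @param serviceAccount.annotations Additional custom annotations for the ServiceAccount
  ##
  annotations: {}
  ## @param serviceAccount.extraLabels Additional labels for the ServiceAccount
  ##
  extraLabels: {}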
## Specifies whether RBAC resources should be created
## NOTE: disabled by default. When enabled, keep rbac.rules to the minimum
## resources and verbs the deployment actually needs.
##
rbac:
  ## @param rbac.create Whether to create and use RBAC resources or not
  ##
  create: false
  ## @param rbac.rules Custom RBAC rules
  ## Example:
  ## rules:
  ##   - apiGroups:
  ##       - ""
  ##     resources:
  ##       - pods
  ##     verbs:
  ##       - get
  ##       - list
  ##
  rules: []
## @section Other parameters
##

## Keycloak Pod Disruption Budget configuration
## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/
## NOTE: a PodDisruptionBudget accepts either minAvailable or maxUnavailable, not both;
## set at most one of the two values below.
##
pdb:
  ## @param pdb.create Enable/disable a Pod Disruption Budget creation
  ##
  create: true
  ## @param pdb.minAvailable Minimum number/percentage of pods that should remain scheduled
  ##
  minAvailable: ""
  ## @param pdb.maxUnavailable Maximum number/percentage of pods that may be made unavailable
  ##
  maxUnavailable: ""
## Keycloak Autoscaling configuration
## ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/
## @param autoscaling.enabled Enable autoscaling for Keycloak
## @param autoscaling.minReplicas Minimum number of Keycloak replicas
## @param autoscaling.maxReplicas Maximum number of Keycloak replicas
## @param autoscaling.targetCPU Target CPU utilization percentage
## @param autoscaling.targetMemory Target Memory utilization percentage
## NOTE: targetCPU/targetMemory are left empty by default; the HPA needs at least one
## utilization target to act on.
##
autoscaling:
  enabled: false
  minReplicas: 1
  maxReplicas: 11
  targetCPU: ""
  targetMemory: ""
  ## HPA Scaling Behavior
  ## ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/#configurable-scaling-behavior
  ##
  behavior:
    ## HPA behavior when scaling up
    ## @param autoscaling.behavior.scaleUp.stabilizationWindowSeconds The number of seconds for which past recommendations should be considered while scaling up
    ## @param autoscaling.behavior.scaleUp.selectPolicy The priority of policies that the autoscaler will apply when scaling up
    ## @param autoscaling.behavior.scaleUp.policies [array] HPA scaling policies when scaling up
    ## e.g:
    ## Policy to scale 20% of the pod in 60s
    ##   - type: Percent
    ##     value: 20
    ##     periodSeconds: 60
    ##
    scaleUp:
      stabilizationWindowSeconds: 120
      selectPolicy: Max
      policies: []
    ## HPA behavior when scaling down
    ## @param autoscaling.behavior.scaleDown.stabilizationWindowSeconds The number of seconds for which past recommendations should be considered while scaling down
    ## @param autoscaling.behavior.scaleDown.selectPolicy The priority of policies that the autoscaler will apply when scaling down
    ## @param autoscaling.behavior.scaleDown.policies [array] HPA scaling policies when scaling down
    ## e.g:
    ## Policy to scale one pod in 300s
    ##   - type: Pods
    ##     value: 1
    ##     periodSeconds: 300
    ##
    scaleDown:
      stabilizationWindowSeconds: 300
      selectPolicy: Max
      ## Default: remove at most one pod per 300s window, so scale-in is gradual.
      policies:
        - type: Pods
          value: 1
          periodSeconds: 300
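## @section Metrics parameters
##

## Metrics configuration
##
metrics:
  ## @param metrics.enabled Enable exposing Keycloak statistics
  ## ref: https://github.com/bitnami/containers/tree/main/bitnami/keycloak#enabling-statistics
  ## NOTE: the scrape paths configured below live under Keycloak's own HTTP path; when you enable
  ## metrics, make sure only your scraper can reach them (e.g. via networkPolicy) instead of
  ## leaving them reachable through the public ingress.
  ##
  enabled: false
  ## Keycloak metrics service parameters
  ##
  service:
    ## @param metrics.service.ports.http Metrics service HTTP port
    ##
    ports:
      http: 8080
    ## @param metrics.service.annotations [object] Annotations for enabling prometheus to access the metrics endpoints
    ##
    annotations:
      prometheus.io/scrape: "true"
      prometheus.io/port: "{{ .Values.metrics.service.ports.http }}"
    ## @param metrics.service.extraPorts [array] Add additional ports to the keycloak metrics service (e.g. admin port 9000)
    ##
    extraPorts: []
  ## Prometheus Operator ServiceMonitor configuration
  ##
  serviceMonitor:
    ## @param metrics.serviceMonitor.enabled Create ServiceMonitor Resource for scraping metrics using PrometheusOperator
    ##
    enabled: false
    ## @param metrics.serviceMonitor.port Metrics service HTTP port
    ##
    port: http
    ## @param metrics.serviceMonitor.endpoints [array] The endpoint configuration of the ServiceMonitor. Path is mandatory. Interval, timeout and labellings can be overwritten.
    ##
    endpoints:
      - path: '{{ include "keycloak.httpPath" . }}metrics'
      - path: '{{ include "keycloak.httpPath" . }}realms/master/metrics'
    ## @param metrics.serviceMonitor.path Metrics service HTTP path. Deprecated: Use @param metrics.serviceMonitor.endpoints instead
    ##
    path: ""
    ## @param metrics.serviceMonitor.namespace Namespace which Prometheus is running in
    ##
    namespace: ""
    ## @param metrics.serviceMonitor.interval Interval at which metrics should be scraped
    ##
    interval: 30s
    ## @param metrics.serviceMonitor.scrapeTimeout Specify the timeout after which the scrape is ended
    ## e.g:
    ## scrapeTimeout: 30s
    ##
    scrapeTimeout: ""
    ## @param metrics.serviceMonitor.labels Additional labels that can be used so ServiceMonitor will be discovered by Prometheus
    ##
    labels: {}
    ## @param metrics.serviceMonitor.selector Prometheus instance selector labels
    ## ref: https://github.com/bitnami/charts/tree/main/bitnami/prometheus-operator#prometheus-configuration
    ##
    selector: {}
    ## @param metrics.serviceMonitor.relabelings RelabelConfigs to apply to samples before scraping
    ##
    relabelings: []
    ## @param metrics.serviceMonitor.metricRelabelings MetricRelabelConfigs to apply to samples before ingestion
    ##
    metricRelabelings: []
    ## @param metrics.serviceMonitor.honorLabels honorLabels chooses the metric's labels on collisions with target labels
    ##
    honorLabels: false
    ## @param metrics.serviceMonitor.jobLabel The name of the label on the target service to use as the job name in prometheus.
    ##
    jobLabel: ""
  ## Prometheus Operator alert rules configuration
  ##
  prometheusRule:
    ## @param metrics.prometheusRule.enabled Create PrometheusRule Resource for scraping metrics using PrometheusOperator
    ##
    enabled: false
    ## @param metrics.prometheusRule.namespace Namespace which Prometheus is running in
    ##
    namespace: ""
    ## @param metrics.prometheusRule.labels Additional labels that can be used so PrometheusRule will be discovered by Prometheus
    ##
    labels: {}
    ## @param metrics.prometheusRule.groups Groups, containing the alert rules.
    ## Example:
    ## groups:
    ##   - name: Keycloak
    ##     rules:
    ##       - alert: KeycloakInstanceNotAvailable
    ##         annotations:
    ##           message: "Keycloak instance in namespace {{ `{{` }} $labels.namespace {{ `}}` }} has not been available for the last 5 minutes."
    ##         expr: |
    ##           absent(kube_pod_status_ready{namespace="{{ include "common.names.namespace" . }}", condition="true"} * on (pod) kube_pod_labels{pod=~"{{ include "common.names.fullname" . }}-\\d+", namespace="{{ include "common.names.namespace" . }}"}) != 0
    ##         for: 5m
    ##         labels:
    ##           severity: critical
    ##
    groups: []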
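## @section keycloak-config-cli parameters

## Configuration for keycloak-config-cli
## ref: https://github.com/adorsys/keycloak-config-cli
##
keycloakConfigCli:
  ## @param keycloakConfigCli.enabled Whether to enable keycloak-config-cli job
  ##
  enabled: false
  ## Bitnami keycloak-config-cli image
  ## ref: https://hub.docker.com/r/bitnami/keycloak-config-cli/tags/
  ## @param keycloakConfigCli.image.registry [default: REGISTRY_NAME] keycloak-config-cli container image registry
  ## @param keycloakConfigCli.image.repository [default: REPOSITORY_NAME/keycloak-config-cli] keycloak-config-cli container image repository
  ## @skip keycloakConfigCli.image.tag keycloak-config-cli container image tag
  ## @param keycloakConfigCli.image.digest keycloak-config-cli container image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag
  ## @param keycloakConfigCli.image.pullPolicy keycloak-config-cli container image pull policy
  ## @param keycloakConfigCli.image.pullSecrets keycloak-config-cli container image pull secrets
  ##
  image:
    registry: docker.io
    repository: bitnami/keycloak-config-cli
    tag: 5.12.0-debian-12-r5
    ## Pinning a digest (rather than a mutable tag) gives the stronger guarantee that the
    ## job runs exactly the image you reviewed.
    digest: ""
    ## Specify a imagePullPolicy
    ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
    ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images
    ##
    pullPolicy: IfNotPresent
    ## Optionally specify an array of imagePullSecrets.
    ## Secrets must be manually created in the namespace.
    ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
    ## e.g:
    ## pullSecrets:
    ##   - myRegistryKeySecretName
    ##
    pullSecrets: []
  ## @param keycloakConfigCli.annotations [object] Annotations for keycloak-config-cli job
  ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
  ##
  annotations:
    helm.sh/hook: "post-install,post-upgrade,post-rollback"
    helm.sh/hook-delete-policy: "hook-succeeded,before-hook-creation"
    helm.sh/hook-weight: "5"
  ## @param keycloakConfigCli.command Command for running the container (set to default if not set). Use array form
  ##
  command: []
  ## @param keycloakConfigCli.args Args for running the container (set to default if not set). Use array form
  ##
  args: []
  ## @param keycloakConfigCli.automountServiceAccountToken Mount Service Account token in pod
  ## NOTE: the token is the job pod's Kubernetes API credential. Unlike the main
  ## serviceAccount section (which defaults to false), this defaults to true; set it to
  ## false unless the job actually has to call the Kubernetes API.
  ##
  automountServiceAccountToken: true
  ## @param keycloakConfigCli.hostAliases Job pod host aliases
  ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
  ##
  hostAliases: []
  ## Keycloak config CLI resource requests and limits
  ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
  ## @param keycloakConfigCli.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if keycloakConfigCli.resources is set (keycloakConfigCli.resources is recommended for production).
  ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
  ##
  resourcesPreset: "small"
  ## @param keycloakConfigCli.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
  ## Example:
  ## resources:
  ##   requests:
  ##     cpu: 2
  ##     memory: 512Mi
  ##   limits:
  ##     cpu: 3
  ##     memory: 1024Mi
  ##
  resources: {}
  ## keycloak-config-cli containers' Security Context
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
  ## @param keycloakConfigCli.containerSecurityContext.enabled Enabled keycloak-config-cli Security Context
  ## @param keycloakConfigCli.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
  ## @param keycloakConfigCli.containerSecurityContext.runAsUser Set keycloak-config-cli Security Context runAsUser
  ## @param keycloakConfigCli.containerSecurityContext.runAsGroup Set keycloak-config-cli Security Context runAsGroup
  ## @param keycloakConfigCli.containerSecurityContext.runAsNonRoot Set keycloak-config-cli Security Context runAsNonRoot
  ## @param keycloakConfigCli.containerSecurityContext.privileged Set keycloak-config-cli Security Context privileged
  ## @param keycloakConfigCli.containerSecurityContext.readOnlyRootFilesystem Set keycloak-config-cli Security Context readOnlyRootFilesystem
  ## @param keycloakConfigCli.containerSecurityContext.allowPrivilegeEscalation Set keycloak-config-cli Security Context allowPrivilegeEscalation
  ## @param keycloakConfigCli.containerSecurityContext.capabilities.drop List of capabilities to be dropped
  ## @param keycloakConfigCli.containerSecurityContext.seccompProfile.type Set keycloak-config-cli Security Context seccomp profile
  ## NOTE: the defaults below (non-root, no privilege escalation, all capabilities dropped,
  ## read-only root filesystem, RuntimeDefault seccomp) satisfy the Pod Security "restricted"
  ## profile; loosen them only for a documented reason.
  ##
  containerSecurityContext:
    enabled: true
    seLinuxOptions: {}
    runAsUser: 1001
    runAsGroup: 1001
    runAsNonRoot: true
    privileged: false
    readOnlyRootFilesystem: true
    allowPrivilegeEscalation: false
    capabilities:
      drop: ["ALL"]
    seccompProfile:
      type: "RuntimeDefault"
  ## keycloak-config-cli pods' Security Context
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
  ## @param keycloakConfigCli.podSecurityContext.enabled Enabled keycloak-config-cli pods' Security Context
  ## @param keycloakConfigCli.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
  ## @param keycloakConfigCli.podSecurityContext.sysctls Set kernel settings using the sysctl interface
  ## @param keycloakConfigCli.podSecurityContext.supplementalGroups Set filesystem extra groups
  ## @param keycloakConfigCli.podSecurityContext.fsGroup Set keycloak-config-cli pod's Security Context fsGroup
  ##
  podSecurityContext:
    enabled: true
    fsGroupChangePolicy: Always
    sysctls: []
    supplementalGroups: []
    fsGroup: 1001
  ## @param keycloakConfigCli.backoffLimit Number of retries before considering a Job as failed
  ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy
  ##
  backoffLimit: 1
  ## @param keycloakConfigCli.podLabels Pod extra labels
  ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
  ##
  podLabels: {}
  ## @param keycloakConfigCli.podAnnotations Annotations for job pod
  ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
  ##
  podAnnotations: {}
  ## @param keycloakConfigCli.extraEnvVars Additional environment variables to set
  ## Example:
  ## extraEnvVars:
  ##   - name: FOO
  ##     value: "bar"
  ##
  extraEnvVars: []
  ## @param keycloakConfigCli.nodeSelector Node labels for pod assignment
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
  ##
  nodeSelector: {}
  ## @param keycloakConfigCli.podTolerations Tolerations for job pod assignment
  ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
  ##
  podTolerations: []
  ## @param keycloakConfigCli.extraEnvVarsCM ConfigMap with extra environment variables
  ##
  extraEnvVarsCM: ""
  ## @param keycloakConfigCli.extraEnvVarsSecret Secret with extra environment variables
  ##
  extraEnvVarsSecret: ""
  ## @param keycloakConfigCli.extraVolumes Extra volumes to add to the job
  ##
  extraVolumes: []
  ## @param keycloakConfigCli.extraVolumeMounts Extra volume mounts to add to the container
  ##
  extraVolumeMounts: []
  ## @param keycloakConfigCli.initContainers Add additional init containers to the Keycloak config cli pod
  ## Example:
  ## initContainers:
  ##   - name: your-image-name
  ##     image: your-image
  ##     imagePullPolicy: Always
  ##     ports:
  ##       - name: portname
  ##         containerPort: 1234
  ##
  initContainers: []
  ## @param keycloakConfigCli.sidecars Add additional sidecar containers to the Keycloak config cli pod
  ## Example:
  ## sidecars:
  ##   - name: your-image-name
  ##     image: your-image
  ##     imagePullPolicy: Always
  ##     ports:
  ##       - name: portname
  ##         containerPort: 1234
  ##
  sidecars: []
  ## @param keycloakConfigCli.configuration keycloak-config-cli realms configuration
  ## NOTE: nil keys will be considered files to import locally
  ## NOTE: realm exports can carry client secrets and other credentials. If yours do, keep this
  ## value out of version control and prefer handing the files to the job from a Secret-backed
  ## volume (see extraVolumes/extraVolumeMounts) rather than inlining them here.
  ## Example:
  ## configuration:
  ##   realm1.json: |
  ##     {
  ##       "realm": "realm1",
  ##       "clients": []
  ##     }
  ##   realm2.yaml: |
  ##     realm: realm2
  ##     clients: []
  ##
  configuration: {}
  ## @param keycloakConfigCli.existingConfigmap ConfigMap with keycloak-config-cli configuration
  ## NOTE: This will override keycloakConfigCli.configuration
  ##
  existingConfigmap: ""
  ## Automatic Cleanup for Finished Jobs
  ## @param keycloakConfigCli.cleanupAfterFinished.enabled Enables Cleanup for Finished Jobs
  ## @param keycloakConfigCli.cleanupAfterFinished.seconds Sets the value of ttlSecondsAfterFinished
  ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/
  ##
  cleanupAfterFinished:
    enabled: false
    seconds: 600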
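## @section Database parameters

## PostgreSQL chart configuration
## ref: https://github.com/bitnami/charts/blob/main/bitnami/postgresql/values.yaml
## @param postgresql.enabled Switch to enable or disable the PostgreSQL helm chart
## @param postgresql.auth.postgresPassword Password for the "postgres" admin user. Ignored if `auth.existingSecret` with key `postgres-password` is provided
## @param postgresql.auth.username Name for a custom user to create
## @param postgresql.auth.password Password for the custom user to create
## @param postgresql.auth.database Name for a custom database to create
## @param postgresql.auth.existingSecret Name of existing secret to use for PostgreSQL credentials
## @param postgresql.architecture PostgreSQL architecture (`standalone` or `replication`)
## NOTE: anything you put in postgresPassword/password sits in plain text in this values file
## (and in whatever VCS or CI system it passes through). For real deployments, create the
## Secret yourself and reference it via `postgresql.auth.existingSecret` instead.
##
postgresql:
  enabled: true
  auth:
    postgresPassword: ""
    username: bn_keycloak
    password: ""
    database: bitnami_keycloak
    existingSecret: ""
  architecture: standalone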
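## External PostgreSQL configuration
## All of these values are only used when postgresql.enabled is set to false
## @param externalDatabase.host Database host
## @param externalDatabase.port Database port number
## @param externalDatabase.user Non-root username for Keycloak
## @param externalDatabase.password Password for the non-root username for Keycloak
## @param externalDatabase.database Keycloak database name
## @param externalDatabase.existingSecret Name of an existing secret resource containing the database credentials
## @param externalDatabase.existingSecretHostKey Name of an existing secret key containing the database host name
## @param externalDatabase.existingSecretPortKey Name of an existing secret key containing the database port
## @param externalDatabase.existingSecretUserKey Name of an existing secret key containing the database user
## @param externalDatabase.existingSecretDatabaseKey Name of an existing secret key containing the database name
## @param externalDatabase.existingSecretPasswordKey Name of an existing secret key containing the database password
## @param externalDatabase.annotations Additional custom annotations for external database secret object
## NOTE: prefer `existingSecret` together with the `existingSecret*Key` names over a literal
## `password`, so the database credential never has to be written into this values file.
##
externalDatabase:
  host: ""
  port: 5432
  user: bn_keycloak
  database: bitnami_keycloak
  password: ""
  existingSecret: ""
  existingSecretHostKey: ""
  existingSecretPortKey: ""
  existingSecretUserKey: ""
  existingSecretDatabaseKey: ""
  existingSecretPasswordKey: ""
  annotations: {}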
## @section Keycloak Cache parameters

## Keycloak cache configuration
## ref: https://www.keycloak.org/server/caching
## @param cache.enabled Switch to enable or disable the keycloak distributed cache for kubernetes.
## NOTE: Set to false to use 'local' cache (only supported when replicaCount=1).
## @param cache.stackName Set infinispan cache stack to use
## @param cache.stackFile Set infinispan cache stack filename to use
## NOTE: see the ref above for the stacks Keycloak ships and for how a custom stack file is structured.
##
cache:
  enabled: true
  stackName: kubernetes
  stackFile: ""
## @section Keycloak Logging parameters

## Keycloak logging configuration
## ref: https://www.keycloak.org/server/logging
## @param logging.output Alternates between the default log output format or json format
## @param logging.level Allowed values as documented: FATAL, ERROR, WARN, INFO, DEBUG, TRACE, ALL, OFF
## NOTE: DEBUG/TRACE/ALL are very verbose and may include request details in the logs;
## use them for troubleshooting only and return to INFO afterwards.
##
logging:
  output: default
  level: INFO