# Copyright VMware, Inc.
# SPDX-License-Identifier: APACHE-2.0

## @section Global parameters
## Global Docker image parameters
## Please, note that this will override the image parameters, including dependencies, configured to use the global value
## Current available global Docker image parameters: imageRegistry, imagePullSecrets and storageClass
##

## @param global.imageRegistry Global Docker image registry
## @param global.imagePullSecrets Global Docker registry secret names as an array
## @param global.storageClass Global StorageClass for Persistent Volume(s)
##
global:
  ## NOTE: as stated above, a non-empty value overrides the image parameters of this chart and of its
  ## dependencies, so every image is then pulled from that registry. Point it only at a registry you trust.
  imageRegistry: ""
  ## E.g.
  ## imagePullSecrets:
  ##   - myRegistryKeySecretName
  ##
  imagePullSecrets: []
  storageClass: ""
  ## Compatibility adaptations for Kubernetes platforms
  ##
  compatibility:
    ## Compatibility adaptations for Openshift
    ##
    openshift:
      ## @param global.compatibility.openshift.adaptSecurityContext Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation)
      ## NOTE: when the adaptation applies, the runAsUser, runAsGroup and fsGroup values set in this file are
      ## removed and the platform chooses the IDs, so do not rely on the fixed IDs in that case.
      ##
      adaptSecurityContext: auto
## @section Common parameters
##

## @param kubeVersion Force target Kubernetes version (using Helm capabilities if not set)
##
kubeVersion: ""
## @param nameOverride String to partially override common.names.fullname
##
nameOverride: ""
## @param fullnameOverride String to fully override common.names.fullname
##
fullnameOverride: ""
## @param namespaceOverride String to fully override common.names.namespace
##
namespaceOverride: ""
## @param commonLabels Labels to add to all deployed objects
##
commonLabels: {}
## @param enableServiceLinks If set to false, disable Kubernetes service links in the pod spec
## Ref: https://kubernetes.io/docs/tutorials/services/connect-applications-service/#accessing-the-service
## NOTE: with service links enabled, Kubernetes injects the addresses of the namespace's Services into the
## container as environment variables; set to false if the workload does not use them.
##
enableServiceLinks: true
## @param commonAnnotations Annotations to add to all deployed objects
##
commonAnnotations: {}
## @param dnsPolicy DNS Policy for pod
## ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/
## E.g.
## dnsPolicy: ClusterFirst
dnsPolicy: ""
## @param dnsConfig DNS Configuration pod
## ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/
## E.g.
## dnsConfig:
##   options:
##   - name: ndots
##     value: "4"
dnsConfig: {}
## @param clusterDomain Default Kubernetes cluster domain
##
clusterDomain: cluster.local
## @param extraDeploy Array of extra objects to deploy with the release
## NOTE: objects listed here are deployed together with the release; review them like any other manifest,
## because they are created with the permissions of whoever installs the chart.
##
extraDeploy: []
## Enable diagnostic mode in the statefulset
## NOTE: intended for troubleshooting only. While enabled, the probes are disabled and the containers run
## the command below instead of Keycloak, so the deployment does not serve traffic or report its health.
##
diagnosticMode:
  ## @param diagnosticMode.enabled Enable diagnostic mode (all probes will be disabled and the command will be overridden)
  ##
  enabled: false
  ## @param diagnosticMode.command Command to override all containers in the statefulset
  ##
  command:
    - sleep
  ## @param diagnosticMode.args Args to override all containers in the statefulset
  ##
  args:
    - infinity
## @section Keycloak parameters

## Bitnami Keycloak image version
## ref: https://hub.docker.com/r/bitnami/keycloak/tags/
## @param image.registry [default: REGISTRY_NAME] Keycloak image registry
## @param image.repository [default: REPOSITORY_NAME/keycloak] Keycloak image repository
## @skip image.tag Keycloak image tag (immutable tags are recommended)
## @param image.digest Keycloak image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag
## @param image.pullPolicy Keycloak image pull policy
## @param image.pullSecrets Specify docker-registry secret names as an array
## @param image.debug Specify if debug logs should be enabled
##
image:
  registry: docker.io
  repository: bitnami/keycloak
  tag: 23.0.7-debian-12-r4
  ## NOTE: a tag can be re-pointed at different image content in the registry. Setting the digest pins the
  ## exact image that was reviewed and, as described above, takes precedence over the tag.
  digest: ""
  ## Specify a imagePullPolicy
  ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
  ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images
  ##
  pullPolicy: IfNotPresent
  ## Optionally specify an array of imagePullSecrets.
  ## Secrets must be manually created in the namespace.
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
  ## Example:
  ## pullSecrets:
  ##   - myRegistryKeySecretName
  ##
  pullSecrets: []
  ## Set to true if you would like to see extra information on logs
  ## NOTE(review): debug output may include request details that should not reach shared log storage;
  ## keep this false outside troubleshooting sessions.
  ##
  debug: false
## Keycloak authentication parameters
## ref: https://github.com/bitnami/containers/tree/main/bitnami/keycloak#admin-credentials
## NOTE: the administrator account controls every realm, client and user of this Keycloak instance.
## Prefer auth.existingSecret together with auth.passwordSecretKey: a password written into
## auth.adminPassword is kept in plain text in the values file and in the stored Helm release.
##
auth:
  ## @param auth.adminUser Keycloak administrator user
  ## NOTE(review): the default name is generic; consider a deployment-specific administrator name.
  ##
  adminUser: user
  ## @param auth.adminPassword Keycloak administrator password for the new user
  ## NOTE(review): presumably the chart generates a password when this is empty and no existing secret
  ## is given - confirm in the chart templates before relying on it.
  ##
  adminPassword: ""
  ## @param auth.existingSecret Existing secret containing Keycloak admin password
  ##
  existingSecret: ""
  ## @param auth.passwordSecretKey Key where the Keycloak admin password is being stored inside the existing secret.
  ##
  passwordSecretKey: ""
  ## @param auth.annotations Additional custom annotations for Keycloak auth secret object
  ##
  annotations: {}
## HTTPS settings
## ref: https://github.com/bitnami/containers/tree/main/bitnami/keycloak#tls-encryption
## NOTE: with tls.enabled=false the Keycloak pods themselves do not serve HTTPS, so credentials and tokens
## travel unencrypted on the hop to the pod unless TLS is provided by something in front of it.
##
tls:
  ## @param tls.enabled Enable TLS encryption. Required for HTTPS traffic.
  ##
  enabled: false
  ## @param tls.autoGenerated Generate automatically self-signed TLS certificates. Currently only supports PEM certificates
  ## NOTE: self-signed certificates are not trusted by clients unless distributed to them explicitly.
  ##
  autoGenerated: false
  ## @param tls.existingSecret Existing secret containing the TLS certificates per Keycloak replica
  ## Create this secret following the steps below:
  ## 1) Generate your truststore and keystore files (more info at https://www.keycloak.org/docs/latest/server_installation/#_setting_up_ssl)
  ## 2) Rename your truststore to `keycloak.truststore.jks` or use a different name overwriting the value 'tls.truststoreFilename'.
  ## 3) Rename your keystores to `keycloak.keystore.jks` or use a different name overwriting the value 'tls.keystoreFilename'.
  ## 4) Run the command below where SECRET_NAME is the name of the secret you want to create:
  ##       kubectl create secret generic SECRET_NAME --from-file=./keycloak.truststore.jks --from-file=./keycloak.keystore.jks
  ## NOTE: If usePem enabled, make sure the PEM key and cert are named 'tls.key' and 'tls.crt' respectively.
  ##
  existingSecret: ""
  ## @param tls.usePem Use PEM certificates as input instead of PKCS12/JKS stores
  ## If "true", the Keycloak chart will look for the files keycloak.key and keycloak.crt inside the secret provided with 'existingSecret'.
  ## NOTE(review): the note under tls.existingSecret names the PEM files 'tls.key' and 'tls.crt', while the
  ## line above names keycloak.key and keycloak.crt - confirm which file names the chart templates expect.
  ##
  usePem: false
  ## @param tls.truststoreFilename Truststore filename inside the existing secret
  ##
  truststoreFilename: "keycloak.truststore.jks"
  ## @param tls.keystoreFilename Keystore filename inside the existing secret
  ##
  keystoreFilename: "keycloak.keystore.jks"
  ## @param tls.keystorePassword Password to access the keystore when it's password-protected
  ## NOTE: a password set here or in tls.truststorePassword is stored in plain text in the values file and
  ## in the stored Helm release; tls.passwordsSecret keeps both out of the values.
  ##
  keystorePassword: ""
  ## @param tls.truststorePassword Password to access the truststore when it's password-protected
  ##
  truststorePassword: ""
  ## @param tls.passwordsSecret Secret containing the Keystore and Truststore passwords.
  ##
  passwordsSecret: ""
## SPI TLS settings
## ref: https://www.keycloak.org/server/keycloak-truststore
## These settings control which certificates Keycloak trusts when it opens outgoing HTTPS/TLS connections.
##
spi:
  ## @param spi.existingSecret Existing secret containing the Keycloak truststore for SPI connection over HTTPS/TLS
  ## Create this secret following the steps below:
  ## 1) Rename your truststore to `keycloak-spi.truststore.jks` or use a different name overwriting the value 'spi.truststoreFilename'.
  ## 2) Run the command below where SECRET_NAME is the name of the secret you want to create:
  ##       kubectl create secret generic SECRET_NAME --from-file=./keycloak-spi.truststore.jks --from-file=./keycloak.keystore.jks
  ## NOTE(review): the steps above only mention a truststore, yet the command also adds keycloak.keystore.jks;
  ## this looks carried over from the TLS section - confirm whether the keystore (which holds a private key)
  ## needs to be in this secret at all.
  ##
  existingSecret: ""
  ## @param spi.truststorePassword Password to access the truststore when it's password-protected
  ## NOTE: a password set here is stored in plain text in the values file and in the stored Helm release;
  ## spi.passwordsSecret avoids that.
  ##
  truststorePassword: ""
  ## @param spi.truststoreFilename Truststore filename inside the existing secret
  ##
  truststoreFilename: "keycloak-spi.truststore.jks"
  ## @param spi.passwordsSecret Secret containing the SPI Truststore passwords.
  ##
  passwordsSecret: ""
  ## @param spi.hostnameVerificationPolicy Verify the hostname of the server’s certificate. Allowed values: "ANY", "WILDCARD", "STRICT".
  ## NOTE: "ANY" means the hostname is not verified, so any certificate that chains to the truststore is
  ## accepted for any host; use "WILDCARD" or "STRICT" for connections that carry credentials or tokens.
  ## NOTE(review): the behaviour for an empty value is not described here - confirm in the chart templates.
  ##
  hostnameVerificationPolicy: ""
## @param production Run Keycloak in production mode. TLS configuration is required except when using proxy=edge.
## NOTE: keep false only for local testing. As described above, production mode is the one that requires a
## TLS configuration (the tls section, or TLS terminated by a proxy with proxy=edge).
##
production: false
## @param proxy reverse Proxy mode edge, reencrypt, passthrough or none
## ref: https://www.keycloak.org/server/reverseproxy
## NOTE(review): per the referenced guide, edge leaves the hop between proxy and Keycloak as plain HTTP, while
## reencrypt and passthrough keep TLS up to Keycloak. In edge and reencrypt modes Keycloak relies on forwarded
## headers set by the proxy, so the proxy must overwrite client-supplied ones - confirm against the guide
## for the deployed Keycloak version.
##
proxy: passthrough
## @param httpRelativePath Set the path relative to '/' for serving resources. Useful if you are migrating from older version which were using '/auth/'
## ref: https://www.keycloak.org/migration/migrating-to-quarkus#_default_context_path_changed
##
httpRelativePath: "/"
## Keycloak Service Discovery settings
## ref: https://github.com/bitnami/containers/tree/main/bitnami/keycloak#cluster-configuration
##
## @param configuration Keycloak Configuration. Auto-generated based on other parameters when not specified
## Specify content for keycloak.conf
## NOTE: This will override configuring Keycloak based on environment variables (including those set by the chart)
## The keycloak.conf is auto-generated based on other parameters when this parameter is not specified
## NOTE: because this replaces the generated configuration, the TLS, proxy and production settings made
## elsewhere in this file must then be expressed in the supplied keycloak.conf.
##
## Example:
## configuration: |-
##    foo: bar
##    baz:
##
configuration: ""
## @param existingConfigmap Name of existing ConfigMap with Keycloak configuration
## NOTE: When it's set the configuration parameter is ignored
##
existingConfigmap: ""
## @param extraStartupArgs Extra default startup args
##
extraStartupArgs: ""
## @param enableDefaultInitContainers Deploy default init containers
## Disabling this parameter could be helpful for 3rd party images e.g native Keycloak image.
##
enableDefaultInitContainers: true
## @param initdbScripts Dictionary of initdb scripts
## Specify dictionary of scripts to be run at first boot
## ref: https://github.com/bitnami/containers/tree/main/bitnami/keycloak#initializing-a-new-instance
## NOTE: these scripts are executed at first boot, so review them as code and keep credentials out of them.
## Example:
## initdbScripts:
##   my_init_script.sh: |
##      #!/bin/bash
##      echo "Do something."
##
initdbScripts: {}
## @param initdbScriptsConfigMap ConfigMap with the initdb scripts (Note: Overrides `initdbScripts`)
##
initdbScriptsConfigMap: ""
## @param command Override default container command (useful when using custom images)
##
command: []
## @param args Override default container args (useful when using custom images)
##
args: []
## @param extraEnvVars Extra environment variables to be set on Keycloak container
## NOTE: values listed here are written in plain text into the values file and the pod spec; supply
## passwords and other credentials through extraEnvVarsSecret instead.
## Example:
## extraEnvVars:
##   - name: FOO
##     value: "bar"
##
extraEnvVars: []
## @param extraEnvVarsCM Name of existing ConfigMap containing extra env vars
##
extraEnvVarsCM: ""
## @param extraEnvVarsSecret Name of existing Secret containing extra env vars
##
extraEnvVarsSecret: ""
## @section Keycloak statefulset parameters

## @param replicaCount Number of Keycloak replicas to deploy
##
replicaCount: 1
## @param revisionHistoryLimitCount Number of controller revisions to keep
##
revisionHistoryLimitCount: 10
## @param containerPorts.http Keycloak HTTP container port
## @param containerPorts.https Keycloak HTTPS container port
## @param containerPorts.infinispan Keycloak infinispan container port
## NOTE(review): the infinispan port is presumably used only between Keycloak replicas; if so, it should
## not be reachable from outside the release (e.g. restrict it with a NetworkPolicy) - confirm.
##
containerPorts:
  http: 8080
  https: 8443
  infinispan: 7800
## @param extraContainerPorts Optionally specify extra list of additional port-mappings for Keycloak container
##
extraContainerPorts: []
## @param statefulsetAnnotations Optionally add extra annotations on the statefulset resource
##
statefulsetAnnotations: {}
## Keycloak pods' SecurityContext
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
## @param podSecurityContext.enabled Enabled Keycloak pods' Security Context
## @param podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
## @param podSecurityContext.sysctls Set kernel settings using the sysctl interface
## @param podSecurityContext.supplementalGroups Set filesystem extra groups
## @param podSecurityContext.fsGroup Set Keycloak pod's Security Context fsGroup
## NOTE: keep enabled unless the platform assigns these IDs itself (see
## global.compatibility.openshift.adaptSecurityContext). Entries added to sysctls change kernel settings
## for the pod and should be limited to what the workload needs.
##
podSecurityContext:
  enabled: true
  fsGroupChangePolicy: Always
  sysctls: []
  supplementalGroups: []
  fsGroup: 1001
## Keycloak containers' Security Context
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
## @param containerSecurityContext.enabled Enabled containers' Security Context
## @param containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
## @param containerSecurityContext.runAsUser Set containers' Security Context runAsUser
## @param containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup
## @param containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
## @param containerSecurityContext.privileged Set container's Security Context privileged
## @param containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
## @param containerSecurityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation
## @param containerSecurityContext.capabilities.drop List of capabilities to be dropped
## @param containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile
## NOTE: the defaults below run the container as a non-root user and group (1001), not privileged, with a
## read-only root filesystem, without privilege escalation, with all capabilities dropped and with the
## runtime's default seccomp profile. Setting enabled to false or relaxing any single field removes that
## restriction, so record the reason for every override.
##
containerSecurityContext:
  enabled: true
  seLinuxOptions: {}
  runAsUser: 1001
  runAsGroup: 1001
  runAsNonRoot: true
  privileged: false
  readOnlyRootFilesystem: true
  allowPrivilegeEscalation: false
  capabilities:
    drop: ["ALL"]
  seccompProfile:
    type: "RuntimeDefault"
## Keycloak resource requests and limits
## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
## @param resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production).
## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
##
resourcesPreset: "small"
## @param resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
## NOTE: explicit limits also bound how much CPU and memory a misbehaving or overloaded Keycloak container
## can take from other workloads on the node.
## Example:
## resources:
##   requests:
##     cpu: 2
##     memory: 512Mi
##   limits:
##     cpu: 3
##     memory: 1024Mi
##
resources: {}
## Configure extra options for Keycloak containers' liveness, readiness and startup probes
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes
## @param livenessProbe.enabled Enable livenessProbe on Keycloak containers
## @param livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe
## @param livenessProbe.periodSeconds Period seconds for livenessProbe
## @param livenessProbe.timeoutSeconds Timeout seconds for livenessProbe
## @param livenessProbe.failureThreshold Failure threshold for livenessProbe
## @param livenessProbe.successThreshold Success threshold for livenessProbe
## NOTE(review): periodSeconds (1) is shorter than timeoutSeconds (5) - confirm this combination is intended.
##
livenessProbe:
  enabled: true
  initialDelaySeconds: 300
  periodSeconds: 1
  timeoutSeconds: 5
  failureThreshold: 3
  successThreshold: 1
## @param readinessProbe.enabled Enable readinessProbe on Keycloak containers
## @param readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe
## @param readinessProbe.periodSeconds Period seconds for readinessProbe
## @param readinessProbe.timeoutSeconds Timeout seconds for readinessProbe
## @param readinessProbe.failureThreshold Failure threshold for readinessProbe
## @param readinessProbe.successThreshold Success threshold for readinessProbe
##
readinessProbe:
  enabled: true
  initialDelaySeconds: 30
  periodSeconds: 10
  timeoutSeconds: 1
  failureThreshold: 3
  successThreshold: 1
## When enabling this, make sure to set initialDelaySeconds to 0 for livenessProbe and readinessProbe
## @param startupProbe.enabled Enable startupProbe on Keycloak containers
## @param startupProbe.initialDelaySeconds Initial delay seconds for startupProbe
## @param startupProbe.periodSeconds Period seconds for startupProbe
## @param startupProbe.timeoutSeconds Timeout seconds for startupProbe
## @param startupProbe.failureThreshold Failure threshold for startupProbe
## @param startupProbe.successThreshold Success threshold for startupProbe
##
startupProbe:
  enabled: false
  initialDelaySeconds: 30
  periodSeconds: 5
  timeoutSeconds: 1
  failureThreshold: 60
  successThreshold: 1
## @param customLivenessProbe Custom Liveness probes for Keycloak
##
customLivenessProbe: {}
## @param customReadinessProbe Custom Readiness probes for Keycloak
##
customReadinessProbe: {}
## @param customStartupProbe Custom Startup probes for Keycloak
##
customStartupProbe: {}
## @param lifecycleHooks LifecycleHooks to set additional configuration at startup
## NOTE: hooks defined here run inside the Keycloak container; review them as code.
##
lifecycleHooks: {}
## @param automountServiceAccountToken Mount Service Account token in pod
## NOTE: with true, the pod's service account token is mounted into the container. If nothing in the pod
## calls the Kubernetes API, false removes a credential that would otherwise be readable after a container
## compromise.
## NOTE(review): confirm that the chart's clustering/discovery setup does not rely on the token before
## changing this, and keep the service account's RBAC permissions minimal either way.
##
automountServiceAccountToken: true
## Pod metadata, scheduling and termination settings for the Keycloak pods.
##
## @param hostAliases Deployment pod host aliases
## ref: https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
## NOTE: entries here are added to the pod's /etc/hosts, so they change how the listed names resolve
## inside the pod; review them like DNS changes.
##
hostAliases: []
## @param podLabels Extra labels for Keycloak pods
## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
##
podLabels: {}
## @param podAnnotations Annotations for Keycloak pods
## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
##
podAnnotations: {}
## @param podAffinityPreset Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
##
podAffinityPreset: ""
## @param podAntiAffinityPreset Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
##
podAntiAffinityPreset: soft
## Node affinity preset
## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity
##
nodeAffinityPreset:
  ## @param nodeAffinityPreset.type Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
  ##
  type: ""
  ## @param nodeAffinityPreset.key Node label key to match. Ignored if `affinity` is set.
  ## E.g.
  ## key: "kubernetes.io/e2e-az-name"
  ##
  key: ""
  ## @param nodeAffinityPreset.values Node label values to match. Ignored if `affinity` is set.
  ## E.g.
  ## values:
  ##   - e2e-az1
  ##   - e2e-az2
  ##
  values: []
## @param affinity Affinity for pod assignment
## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
##
affinity: {}
## @param nodeSelector Node labels for pod assignment
## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
##
nodeSelector: {}
## @param tolerations Tolerations for pod assignment
## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
##
tolerations: []
## @param topologySpreadConstraints Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template
## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/#spread-constraints-for-pods
##
topologySpreadConstraints: []
## @param podManagementPolicy Pod management policy for the Keycloak statefulset
##
podManagementPolicy: Parallel
## @param priorityClassName Keycloak pods' Priority Class Name
## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/
##
priorityClassName: ""
## @param schedulerName Use an alternate scheduler, e.g. "stork".
## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
##
schedulerName: ""
## @param terminationGracePeriodSeconds Seconds Keycloak pod needs to terminate gracefully
## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods
##
terminationGracePeriodSeconds: ""
## How the statefulset rolls out changes to its pods.
## @param updateStrategy.type Keycloak statefulset strategy type
## @param updateStrategy.rollingUpdate Keycloak statefulset rolling update configuration parameters
## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies
##
updateStrategy:
  type: RollingUpdate
  rollingUpdate: {}
## @param extraVolumes Optionally specify extra list of additional volumes for Keycloak pods
## NOTE: volumes added here become available to the pod; avoid hostPath and other node-level volumes
## unless the workload requires them.
##
extraVolumes: []
## @param extraVolumeMounts Optionally specify extra list of additional volumeMounts for Keycloak container(s)
##
extraVolumeMounts: []
## @param initContainers Add additional init containers to the Keycloak pods
## NOTE(review): containers added through initContainers or sidecars run in the same pod as Keycloak.
## The containerSecurityContext in this file is described for the Keycloak containers, so it is presumably
## not applied to them - give each added container its own securityContext and a pinned image.
## Example:
## initContainers:
##   - name: your-image-name
##     image: your-image
##     imagePullPolicy: Always
##     ports:
##       - name: portname
##         containerPort: 1234
##
initContainers: []
## @param sidecars Add additional sidecar containers to the Keycloak pods
## Example:
## sidecars:
##   - name: your-image-name
##     image: your-image
##     imagePullPolicy: Always
##     ports:
##       - name: portname
##         containerPort: 1234
##
sidecars: []
## @section Exposure parameters
##

## Service configuration
##
service:
  ## @param service.type Kubernetes service type
  ## NOTE: ClusterIP keeps the service reachable only from inside the cluster. Switching to NodePort or
  ## LoadBalancer exposes the identity provider outside it; combine that with TLS and source restrictions.
  ##
  type: ClusterIP
  ## @param service.http.enabled Enable http port on service
  ## NOTE: the http port carries unencrypted traffic; disable it when clients should only reach Keycloak
  ## over the https port.
  ##
  http:
    enabled: true
  ## @param service.ports.http Keycloak service HTTP port
  ## @param service.ports.https Keycloak service HTTPS port
  ##
  ports:
    http: 80
    https: 443
  ## @param service.nodePorts [object] Specify the nodePort values for the LoadBalancer and NodePort service types.
  ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport
  ##
  nodePorts:
    http: ""
    https: ""
  ## @param service.sessionAffinity Control where client requests go, to the same pod or round-robin
  ## Values: ClientIP or None
  ## ref: https://kubernetes.io/docs/concepts/services-networking/service/
  ##
  sessionAffinity: None
  ## @param service.sessionAffinityConfig Additional settings for the sessionAffinity
  ## sessionAffinityConfig:
  ##   clientIP:
  ##     timeoutSeconds: 300
  ##
  sessionAffinityConfig: {}
  ## @param service.clusterIP Keycloak service clusterIP IP
  ## e.g:
  ## clusterIP: None
  ##
  clusterIP: ""
  ## @param service.loadBalancerIP loadBalancerIP for the Keycloak Service (optional, cloud specific)
  ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-loadbalancer
  ##
  loadBalancerIP: ""
  ## @param service.loadBalancerSourceRanges Address that are allowed when service is LoadBalancer
  ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
  ## NOTE: an empty list places no source restriction on a LoadBalancer service; list the client networks
  ## that are allowed to reach Keycloak.
  ## Example:
  ## loadBalancerSourceRanges:
  ##   - 10.10.10.0/24
  ##
  loadBalancerSourceRanges: []
  ## @param service.externalTrafficPolicy Enable client source IP preservation
  ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
  ## NOTE: with Cluster the client source IP is not preserved, which affects any address-based logging or
  ## filtering done behind the service.
  ##
  externalTrafficPolicy: Cluster
  ## @param service.annotations Additional custom annotations for Keycloak service
  ##
  annotations: {}
  ## @param service.extraPorts Extra port to expose on Keycloak service
  ##
  extraPorts: []
  # DEPRECATED service.extraHeadlessPorts will be removed in a future release, please use service.headless.extraPorts instead
  ## @param service.extraHeadlessPorts Extra ports to expose on Keycloak headless service
  ##
  extraHeadlessPorts: []
  ## Headless service properties
  ##
  headless:
    ## @param service.headless.annotations Annotations for the headless service.
    ##
    annotations: {}
    ## @param service.headless.extraPorts Extra ports to expose on Keycloak headless service
    ##
    extraPorts: []
## Keycloak ingress parameters
## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/
## NOTE: enabling the ingress publishes Keycloak under ingress.hostname. Enable ingress.tls as well,
## otherwise logins and tokens cross the ingress without TLS.
##
ingress:
  ## @param ingress.enabled Enable ingress record generation for Keycloak
  ##
  enabled: false
  ## @param ingress.ingressClassName IngressClass that will be used to implement the Ingress (Kubernetes 1.18+)
  ## This is supported in Kubernetes 1.18+ and required if you have more than one IngressClass marked as the default for your cluster.
  ## ref: https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/
  ##
  ingressClassName: ""
  ## @param ingress.pathType Ingress path type
  ##
  pathType: ImplementationSpecific
  ## @param ingress.apiVersion Force Ingress API version (automatically detected if not set)
  ##
  apiVersion: ""
  ## @param ingress.hostname Default host for the ingress record (evaluated as template)
  ##
  hostname: keycloak.local
  ## @param ingress.path [string] Default path for the ingress record (evaluated as template)
  ## NOTE: hostname and path are evaluated as templates, so only values from trusted sources should be
  ## placed in them.
  ##
  path: "{{ .Values.httpRelativePath }}"
  ## @param ingress.servicePort Backend service port to use
  ## Default is http. Alternative is https.
  ## NOTE: with http the hop from the ingress controller to Keycloak is unencrypted.
  ##
  servicePort: http
  ## @param ingress.annotations [object] Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations.
  ## Use this parameter to set the required annotations for cert-manager, see
  ## ref: https://cert-manager.io/docs/usage/ingress/#supported-annotations
  ## e.g:
  ## annotations:
  ##   kubernetes.io/ingress.class: nginx
  ##   cert-manager.io/cluster-issuer: cluster-issuer-name
  ##
  annotations: {}
  ## @param ingress.labels Additional labels for the Ingress resource.
  ## e.g:
  ## labels:
  ##   app: keycloak
  ##
  labels: {}
  ## @param ingress.tls Enable TLS configuration for the host defined at `ingress.hostname` parameter
  ## TLS certificates will be retrieved from a TLS secret with name: `{{- printf "%s-tls" (tpl .Values.ingress.hostname .) }}`
  ## You can:
  ##   - Use the `ingress.secrets` parameter to create this TLS secret
  ##   - Rely on cert-manager to create it by setting the corresponding annotations
  ##   - Rely on Helm to create self-signed certificates by setting `ingress.selfSigned=true`
  ##
  tls: false
  ## @param ingress.selfSigned Create a TLS secret for this ingress record using self-signed certificates generated by Helm
  ## NOTE: self-signed certificates are not trusted by clients unless distributed to them explicitly.
  ##
  selfSigned: false
  ## @param ingress.extraHosts An array with additional hostname(s) to be covered with the ingress record
  ## e.g:
  ## extraHosts:
  ##   - name: keycloak.local
  ##     path: /
  ##
  extraHosts: []
  ## @param ingress.extraPaths Any additional arbitrary paths that may need to be added to the ingress under the main host.
  ## For example: The ALB ingress controller requires a special rule for handling SSL redirection.
  ## extraPaths:
  ## - path: /*
  ##   backend:
  ##     serviceName: ssl-redirect
  ##     servicePort: use-annotation
  ##
  extraPaths: []
  ## @param ingress.extraTls The tls configuration for additional hostnames to be covered with this ingress record.
  ## see: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
  ## extraTls:
  ## - hosts:
  ##     - keycloak.local
  ##   secretName: keycloak.local-tls
  ##
  extraTls: []
  ## @param ingress.secrets If you're providing your own certificates, please use this to add the certificates as secrets
  ## key and certificate should start with -----BEGIN CERTIFICATE----- or
  ## -----BEGIN RSA PRIVATE KEY-----
  ##
  ## name should line up with a tlsSecret set further up
  ## If you're using cert-manager, this is unneeded, as it will create the secret for you if it is not set
  ##
  ## It is also possible to create and manage the certificates outside of this helm chart
  ## Please see README.md for more information
  ## NOTE: a private key placed here is stored in plain text in the values file and in the stored Helm
  ## release; creating the TLS secret outside the chart or through cert-manager avoids that.
  ## e.g:
  ## - name: keycloak.local-tls
  ##   key:
  ##   certificate:
  ##
  secrets: []
  ## @param ingress.extraRules Additional rules to be covered with this ingress record
  ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules
  ## e.g:
  ## extraRules:
  ## - host: airflow.local
  ##   http:
  ##     path: /
  ##     backend:
  ##       service:
  ##         name: airflow-svc
  ##         port:
  ##           name: http
  ##
  extraRules: []
Mohammed Naser65cda132024-05-02 14:34:08 -0400697## Keycloak admin ingress parameters
698## ref: https://kubernetes.io/docs/user-guide/ingress/
699##
700adminIngress:
701 ## @param adminIngress.enabled Enable admin ingress record generation for Keycloak
702 ##
703 enabled: false
704 ## @param adminIngress.ingressClassName IngressClass that will be used to implement the Ingress (Kubernetes 1.18+)
705 ## This is supported in Kubernetes 1.18+ and required if you have more than one IngressClass marked as the default for your cluster.
706 ## ref: https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/
707 ##
708 ingressClassName: ""
709 ## @param adminIngress.pathType Ingress path type
710 ##
711 pathType: ImplementationSpecific
712 ## @param adminIngress.apiVersion Force Ingress API version (automatically detected if not set)
713 ##
714 apiVersion: ""
715 ## @param adminIngress.hostname Default host for the admin ingress record (evaluated as template)
716 ##
717 hostname: keycloak.local
718 ## @param adminIngress.path [string] Default path for the admin ingress record (evaluated as template)
719 ##
720 path: "{{ .Values.httpRelativePath }}"
721 ## @param adminIngress.servicePort Backend service port to use
722 ## Default is http. Alternative is https.
723 ##
724 servicePort: http
725 ## @param adminIngress.annotations [object] Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations.
726 ## Use this parameter to set the required annotations for cert-manager, see
727 ## ref: https://cert-manager.io/docs/usage/ingress/#supported-annotations
728 ## e.g:
729 ## annotations:
730 ## kubernetes.io/ingress.class: nginx
731 ## cert-manager.io/cluster-issuer: cluster-issuer-name
732 ##
733 annotations: {}
734 ## @param adminIngress.labels Additional labels for the Ingress resource.
735 ## e.g:
736 ## labels:
737 ## app: keycloak
738 ##
739 labels: {}
740 ## @param adminIngress.tls Enable TLS configuration for the host defined at `adminIngress.hostname` parameter
741 ## TLS certificates will be retrieved from a TLS secret with name: `{{- printf "%s-tls" (tpl .Values.adminIngress.hostname .) }}`
742 ## You can:
743 ## - Use the `adminIngress.secrets` parameter to create this TLS secret
744 ## - Rely on cert-manager to create it by setting the corresponding annotations
745 ## - Rely on Helm to create self-signed certificates by setting `adminIngress.selfSigned=true`
746 ##
747 tls: false
748 ## @param adminIngress.selfSigned Create a TLS secret for this ingress record using self-signed certificates generated by Helm
749 ##
750 selfSigned: false
751 ## @param adminIngress.extraHosts An array with additional hostname(s) to be covered with the admin ingress record
752 ## e.g:
753 ## extraHosts:
754 ## - name: keycloak.local
755 ## path: /
756 ##
757 extraHosts: []
758 ## @param adminIngress.extraPaths Any additional arbitrary paths that may need to be added to the admin ingress under the main host.
759 ## For example: The ALB ingress controller requires a special rule for handling SSL redirection.
760 ## extraPaths:
761 ## - path: /*
762 ## backend:
763 ## serviceName: ssl-redirect
764 ## servicePort: use-annotation
765 ##
766 extraPaths: []
767 ## @param adminIngress.extraTls The tls configuration for additional hostnames to be covered with this ingress record.
768 ## see: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
769 ## extraTls:
770 ## - hosts:
771 ## - keycloak.local
772 ## secretName: keycloak.local-tls
773 ##
774 extraTls: []
775 ## @param adminIngress.secrets If you're providing your own certificates, please use this to add the certificates as secrets
776 ## The certificate should start with -----BEGIN CERTIFICATE----- and the key with
777 ## -----BEGIN RSA PRIVATE KEY-----. The key is private material, so avoid committing a values file that contains it.
778 ##
779 ## name should line up with a tlsSecret set further up
780 ## If you're using cert-manager, this is unneeded, as it will create the secret for you if it is not set
781 ##
782 ## It is also possible to create and manage the certificates outside of this helm chart
783 ## Please see README.md for more information
784 ## e.g:
785 ## - name: keycloak.local-tls
786 ## key:
787 ## certificate:
788 ##
789 secrets: []
790 ## @param adminIngress.extraRules Additional rules to be covered with this ingress record
791 ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules
792 ## e.g:
793 ## extraRules:
794 ## - host: airflow.local
795 ## http:
796 ## path: /
797 ## backend:
798 ## service:
799 ## name: airflow-svc
800 ## port:
801 ## name: http
802 ##
803 extraRules: []
Oleksandr Kozachenkob0093492023-09-06 21:43:47 +0200804## Network Policy configuration
805## ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/
806##
807networkPolicy:
Mohammed Naser65cda132024-05-02 14:34:08 -0400808 ## @param networkPolicy.enabled Specifies whether a NetworkPolicy should be created
Oleksandr Kozachenkob0093492023-09-06 21:43:47 +0200809 ##
Mohammed Naser65cda132024-05-02 14:34:08 -0400810 enabled: true
811 ## @param networkPolicy.allowExternal Don't require server label for connections
812 ## The policy model to apply. When set to false, only pods with the correct
813 ## server label have network access to the ports the server is listening
814 ## on. When true (the default here), the server accepts connections from any source
815 ## (with the correct destination port), so the NetworkPolicy does not restrict which clients can reach it.
816 ##
817 allowExternal: true
818 ## @param networkPolicy.allowExternalEgress Allow the pod to access any range of ports and all destinations.
Oleksandr Kozachenkob0093492023-09-06 21:43:47 +0200819 ##
Mohammed Naser65cda132024-05-02 14:34:08 -0400820 allowExternalEgress: true
821 ## @param networkPolicy.kubeAPIServerPorts [array] List of possible endpoints to kube-apiserver (limit to your cluster settings to increase security)
822 ##
823 kubeAPIServerPorts: [443, 6443, 8443]
824 ## @param networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy
825 ## e.g:
826 ## extraIngress:
827 ## - ports:
828 ## - port: 1234
829 ## from:
830 ## - podSelector:
831 ## - matchLabels:
832 ## - role: frontend
833 ## - podSelector:
834 ## - matchExpressions:
835 ## - key: role
836 ## operator: In
837 ## values:
838 ## - frontend
839 extraIngress: []
840 ## @param networkPolicy.extraEgress [array] Add extra egress rules to the NetworkPolicy
841 ## e.g:
842 ## extraEgress:
843 ## - ports:
844 ## - port: 1234
845 ## to:
846 ## - podSelector:
847 ## - matchLabels:
848 ## - role: frontend
849 ## - podSelector:
850 ## - matchExpressions:
851 ## - key: role
852 ## operator: In
853 ## values:
854 ## - frontend
855 ##
856 extraEgress: []
857 ## @param networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces
858 ## @param networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces
859 ##
860 ingressNSMatchLabels: {}
861 ingressNSPodMatchLabels: {}
Oleksandr Kozachenkob0093492023-09-06 21:43:47 +0200862## @section RBAC parameter
863## Specifies whether a ServiceAccount should be created
864##
865serviceAccount:
866 ## @param serviceAccount.create Enable the creation of a ServiceAccount for Keycloak pods
867 ##
868 create: true
869 ## @param serviceAccount.name Name of the created ServiceAccount
870 ## If not set and create is true, a name is generated using the fullname template
871 ##
872 name: ""
873 ## @param serviceAccount.automountServiceAccountToken Auto-mount the service account token in the pod
874 ##
Mohammed Naser65cda132024-05-02 14:34:08 -0400875 automountServiceAccountToken: false
Oleksandr Kozachenkob0093492023-09-06 21:43:47 +0200876 ## @param serviceAccount.annotations Additional custom annotations for the ServiceAccount
877 ##
878 annotations: {}
879 ## @param serviceAccount.extraLabels Additional labels for the ServiceAccount
880 ##
881 extraLabels: {}
882## Specifies whether RBAC resources should be created
883##
884rbac:
885 ## @param rbac.create Whether to create and use RBAC resources or not
886 ##
887 create: false
888 ## @param rbac.rules Custom RBAC rules
889 ## Example:
890 ## rules:
891 ## - apiGroups:
892 ## - ""
893 ## resources:
894 ## - pods
895 ## verbs:
896 ## - get
897 ## - list
898 ##
899 rules: []
Oleksandr Kozachenkob0093492023-09-06 21:43:47 +0200900## @section Other parameters
901##
902
903## Keycloak Pod Disruption Budget configuration
904## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/
905##
906pdb:
907 ## @param pdb.create Enable/disable a Pod Disruption Budget creation
908 ##
909 create: false
910 ## @param pdb.minAvailable Minimum number/percentage of pods that should remain scheduled
911 ##
912 minAvailable: 1
913 ## @param pdb.maxUnavailable Maximum number/percentage of pods that may be made unavailable
914 ##
915 maxUnavailable: ""
916## Keycloak Autoscaling configuration
917## @param autoscaling.enabled Enable autoscaling for Keycloak
918## @param autoscaling.minReplicas Minimum number of Keycloak replicas
919## @param autoscaling.maxReplicas Maximum number of Keycloak replicas
920## @param autoscaling.targetCPU Target CPU utilization percentage
921## @param autoscaling.targetMemory Target Memory utilization percentage
922##
923autoscaling:
924 enabled: false
925 minReplicas: 1
926 maxReplicas: 11
927 targetCPU: ""
928 targetMemory: ""
Oleksandr Kozachenkob0093492023-09-06 21:43:47 +0200929## @section Metrics parameters
930##
931
932## Metrics configuration
933##
934metrics:
935 ## @param metrics.enabled Enable exposing Keycloak statistics
936 ## ref: https://github.com/bitnami/containers/tree/main/bitnami/keycloak#enabling-statistics
937 ##
938 enabled: false
939 ## Keycloak metrics service parameters
940 ##
941 service:
942 ## @param metrics.service.ports.http Metrics service HTTP port
943 ##
944 ports:
945 http: 8080
946 ## @param metrics.service.annotations [object] Annotations for enabling prometheus to access the metrics endpoints
947 ##
948 annotations:
949 prometheus.io/scrape: "true"
950 prometheus.io/port: "{{ .Values.metrics.service.ports.http }}"
951 ## @param metrics.service.extraPorts [array] Add additional ports to the keycloak metrics service (e.g. admin port 9000)
952 ##
953 extraPorts: []
Oleksandr Kozachenkob0093492023-09-06 21:43:47 +0200954 ## Prometheus Operator ServiceMonitor configuration
955 ##
956 serviceMonitor:
957 ## @param metrics.serviceMonitor.enabled Create ServiceMonitor Resource for scraping metrics using PrometheusOperator
958 ##
959 enabled: false
960 ## @param metrics.serviceMonitor.port Metrics service HTTP port
961 ##
962 port: http
963 ## @param metrics.serviceMonitor.endpoints [array] The endpoint configuration of the ServiceMonitor. Path is mandatory. Interval, timeout and labellings can be overwritten.
964 ##
965 endpoints:
966 - path: '{{ include "keycloak.httpPath" . }}metrics'
967 - path: '{{ include "keycloak.httpPath" . }}realms/master/metrics'
968 ## @param metrics.serviceMonitor.path Metrics service HTTP path. Deprecated: Use @param metrics.serviceMonitor.endpoints instead
969 ##
970 path: ""
971 ## @param metrics.serviceMonitor.namespace Namespace which Prometheus is running in
972 ##
973 namespace: ""
974 ## @param metrics.serviceMonitor.interval Interval at which metrics should be scraped
975 ##
976 interval: 30s
977 ## @param metrics.serviceMonitor.scrapeTimeout Specify the timeout after which the scrape is ended
978 ## e.g:
979 ## scrapeTimeout: 30s
980 ##
981 scrapeTimeout: ""
982 ## @param metrics.serviceMonitor.labels Additional labels that can be used so ServiceMonitor will be discovered by Prometheus
983 ##
984 labels: {}
985 ## @param metrics.serviceMonitor.selector Prometheus instance selector labels
986 ## ref: https://github.com/bitnami/charts/tree/main/bitnami/prometheus-operator#prometheus-configuration
987 ##
988 selector: {}
989 ## @param metrics.serviceMonitor.relabelings RelabelConfigs to apply to samples before scraping
990 ##
991 relabelings: []
992 ## @param metrics.serviceMonitor.metricRelabelings MetricRelabelConfigs to apply to samples before ingestion
993 ##
994 metricRelabelings: []
995 ## @param metrics.serviceMonitor.honorLabels honorLabels chooses the metric's labels on collisions with target labels
996 ##
997 honorLabels: false
998 ## @param metrics.serviceMonitor.jobLabel The name of the label on the target service to use as the job name in prometheus.
999 ##
1000 jobLabel: ""
1001 ## Prometheus Operator alert rules configuration
1002 ##
1003 prometheusRule:
1004 ## @param metrics.prometheusRule.enabled Create a PrometheusRule resource (alert rules) using PrometheusOperator
1005 ##
1006 enabled: false
1007 ## @param metrics.prometheusRule.namespace Namespace which Prometheus is running in
1008 ##
1009 namespace: ""
1010 ## @param metrics.prometheusRule.labels Additional labels that can be used so PrometheusRule will be discovered by Prometheus
1011 ##
1012 labels: {}
1013 ## @param metrics.prometheusRule.groups Groups, containing the alert rules.
1014 ## Example:
1015 ## groups:
1016 ## - name: Keycloak
1017 ## rules:
1018 ## - alert: KeycloakInstanceNotAvailable
1019 ## annotations:
1020 ## message: "Keycloak instance in namespace {{ `{{` }} $labels.namespace {{ `}}` }} has not been available for the last 5 minutes."
1021 ## expr: |
1022 ## absent(kube_pod_status_ready{namespace="{{ include "common.names.namespace" . }}", condition="true"} * on (pod) kube_pod_labels{pod=~"{{ include "common.names.fullname" . }}-\\d+", namespace="{{ include "common.names.namespace" . }}"}) != 0
1023 ## for: 5m
1024 ## labels:
1025 ## severity: critical
1026 groups: []
Oleksandr Kozachenkob0093492023-09-06 21:43:47 +02001027## @section keycloak-config-cli parameters
1028
1029## Configuration for keycloak-config-cli
1030## ref: https://github.com/adorsys/keycloak-config-cli
1031##
1032keycloakConfigCli:
1033 ## @param keycloakConfigCli.enabled Whether to enable keycloak-config-cli job
1034 ##
1035 enabled: false
1036 ## Bitnami keycloak-config-cli image
1037 ## ref: https://hub.docker.com/r/bitnami/keycloak-config-cli/tags/
Mohammed Naser65cda132024-05-02 14:34:08 -04001038 ## @param keycloakConfigCli.image.registry [default: REGISTRY_NAME] keycloak-config-cli container image registry
1039 ## @param keycloakConfigCli.image.repository [default: REPOSITORY_NAME/keycloak-config-cli] keycloak-config-cli container image repository
1040 ## @skip keycloakConfigCli.image.tag keycloak-config-cli container image tag
Oleksandr Kozachenkob0093492023-09-06 21:43:47 +02001041 ## @param keycloakConfigCli.image.digest keycloak-config-cli container image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag
1042 ## @param keycloakConfigCli.image.pullPolicy keycloak-config-cli container image pull policy
1043 ## @param keycloakConfigCli.image.pullSecrets keycloak-config-cli container image pull secrets
1044 ##
1045 image:
1046 registry: docker.io
1047 repository: bitnami/keycloak-config-cli
Mohammed Naser65cda132024-05-02 14:34:08 -04001048 tag: 5.11.1-debian-12-r0
Oleksandr Kozachenkob0093492023-09-06 21:43:47 +02001049 digest: ""
1050 ## Specify an imagePullPolicy
1051 ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
Mohammed Naser65cda132024-05-02 14:34:08 -04001052 ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images
Oleksandr Kozachenkob0093492023-09-06 21:43:47 +02001053 ##
1054 pullPolicy: IfNotPresent
1055 ## Optionally specify an array of imagePullSecrets.
1056 ## Secrets must be manually created in the namespace.
1057 ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
1058 ## e.g:
1059 ## pullSecrets:
1060 ## - myRegistryKeySecretName
1061 ##
1062 pullSecrets: []
1063 ## @param keycloakConfigCli.annotations [object] Annotations for keycloak-config-cli job
1064 ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
1065 ##
1066 annotations:
1067 helm.sh/hook: "post-install,post-upgrade,post-rollback"
1068 helm.sh/hook-delete-policy: "hook-succeeded,before-hook-creation"
1069 helm.sh/hook-weight: "5"
1070 ## @param keycloakConfigCli.command Command for running the container (set to default if not set). Use array form
1071 ##
1072 command: []
1073 ## @param keycloakConfigCli.args Args for running the container (set to default if not set). Use array form
1074 ##
1075 args: []
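1076 ## @param keycloakConfigCli.automountServiceAccountToken Mount Service Account token in pod
1077 ## Defaults to true here, whereas serviceAccount.automountServiceAccountToken defaults to false; consider false if the job does not call the Kubernetes API.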
1078 automountServiceAccountToken: true
Oleksandr Kozachenkob0093492023-09-06 21:43:47 +02001079 ## @param keycloakConfigCli.hostAliases Job pod host aliases
1080 ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
1081 ##
1082 hostAliases: []
1083 ## Keycloak config CLI resource requests and limits
Mohammed Naser65cda132024-05-02 14:34:08 -04001084 ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
1085 ## @param keycloakConfigCli.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if keycloakConfigCli.resources is set (keycloakConfigCli.resources is recommended for production).
1086 ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
Oleksandr Kozachenkob0093492023-09-06 21:43:47 +02001087 ##
Mohammed Naser65cda132024-05-02 14:34:08 -04001088 resourcesPreset: "small"
1089 ## @param keycloakConfigCli.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
1090 ## Example:
1091 ## resources:
1092 ## requests:
1093 ## cpu: 2
1094 ## memory: 512Mi
1095 ## limits:
1096 ## cpu: 3
1097 ## memory: 1024Mi
1098 ##
1099 resources: {}
Oleksandr Kozachenkob0093492023-09-06 21:43:47 +02001100 ## keycloak-config-cli containers' Security Context
1101 ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
Mohammed Naser65cda132024-05-02 14:34:08 -04001102 ## @param keycloakConfigCli.containerSecurityContext.enabled Enabled keycloak-config-cli Security Context
1103 ## @param keycloakConfigCli.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
1104 ## @param keycloakConfigCli.containerSecurityContext.runAsUser Set keycloak-config-cli Security Context runAsUser
1105 ## @param keycloakConfigCli.containerSecurityContext.runAsGroup Set keycloak-config-cli Security Context runAsGroup
1106 ## @param keycloakConfigCli.containerSecurityContext.runAsNonRoot Set keycloak-config-cli Security Context runAsNonRoot
1107 ## @param keycloakConfigCli.containerSecurityContext.privileged Set keycloak-config-cli Security Context privileged
1108 ## @param keycloakConfigCli.containerSecurityContext.readOnlyRootFilesystem Set keycloak-config-cli Security Context readOnlyRootFilesystem
1109 ## @param keycloakConfigCli.containerSecurityContext.allowPrivilegeEscalation Set keycloak-config-cli Security Context allowPrivilegeEscalation
1110 ## @param keycloakConfigCli.containerSecurityContext.capabilities.drop List of capabilities to be dropped
1111 ## @param keycloakConfigCli.containerSecurityContext.seccompProfile.type Set keycloak-config-cli Security Context seccomp profile
Oleksandr Kozachenkob0093492023-09-06 21:43:47 +02001112 ##
1113 containerSecurityContext:
1114 enabled: true
Mohammed Naser65cda132024-05-02 14:34:08 -04001115 seLinuxOptions: {}
Oleksandr Kozachenkob0093492023-09-06 21:43:47 +02001116 runAsUser: 1001
Mohammed Naser65cda132024-05-02 14:34:08 -04001117 runAsGroup: 1001
Oleksandr Kozachenkob0093492023-09-06 21:43:47 +02001118 runAsNonRoot: true
Mohammed Naser65cda132024-05-02 14:34:08 -04001119 privileged: false
1120 readOnlyRootFilesystem: true
1121 allowPrivilegeEscalation: false
1122 capabilities:
1123 drop: ["ALL"]
1124 seccompProfile:
1125 type: "RuntimeDefault"
Oleksandr Kozachenkob0093492023-09-06 21:43:47 +02001126 ## keycloak-config-cli pods' Security Context
1127 ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
1128 ## @param keycloakConfigCli.podSecurityContext.enabled Enabled keycloak-config-cli pods' Security Context
Mohammed Naser65cda132024-05-02 14:34:08 -04001129 ## @param keycloakConfigCli.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
1130 ## @param keycloakConfigCli.podSecurityContext.sysctls Set kernel settings using the sysctl interface
1131 ## @param keycloakConfigCli.podSecurityContext.supplementalGroups Set filesystem extra groups
Oleksandr Kozachenkob0093492023-09-06 21:43:47 +02001132 ## @param keycloakConfigCli.podSecurityContext.fsGroup Set keycloak-config-cli pod's Security Context fsGroup
1133 ##
1134 podSecurityContext:
1135 enabled: true
Mohammed Naser65cda132024-05-02 14:34:08 -04001136 fsGroupChangePolicy: Always
1137 sysctls: []
1138 supplementalGroups: []
Oleksandr Kozachenkob0093492023-09-06 21:43:47 +02001139 fsGroup: 1001
1140 ## @param keycloakConfigCli.backoffLimit Number of retries before considering a Job as failed
1141 ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy
1142 ##
1143 backoffLimit: 1
1144 ## @param keycloakConfigCli.podLabels Pod extra labels
1145 ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
1146 ##
1147 podLabels: {}
1148 ## @param keycloakConfigCli.podAnnotations Annotations for job pod
1149 ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
1150 ##
1151 podAnnotations: {}
1152 ## @param keycloakConfigCli.extraEnvVars Additional environment variables to set
1153 ## Example:
1154 ## extraEnvVars:
1155 ## - name: FOO
1156 ## value: "bar"
1157 ##
1158 ## @param keycloakConfigCli.nodeSelector Node labels for pod assignment
Mohammed Naser65cda132024-05-02 14:34:08 -04001159 ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
Oleksandr Kozachenkob0093492023-09-06 21:43:47 +02001160 ##
1161 nodeSelector: {}
1162 ##
1163 ## @param keycloakConfigCli.podTolerations Tolerations for job pod assignment
1164 ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
1165 ##
1166 podTolerations: []
1167 extraEnvVars: []
1168 ## @param keycloakConfigCli.extraEnvVarsCM ConfigMap with extra environment variables
1169 ##
1170 extraEnvVarsCM: ""
1171 ## @param keycloakConfigCli.extraEnvVarsSecret Secret with extra environment variables
1172 ##
1173 extraEnvVarsSecret: ""
1174 ## @param keycloakConfigCli.extraVolumes Extra volumes to add to the job
1175 ##
1176 extraVolumes: []
1177 ## @param keycloakConfigCli.extraVolumeMounts Extra volume mounts to add to the container
1178 ##
1179 extraVolumeMounts: []
1180 ## @param keycloakConfigCli.initContainers Add additional init containers to the Keycloak config cli pod
1181 ## Example:
1182 ## initContainers:
1183 ## - name: your-image-name
1184 ## image: your-image
1185 ## imagePullPolicy: Always
1186 ## ports:
1187 ## - name: portname
1188 ## containerPort: 1234
1189 ##
1190 initContainers: []
1191 ## @param keycloakConfigCli.sidecars Add additional sidecar containers to the Keycloak config cli pod
1192 ## Example:
1193 ## sidecars:
1194 ## - name: your-image-name
1195 ## image: your-image
1196 ## imagePullPolicy: Always
1197 ## ports:
1198 ## - name: portname
1199 ## containerPort: 1234
1200 ##
1201 sidecars: []
1202 ## @param keycloakConfigCli.configuration keycloak-config-cli realms configuration
1203 ## NOTE: nil keys will be considered files to import locally
1204 ## Example:
1205 ## configuration:
1206 ## realm1.json: |
1207 ## {
1208 ## "realm": "realm1",
1209 ## "clients": []
1210 ## }
1211 ## realm2.yaml: |
1212 ## realm: realm2
1213 ## clients: []
1214 ##
1215 configuration: {}
Mohammed Naser65cda132024-05-02 14:34:08 -04001216 ## @param keycloakConfigCli.existingConfigmap ConfigMap with keycloak-config-cli configuration
Oleksandr Kozachenkob0093492023-09-06 21:43:47 +02001217 ## NOTE: This will override keycloakConfigCli.configuration
1218 ##
1219 existingConfigmap: ""
1220 ## Automatic Cleanup for Finished Jobs
1221 ## @param keycloakConfigCli.cleanupAfterFinished.enabled Enables Cleanup for Finished Jobs
1222 ## @param keycloakConfigCli.cleanupAfterFinished.seconds Sets the value of ttlSecondsAfterFinished
1223 ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/
1224 ##
1225 cleanupAfterFinished:
1226 enabled: false
1227 seconds: 600
Oleksandr Kozachenkob0093492023-09-06 21:43:47 +02001228## @section Database parameters
1229
1230## PostgreSQL chart configuration
1231## ref: https://github.com/bitnami/charts/blob/main/bitnami/postgresql/values.yaml
1232## @param postgresql.enabled Switch to enable or disable the PostgreSQL helm chart
1233## @param postgresql.auth.postgresPassword Password for the "postgres" admin user. Ignored if `auth.existingSecret` with key `postgres-password` is provided
1234## @param postgresql.auth.username Name for a custom user to create
1235## @param postgresql.auth.password Password for the custom user to create
1236## @param postgresql.auth.database Name for a custom database to create
1237## @param postgresql.auth.existingSecret Name of existing secret to use for PostgreSQL credentials
1238## @param postgresql.architecture PostgreSQL architecture (`standalone` or `replication`)
1239##
1240postgresql:
1241 enabled: true
1242 auth:
1243 postgresPassword: ""
1244 username: bn_keycloak
1245 password: ""
1246 database: bitnami_keycloak
1247 existingSecret: ""
1248 architecture: standalone
1249## External PostgreSQL configuration
1250## All of these values are only used when postgresql.enabled is set to false
1251## @param externalDatabase.host Database host
1252## @param externalDatabase.port Database port number
1253## @param externalDatabase.user Non-root username for Keycloak
1254## @param externalDatabase.password Password for the non-root username for Keycloak
1255## @param externalDatabase.database Keycloak database name
1256## @param externalDatabase.existingSecret Name of an existing secret resource containing the database credentials
1257## @param externalDatabase.existingSecretHostKey Name of an existing secret key containing the database host name
1258## @param externalDatabase.existingSecretPortKey Name of an existing secret key containing the database port
1259## @param externalDatabase.existingSecretUserKey Name of an existing secret key containing the database user
1260## @param externalDatabase.existingSecretDatabaseKey Name of an existing secret key containing the database name
1261## @param externalDatabase.existingSecretPasswordKey Name of an existing secret key containing the database credentials
Mohammed Naser65cda132024-05-02 14:34:08 -04001262## @param externalDatabase.annotations Additional custom annotations for external database secret object
Oleksandr Kozachenkob0093492023-09-06 21:43:47 +02001263##
1264externalDatabase:
1265 host: ""
1266 port: 5432
1267 user: bn_keycloak
1268 database: bitnami_keycloak
1269 password: ""
1270 existingSecret: ""
1271 existingSecretHostKey: ""
1272 existingSecretPortKey: ""
1273 existingSecretUserKey: ""
1274 existingSecretDatabaseKey: ""
1275 existingSecretPasswordKey: ""
Mohammed Naser65cda132024-05-02 14:34:08 -04001276 annotations: {}
Oleksandr Kozachenkob0093492023-09-06 21:43:47 +02001277## @section Keycloak Cache parameters
1278
1279## Keycloak cache configuration
1280## ref: https://www.keycloak.org/server/caching
1281## @param cache.enabled Switch to enable or disable the keycloak distributed cache for kubernetes.
1282## NOTE: Set to false to use 'local' cache (only supported when replicaCount=1).
1283## @param cache.stackName Set infinispan cache stack to use
1284## @param cache.stackFile Set infinispan cache stack filename to use
1285##
1286cache:
1287 enabled: true
1288 stackName: kubernetes
1289 stackFile: ""
Oleksandr Kozachenkob0093492023-09-06 21:43:47 +02001290## @section Keycloak Logging parameters
1291
1292## Keycloak logging configuration
1293## ref: https://www.keycloak.org/server/logging
1294## @param logging.output Alternates between the default log output format or json format
1295## @param logging.level Allowed values as documented: FATAL, ERROR, WARN, INFO, DEBUG, TRACE, ALL, OFF
1296##
1297logging:
1298 output: default
1299 level: INFO