charts/keycloak/templates/statefulset.yaml

{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}

apiVersion: {{ include "common.capabilities.statefulset.apiVersion" . }}
kind: StatefulSet
metadata:
  name: {{ template "common.names.fullname" . }}
  namespace: {{ include "common.names.namespace" . | quote }}
  labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
    app.kubernetes.io/component: keycloak
  {{- if or .Values.statefulsetAnnotations .Values.commonAnnotations }}
  annotations: {{- include "common.tplvalues.merge" ( dict "values" ( list .Values.statefulsetAnnotations .Values.commonAnnotations ) "context" $ ) | nindent 4 }}
  {{- end }}
spec:
  {{- if not .Values.autoscaling.enabled }}
  replicas: {{ .Values.replicaCount }}
  {{- end }}
  revisionHistoryLimit: {{ .Values.revisionHistoryLimitCount }}
  podManagementPolicy: {{ .Values.podManagementPolicy }}
  serviceName: {{ printf "%s-headless" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" }}
  updateStrategy:
    {{- include "common.tplvalues.render" (dict "value" .Values.updateStrategy "context" $ ) | nindent 4 }}
  {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . ) }}
  selector:
    matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }}
      app.kubernetes.io/component: keycloak
  template:
    metadata:
      annotations:
        checksum/configmap-env-vars: {{ include (print $.Template.BasePath "/configmap-env-vars.yaml") . | sha256sum }}
        {{- if not .Values.auth.existingSecret  }}
        checksum/secrets: {{ include (print $.Template.BasePath "/secrets.yaml") . | sha256sum }}
        {{- end }}
        {{- if (include "keycloak.createConfigmap" .) }}
        checksum/configuration: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
        {{- end }}
        {{- if .Values.podAnnotations }}
        {{- include "common.tplvalues.render" (dict "value" .Values.podAnnotations "context" $) | nindent 8 }}
        {{- end }}
      labels: {{- include "common.labels.standard" ( dict "customLabels" $podLabels "context" $ ) | nindent 8 }}
        app.kubernetes.io/component: keycloak
    spec:
      serviceAccountName: {{ template "keycloak.serviceAccountName" . }}
      {{- include "keycloak.imagePullSecrets" . | nindent 6 }}
      automountServiceAccountToken: {{ .Values.automountServiceAccountToken }}
      {{- if .Values.hostAliases }}
      hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.hostAliases "context" $) | nindent 8 }}
      {{- end }}
      {{- if .Values.affinity }}
      affinity: {{- include "common.tplvalues.render" ( dict "value" .Values.affinity "context" $) | nindent 8 }}
      {{- else }}
      affinity:
        podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.podAffinityPreset "customLabels" $podLabels "context" $) | nindent 10 }}
        podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.podAntiAffinityPreset "customLabels" $podLabels "context" $) | nindent 10 }}
        nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.nodeAffinityPreset.type "key" .Values.nodeAffinityPreset.key "values" .Values.nodeAffinityPreset.values) | nindent 10 }}
      {{- end }}
      {{- if .Values.nodeSelector }}
      nodeSelector: {{- include "common.tplvalues.render" ( dict "value" .Values.nodeSelector "context" $) | nindent 8 }}
      {{- end }}
      {{- if .Values.tolerations }}
      tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.tolerations "context" .) | nindent 8 }}
      {{- end }}
      {{- if .Values.topologySpreadConstraints }}
      topologySpreadConstraints: {{- include "common.tplvalues.render" (dict "value" .Values.topologySpreadConstraints "context" .) | nindent 8 }}
      {{- end }}
      {{- if .Values.priorityClassName }}
      priorityClassName: {{ .Values.priorityClassName | quote }}
      {{- end }}
      {{- if .Values.schedulerName }}
      schedulerName: {{ .Values.schedulerName }}
      {{- end }}
      {{- if .Values.podSecurityContext.enabled }}
      securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.podSecurityContext "context" $) | nindent 8 }}
      {{- end }}
      {{- if .Values.dnsPolicy }}
      dnsPolicy: {{ .Values.dnsPolicy }}
      {{- end }}
      {{- if .Values.dnsConfig }}
      dnsConfig: {{- include "common.tplvalues.render" (dict "value" .Values.dnsConfig "context" .) | nindent 8 }}
      {{- end }}
      {{- if semverCompare ">= 1.13" (include "common.capabilities.kubeVersion" .) }}
      enableServiceLinks: {{ .Values.enableServiceLinks }}
      {{- end }}
      {{- if .Values.terminationGracePeriodSeconds }}
      terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }}
      {{- end }}
      {{- if or .Values.enableDefaultInitContainers .Values.initContainers }}
      initContainers:
        {{- if .Values.enableDefaultInitContainers }}
        - name: init-quarkus-directory
          image: {{ template "keycloak.image" . }}
          imagePullPolicy: {{ .Values.image.pullPolicy }}
          command:
            - /bin/bash
          args:
            - -ec
            - |
              #!/bin/bash
              cp -r /opt/bitnami/keycloak/lib/quarkus/* /quarkus
          {{- if .Values.containerSecurityContext.enabled }}
          securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) | nindent 12 }}
          {{- end }}
          {{- if .Values.resources }}
          resources: {{- toYaml .Values.resources | nindent 12 }}
          {{- else if ne .Values.resourcesPreset "none" }}
          resources: {{- include "common.resources.preset" (dict "type" .Values.resourcesPreset) | nindent 12 }}
          {{- end }}
          volumeMounts:
            - name: empty-dir
              mountPath: /tmp
              subPath: tmp-dir
            - name: empty-dir
              mountPath: /quarkus
              subPath: app-quarkus-dir
        {{- end }}
        {{- if .Values.initContainers }}
        {{- include "common.tplvalues.render" (dict "value" .Values.initContainers "context" $) | nindent 8 }}
        {{- end }}
      {{- end }}
      containers:
        - name: keycloak
          image: {{ template "keycloak.image" . }}
          imagePullPolicy: {{ .Values.image.pullPolicy }}
          {{- if .Values.lifecycleHooks }}
          lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.lifecycleHooks "context" $) | nindent 12 }}
          {{- end }}
          {{- if .Values.containerSecurityContext.enabled }}
          securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) | nindent 12 }}
          {{- end }}
          {{- if .Values.diagnosticMode.enabled }}
          command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }}
          {{- else if .Values.command }}
          command: {{- include "common.tplvalues.render" (dict "value" .Values.command "context" $) | nindent 12 }}
          {{- end }}
          {{- if .Values.diagnosticMode.enabled }}
          args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }}
          {{- else if .Values.args }}
          args: {{- include "common.tplvalues.render" (dict "value" .Values.args "context" $) | nindent 12 }}
          {{- end }}
          env:
            - name: KUBERNETES_NAMESPACE
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.namespace
            - name: BITNAMI_DEBUG
              value: {{ ternary "true" "false" .Values.image.debug | quote }}
            - name: KEYCLOAK_ADMIN_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: {{ include "keycloak.secretName" . }}
                  key: {{ include "keycloak.secretKey" . }}
            - name: KEYCLOAK_DATABASE_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: {{ include "keycloak.databaseSecretName" . }}
                  key: {{ include "keycloak.databaseSecretPasswordKey" . }}
            {{- if .Values.externalDatabase.existingSecretHostKey }}
            - name: KEYCLOAK_DATABASE_HOST
              valueFrom:
                secretKeyRef:
                  name: {{ include "keycloak.databaseSecretName" . }}
                  key: {{ include "keycloak.databaseSecretHostKey" . }}
            {{- end }}
            {{- if .Values.externalDatabase.existingSecretPortKey }}
            - name: KEYCLOAK_DATABASE_PORT
              valueFrom:
                secretKeyRef:
                  name: {{ include "keycloak.databaseSecretName" . }}
                  key: {{ include "keycloak.databaseSecretPortKey" . }}
            {{- end }}
            {{- if .Values.externalDatabase.existingSecretUserKey }}
            - name: KEYCLOAK_DATABASE_USER
              valueFrom:
                secretKeyRef:
                  name: {{ include "keycloak.databaseSecretName" . }}
                  key: {{ include "keycloak.databaseSecretUserKey" . }}
            {{- end }}
            {{- if .Values.externalDatabase.existingSecretDatabaseKey }}
            - name: KEYCLOAK_DATABASE_NAME
              valueFrom:
                secretKeyRef:
                  name: {{ include "keycloak.databaseSecretName" . }}
                  key: {{ include "keycloak.databaseSecretDatabaseKey" . }}
            {{- end }}
            {{- if and .Values.tls.enabled (or .Values.tls.keystorePassword .Values.tls.passwordsSecret) }}
            - name: KEYCLOAK_HTTPS_KEY_STORE_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: {{ include "keycloak.tlsPasswordsSecretName" . }}
                  key: "tls-keystore-password"
            {{- end }}
            {{- if and .Values.tls.enabled (or .Values.tls.truststorePassword .Values.tls.passwordsSecret) }}
            - name: KEYCLOAK_HTTPS_TRUST_STORE_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: {{ include "keycloak.tlsPasswordsSecretName" . }}
                  key: "tls-truststore-password"
            {{- end }}
            {{- if and .Values.spi.existingSecret (or .Values.spi.truststorePassword .Values.spi.passwordsSecret) }}
            - name: KEYCLOAK_SPI_TRUSTSTORE_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: {{ include "keycloak.spiPasswordsSecretName" . }}
                  key: "spi-truststore-password"
            {{- end }}
            - name: KEYCLOAK_HTTP_RELATIVE_PATH
              value: {{ .Values.httpRelativePath | quote }}
            {{- if .Values.extraStartupArgs }}
            - name: KEYCLOAK_EXTRA_ARGS
              value: {{ .Values.extraStartupArgs | quote }}
            {{- end }}
            {{- if .Values.adminIngress.enabled }}
            - name: KC_HOSTNAME_ADMIN_URL
              value: "http{{ if .Values.adminIngress.tls }}s{{ end }}://{{ include "common.tplvalues.render" (dict "value" .Values.adminIngress.hostname "context" $) }}"
            {{- end }}
            {{- if and .Values.adminIngress.enabled (not .Values.ingress.enabled) }}
            - name: KC_HOSTNAME_URL
              value: "http{{ if .Values.adminIngress.tls }}s{{ end }}://{{ include "common.tplvalues.render" (dict "value" .Values.adminIngress.hostname "context" $) }}"
            {{- end }}
            {{- if .Values.extraEnvVars }}
            {{- include "common.tplvalues.render" (dict "value" .Values.extraEnvVars "context" $) | nindent 12 }}
            {{- end }}
          envFrom:
            - configMapRef:
                name: {{ printf "%s-env-vars" (include "common.names.fullname" .) }}
            {{- if .Values.extraEnvVarsCM }}
            - configMapRef:
                name: {{ include "common.tplvalues.render" (dict "value" .Values.extraEnvVarsCM "context" $) }}
            {{- end }}
            {{- if .Values.extraEnvVarsSecret }}
            - secretRef:
                name: {{ include "common.tplvalues.render" (dict "value" .Values.extraEnvVarsSecret "context" $) }}
            {{- end }}
          {{- if .Values.resources }}
          resources: {{- toYaml .Values.resources | nindent 12 }}
          {{- else if ne .Values.resourcesPreset "none" }}
          resources: {{- include "common.resources.preset" (dict "type" .Values.resourcesPreset) | nindent 12 }}
          {{- end }}
          ports:
            - name: http
              containerPort: {{ .Values.containerPorts.http }}
              protocol: TCP
            {{- if .Values.tls.enabled }}
            - name: https
              containerPort: {{ .Values.containerPorts.https }}
              protocol: TCP
            {{- end }}
            {{- /* Constant in code: https://github.com/keycloak/keycloak/blob/ce8e925c1ad9bf7a3180d1496e181aeea0ab5f8a/operator/src/main/java/org/keycloak/operator/Constants.java#L60 */}}
            - name: discovery
              containerPort: 7800
            {{- if .Values.extraContainerPorts }}
            {{- include "common.tplvalues.render" (dict "value" .Values.extraContainerPorts "context" $) | nindent 12 }}
            {{- end }}
          {{- if not .Values.diagnosticMode.enabled }}
          {{- if .Values.customStartupProbe }}
          startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customStartupProbe "context" $) | nindent 12 }}
          {{- else if .Values.startupProbe.enabled }}
          startupProbe: {{- omit .Values.startupProbe "enabled" | toYaml | nindent 12 }}
            httpGet:
              path: {{ .Values.httpRelativePath }}
              port: http
          {{- end }}
          {{- if .Values.customLivenessProbe }}
          livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customLivenessProbe "context" $) | nindent 12 }}
          {{- else if .Values.livenessProbe.enabled }}
          livenessProbe: {{- omit .Values.livenessProbe "enabled" | toYaml | nindent 12 }}
            tcpSocket:
              port: http
          {{- end }}
          {{- if .Values.customReadinessProbe }}
          readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customReadinessProbe "context" $) | nindent 12 }}
          {{- else if .Values.readinessProbe.enabled }}
          readinessProbe: {{- omit .Values.readinessProbe "enabled" | toYaml | nindent 12 }}
            httpGet:
              path: {{ .Values.httpRelativePath }}realms/master
              port: http
          {{- end }}
          {{- end }}
          volumeMounts:
            - name: empty-dir
              mountPath: /tmp
              subPath: tmp-dir
            - name: empty-dir
              mountPath: /opt/bitnami/keycloak/conf
              subPath: app-conf-dir
            - name: empty-dir
              mountPath: /opt/bitnami/keycloak/lib/quarkus
              subPath: app-quarkus-dir
            - name: empty-dir
              mountPath: /opt/bitnami/keycloak/data
              subPath: app-data-dir
            {{- if or .Values.configuration .Values.existingConfigmap }}
            - name: keycloak-config
              mountPath: /bitnami/keycloak/conf/keycloak.conf
              subPath: keycloak.conf
            {{- end }}
            {{- if .Values.tls.enabled }}
            - name: certificates
              mountPath: /opt/bitnami/keycloak/certs
              readOnly: true
            {{- end }}
            {{- if .Values.spi.existingSecret }}
            - name: spi-certificates
              mountPath: /opt/bitnami/keycloak/spi-certs
              readOnly: true
            {{- end }}
            {{- if or .Values.initdbScriptsConfigMap .Values.initdbScripts }}
            - name: custom-init-scripts
              mountPath: /docker-entrypoint-initdb.d
            {{- end }}
            {{- if .Values.extraVolumeMounts }}
            {{- include "common.tplvalues.render" (dict "value" .Values.extraVolumeMounts "context" $) | nindent 12 }}
            {{- end }}
        {{- if .Values.sidecars }}
        {{- include "common.tplvalues.render" ( dict "value" .Values.sidecars "context" $) | nindent 8 }}
        {{- end }}
      volumes:
        - name: empty-dir
          emptyDir: {}
        {{- if or .Values.configuration .Values.existingConfigmap }}
        - name: keycloak-config
          configMap:
            name: {{ include "keycloak.configmapName" . }}
        {{- end }}
        {{- if .Values.tls.enabled }}
        - name: certificates
          secret:
            secretName: {{ include "keycloak.tlsSecretName" . }}
            defaultMode: 420
        {{- end }}
        {{- if .Values.spi.existingSecret }}
        - name: spi-certificates
          secret:
            secretName: {{ .Values.spi.existingSecret }}
            defaultMode: 420
        {{- end }}
        {{- if or .Values.initdbScriptsConfigMap .Values.initdbScripts }}
        - name: custom-init-scripts
          configMap:
            name: {{ include "keycloak.initdbScriptsCM" . }}
        {{- end }}
        {{- if .Values.extraVolumes }}
        {{- include "common.tplvalues.render" (dict "value" .Values.extraVolumes "context" $) | nindent 8 }}
        {{- end }}