helmfiles/releases/keycloak.yaml (123 lines of code) (raw):

---
bases:
  - envs/common.yaml
---
releases:
  #######################################################################################
  ## keycloak                                                                          ##
  ## Keycloak is an open source identity and access management system                  ##
  #######################################################################################
  #
  # Helmfile release for the codecentric "keycloakx" chart. The same release is used on
  # Kubernetes and OpenShift; the platform-specific parts are gated on
  # .Values.global.platform below (SCC hook and Route on OpenShift, Ingress on Kubernetes).
  #
  # References:
  # - https://github.com/codecentric/helm-charts/tree/master/charts/keycloakx
  # - https://www.keycloak.org/
  #
  - name: "keycloakx"
    namespace: "security"
    labels:
      chart: "keycloakx"
      repo: "codecentric"
      component: "sso"
      namespace: "security"
      vendor: "keycloakx"
      default: "false"
    chart: "codecentric/keycloakx"
    {{- if eq .Values.global.platform "openshift" }}
    # OpenShift only: apply the SecurityContextConstraints the pod needs before the
    # release is installed, and remove them again after uninstall.
    hooks:
      - events: ["prepare"]
        showlogs: true
        command: "kubectl"
        args: ["apply", "-f", "../resources/keycloak-scc.yaml"]
      - events: ["postuninstall"]
        showlogs: true
        command: "kubectl"
        args: ["delete", "-f", "../resources/keycloak-scc.yaml"]
    {{- end }}
    version: "2.2.1"
    wait: true
    installed: true
    values:
      - replicas: 1
        # Pin the Keycloak image tag to deploy
        image:
          tag: "20.0.3"
        # start: create OpenShift realm which is required by KRCI.
        # The init container writes a minimal realm definition into the shared
        # emptyDir volume "realm"; it is picked up by "--import-realm" on startup.
        extraInitContainers: |
          - name: realm-provider
            image: busybox
            imagePullPolicy: IfNotPresent
            command:
              - sh
            args:
              - -c
              - |
                echo '{"realm": "openshift","enabled": true}' > /opt/keycloak/data/import/openshift.json
            volumeMounts:
              - name: realm
                mountPath: /opt/keycloak/data/import
        extraVolumeMounts: |
          - name: realm
            mountPath: /opt/keycloak/data/import
        extraVolumes: |
          - name: realm
            emptyDir: {}
        # Keycloak (Quarkus distribution) start command. Plain HTTP on 8080 is enabled
        # because TLS is terminated in front of the pod (Ingress / Route below).
        # NOTE(review): hostname checks are relaxed (--hostname-strict=false,
        # --hostname-strict-https=false); confirm this is acceptable for the target
        # environment rather than setting an explicit hostname.
        command:
          - "/opt/keycloak/bin/kc.sh"
          - "--verbose"
          - "start"
          - "--http-enabled=true"
          - "--http-port=8080"
          - "--hostname-strict=false"
          - "--hostname-strict-https=false"
          # Login/event logging levels for the jboss-logging events listener
          # (successful events at info, error events at warn) so they appear in pod logs.
          - "--spi-events-listener-jboss-logging-success-level=info"
          - "--spi-events-listener-jboss-logging-error-level=warn"
          # Import realm JSON files found under /opt/keycloak/data/import at startup
          - "--import-realm"
        extraEnv: |
          # NOTE(review): Keycloak listens on plain HTTP here and the Ingress/Route
          # in front of it terminates TLS — confirm "passthrough" is the intended
          # proxy mode rather than "edge"; verify against the Keycloak proxy docs
          # which mode honors X-Forwarded-* headers for this layout.
          - name: KC_PROXY
            value: "passthrough"
          # Bootstrap admin credentials are read from an existing Secret, not inlined here
          - name: KEYCLOAK_ADMIN
            valueFrom:
              secretKeyRef:
                name: keycloak-admin-creds
                key: username
          - name: KEYCLOAK_ADMIN_PASSWORD
            valueFrom:
              secretKeyRef:
                name: keycloak-admin-creds
                key: password
          # JVM sizing relative to the container limit; the jgroups DNS query is
          # presumably the chart's headless Service — verify if the release name changes
          - name: JAVA_OPTS_APPEND
            value: >-
              -XX:+UseContainerSupport
              -XX:MaxRAMPercentage=50.0
              -Djava.awt.headless=true
              -Djgroups.dns.query=keycloakx-headless
        # Exposing the health endpoints is not recommended: they add an unnecessary attack surface.
        health:
          enabled: false
        # Exposing the metrics endpoint is not recommended: it adds an unnecessary attack surface.
        metrics:
          enabled: false
        {{- if eq .Values.global.platform "kubernetes" }}
        # This block is for Keycloak on Kubernetes.
        ingress:
          enabled: true
          annotations:
            kubernetes.io/ingress.class: nginx
            ingress.kubernetes.io/affinity: cookie
          # Exposing the admin console paths is not recommended: they add an unnecessary attack surface.
          console:
            enabled: false
          rules:
            - host: keycloak.{{ .Values.global.dnsWildCard }}
              paths:
                - path: "/auth/"
                  pathType: Prefix
        {{- end}}
        {{- if eq .Values.global.platform "openshift" }}
        # This block is for Keycloak on OpenShift.
        route:
          enabled: true
          # Path for the Route
          path: "/auth/"
          # Host name for the Route
          host: keycloak.{{ .Values.global.dnsWildCard }}
          # TLS configuration
          tls:
            enabled: true
        {{- end }}
        resources:
          limits:
            memory: "2048Mi"
          requests:
            cpu: "50m"
            memory: "512Mi"
        # Check database readiness at startup
        dbchecker:
          enabled: true
        # External PostgreSQL; the DB password comes from the existing Secret below.
        # NOTE(review): the application connects as "admin" — confirm this role is
        # scoped to the keycloak database only.
        database:
          vendor: postgres
          existingSecret: keycloak-postgresql
          hostname: postgresql-keycloak
          port: 5432
          username: admin
          database: keycloak