marko/HelmChartSammlung
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add initial Keycloak Helm chart with comprehensive configuration

Browse Source 
This commit introduces a complete Helm chart for deploying Keycloak on
Kubernetes. The chart includes a variety of configurations such as
service and ingress definitions, metrics exposure, resource limits, and
autoscaling options.

Key features include:
- Full support for PostgreSQL as a database, configurable through chart
  values.
- Ingress resources for external access, including support for TLS and
  admin interfaces.
- Options to use custom configurations and initialization scripts via
  ConfigMaps.
- Metrics service for Prometheus integration, alongside ServiceMonitor
  configurations for Kubernetes monitoring.
- Enhanced environment variables management, including secret handling
  for sensitive data like passwords.

These changes provide a robust foundation for deploying Keycloak in
both development and production environments. Users should be aware
that this initial setup gives flexibility for customization, but care
should be taken when altering default configurations to ensure
compatibility with existing deployments.
This commit is contained in:
Marko Oldenburg
2025-08-10 11:04:12 +02:00
parent a5a977cb5f
commit c084706fc8
33 changed files with 6147 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

109
charts/keycloak/templates/NOTES.txt Normal file
View File

@@ -0,0 +1,109 @@
CHART NAME: {{ .Chart.Name }}
CHART VERSION: {{ .Chart.Version }}
APP VERSION: {{ .Chart.AppVersion }}
⚠ WARNING: Since August 28th, 2025, only a limited subset of images/charts are available for free.
Subscribe to Bitnami Secure Images to receive continued support and security updates.
More info at https://bitnami.com and https://github.com/bitnami/containers/issues/83267
** Please be patient while the chart is being deployed **
Keycloak can be accessed through the following DNS name from within your cluster:
{{ include "common.names.fullname" . }}.{{ include "common.names.namespace" . }}.svc.{{ .Values.clusterDomain }} (port {{ coalesce .Values.service.ports.http .Values.service.port }})
To access Keycloak from outside the cluster execute the following commands:
{{- if .Values.ingress.enabled }}
1. Get the Keycloak URL and associate its hostname to your cluster external IP:
export CLUSTER_IP=$(minikube ip) # On Minikube. Use: `kubectl cluster-info` on others K8s clusters
echo "Keycloak URL: http{{ if .Values.ingress.tls }}s{{ end }}://{{ (tpl .Values.ingress.hostname .) }}/"
echo "$CLUSTER_IP {{ (tpl .Values.ingress.hostname .) }}" | sudo tee -a /etc/hosts
{{- if .Values.adminIngress.enabled }}
The admin area of Keycloak has been configured to point to a different domain ({{ .Values.adminIngress.hostname }}). Please remember to update the `frontendUrl` property of the `{{ .Values.adminRealm | default "master" }}` (or any other) realm for it to work properly (see README for an example) :
echo "Keycloak admin URL: http{{ if .Values.adminIngress.tls }}s{{ end }}://{{ (tpl .Values.adminIngress.hostname .) }}/"
echo "$CLUSTER_IP {{ (tpl .Values.adminIngress.hostname .) }}" | sudo tee -a /etc/hosts
{{- end }}
{{- else }}
1. Get the Keycloak URL by running these commands:
{{- if contains "NodePort" .Values.service.type }}
export HTTP_NODE_PORT=$(kubectl get --namespace {{ include "common.names.namespace" . }} -o jsonpath="{.spec.ports[?(@.name=='http')].nodePort}" services {{ include "common.names.fullname" . }})
{{- if .Values.tls.enabled }}
export HTTPS_NODE_PORT=$(kubectl get --namespace {{ include "common.names.namespace" . }} -o jsonpath="{.spec.ports[?(@.name=='https')].nodePort}" services {{ include "common.names.fullname" . }})
{{- end }}
export NODE_IP=$(kubectl get nodes --namespace {{ include "common.names.namespace" . }} -o jsonpath="{.items[0].status.addresses[0].address}")
echo "http://${NODE_IP}:${HTTP_NODE_PORT}/"
{{- if .Values.tls.enabled }}
echo "https://${NODE_IP}:${HTTPS_NODE_PORT}/"
{{- end }}
{{- else if contains "LoadBalancer" .Values.service.type }}
NOTE: It may take a few minutes for the LoadBalancer IP to be available.
You can watch its status by running 'kubectl get --namespace {{ include "common.names.namespace" . }} svc -w {{ include "common.names.fullname" . }}'
export HTTP_SERVICE_PORT=$(kubectl get --namespace {{ include "common.names.namespace" . }} -o jsonpath="{.spec.ports[?(@.name=='http')].port}" services {{ include "common.names.fullname" . }})
{{- if .Values.tls.enabled }}
export HTTPS_SERVICE_PORT=$(kubectl get --namespace {{ include "common.names.namespace" . }} -o jsonpath="{.spec.ports[?(@.name=='https')].port}" services {{ include "common.names.fullname" . }})
{{- end }}
export SERVICE_IP=$(kubectl get svc --namespace {{ include "common.names.namespace" . }} {{ include "common.names.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
echo "http://${SERVICE_IP}:${HTTP_SERVICE_PORT}/"
{{- if .Values.tls.enabled }}
echo "https://${SERVICE_IP}:${HTTPS_SERVICE_PORT}/"
{{- end }}
{{- else if contains "ClusterIP" .Values.service.type }}
export HTTP_SERVICE_PORT=$(kubectl get --namespace {{ include "common.names.namespace" . }} -o jsonpath="{.spec.ports[?(@.name=='http')].port}" services {{ include "common.names.fullname" . }})
{{- if .Values.tls.enabled }}
export HTTPS_SERVICE_PORT=$(kubectl get --namespace {{ include "common.names.namespace" . }} -o jsonpath="{.spec.ports[?(@.name=='https')].port}" services {{ include "common.names.fullname" . }})
kubectl port-forward --namespace {{ include "common.names.namespace" . }} svc/{{ include "common.names.fullname" . }} ${HTTP_SERVICE_PORT}:${HTTP_SERVICE_PORT} ${HTTPS_SERVICE_PORT}:${HTTPS_SERVICE_PORT} &
{{- else }}
kubectl port-forward --namespace {{ include "common.names.namespace" . }} svc/{{ include "common.names.fullname" . }} ${HTTP_SERVICE_PORT}:${HTTP_SERVICE_PORT} &
{{- end }}
echo "http://127.0.0.1:${HTTP_SERVICE_PORT}/"
{{- if .Values.tls.enabled }}
echo "https://127.0.0.1:${HTTPS_SERVICE_PORT}/"
{{- end }}
{{- end }}
{{- end }}
2. Access Keycloak using the obtained URL.
{{- if and .Values.auth.adminUser .Values.auth.adminPassword }}
3. Access the Administration Console using the following credentials:
echo Username: {{ .Values.auth.adminUser }}
echo Password: $(kubectl get secret --namespace {{ include "common.names.namespace" . }} {{ include "keycloak.secretName" . }} -o jsonpath="{.data.{{ include "keycloak.secretKey" .}}}" | base64 -d)
{{- end }}
{{- if .Values.metrics.enabled }}
You can access the Prometheus metrics following the steps below:
1. Get the Keycloak Prometheus metrics URL by running:
{{- $metricsPort := coalesce .Values.metrics.service.ports.metrics .Values.metrics.service.port | toString }}
kubectl port-forward --namespace {{ include "common.names.namespace" . }} svc/{{ printf "%s-metrics" (include "common.names.fullname" .) }} {{ $metricsPort }}:{{ $metricsPort }} &
echo "Keycloak Prometheus metrics URL: http://127.0.0.1:{{ $metricsPort }}/metrics"
2. Open a browser and access Keycloak Prometheus metrics using the obtained URL.
{{- end }}
{{- include "keycloak.validateValues" . }}
{{- include "common.warnings.rollingTag" .Values.image }}
{{- include "common.warnings.rollingTag" .Values.keycloakConfigCli.image }}
{{- include "common.warnings.resources" (dict "sections" (list "keycloakConfigCli" "") "context" $) }}
{{- include "common.warnings.modifiedImages" (dict "images" (list .Values.image .Values.keycloakConfigCli.image) "context" $) }}
{{- include "common.errors.insecureImages" (dict "images" (list .Values.image .Values.keycloakConfigCli.image) "context" $) }}

355
charts/keycloak/templates/_helpers.tpl Normal file
View File

@@ -0,0 +1,355 @@
{{/*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{/*
Return the proper Keycloak image name
*/}}
{{- define "keycloak.image" -}}
{{ include "common.images.image" (dict "imageRoot" .Values.image "global" .Values.global) }}
{{- end -}}
{{/*
Return the proper keycloak-config-cli image name
*/}}
{{- define "keycloak.keycloakConfigCli.image" -}}
{{ include "common.images.image" (dict "imageRoot" .Values.keycloakConfigCli.image "global" .Values.global) }}
{{- end -}}
{{/*
Return the keycloak-config-cli configuration configmap.
*/}}
{{- define "keycloak.keycloakConfigCli.configmapName" -}}
{{- if .Values.keycloakConfigCli.existingConfigmap -}}
{{- printf "%s" (tpl .Values.keycloakConfigCli.existingConfigmap $) -}}
{{- else -}}
{{- printf "%s-keycloak-config-cli-configmap" (include "common.names.fullname" .) -}}
{{- end -}}
{{- end -}}
{{/*
Return true if a configmap object should be created for keycloak-config-cli
*/}}
{{- define "keycloak.keycloakConfigCli.createConfigmap" -}}
{{- if and .Values.keycloakConfigCli.enabled .Values.keycloakConfigCli.configuration (not .Values.keycloakConfigCli.existingConfigmap) -}}
{{- true -}}
{{- end -}}
{{- end -}}
{{/*
Return the proper Docker Image Registry Secret Names
*/}}
{{- define "keycloak.imagePullSecrets" -}}
{{- include "common.images.renderPullSecrets" (dict "images" (list .Values.image .Values.keycloakConfigCli.image) "context" $) -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
*/}}
{{- define "keycloak.postgresql.fullname" -}}
{{- include "common.names.dependency.fullname" (dict "chartName" "postgresql" "chartValues" .Values.postgresql "context" $) -}}
{{- end -}}
{{/*
Create the name of the service account to use
*/}}
{{- define "keycloak.serviceAccountName" -}}
{{- if .Values.serviceAccount.create -}}
{{ default (include "common.names.fullname" .) .Values.serviceAccount.name }}
{{- else -}}
{{ default "default" .Values.serviceAccount.name }}
{{- end -}}
{{- end -}}
{{/*
Return the path Keycloak is hosted on. This looks at httpRelativePath and returns it with a trailing slash. For example:
/ -> / (the default httpRelativePath)
/auth -> /auth/ (trailing slash added)
/custom/ -> /custom/ (unchanged)
*/}}
{{- define "keycloak.httpPath" -}}
{{ ternary .Values.httpRelativePath (printf "%s%s" .Values.httpRelativePath "/") (hasSuffix "/" .Values.httpRelativePath) }}
{{- end -}}
{{/*
Return the Keycloak configuration configmap
*/}}
{{- define "keycloak.configmapName" -}}
{{- if .Values.existingConfigmap -}}
{{- printf "%s" (tpl .Values.existingConfigmap $) -}}
{{- else -}}
{{- printf "%s-configuration" (include "common.names.fullname" .) -}}
{{- end -}}
{{- end -}}
{{/*
Return true if a configmap object should be created
*/}}
{{- define "keycloak.createConfigmap" -}}
{{- if and .Values.configuration (not .Values.existingConfigmap) }}
{{- true -}}
{{- end -}}
{{- end -}}
{{/*
Return the Database hostname
*/}}
{{- define "keycloak.databaseHost" -}}
{{- if eq .Values.postgresql.architecture "replication" }}
{{- ternary (include "keycloak.postgresql.fullname" .) (tpl .Values.externalDatabase.host $) .Values.postgresql.enabled -}}-primary
{{- else -}}
{{- ternary (include "keycloak.postgresql.fullname" .) (tpl .Values.externalDatabase.host $) .Values.postgresql.enabled -}}
{{- end -}}
{{- end -}}
{{/*
Return the Database port
*/}}
{{- define "keycloak.databasePort" -}}
{{- ternary "5432" (tpl (.Values.externalDatabase.port | toString) $) .Values.postgresql.enabled | quote -}}
{{- end -}}
{{/*
Return the Database database name
*/}}
{{- define "keycloak.databaseName" -}}
{{- if .Values.postgresql.enabled }}
{{- if .Values.global.postgresql }}
{{- if .Values.global.postgresql.auth }}
{{- coalesce .Values.global.postgresql.auth.database .Values.postgresql.auth.database -}}
{{- else -}}
{{- .Values.postgresql.auth.database -}}
{{- end -}}
{{- else -}}
{{- .Values.postgresql.auth.database -}}
{{- end -}}
{{- else -}}
{{- tpl .Values.externalDatabase.database $ -}}
{{- end -}}
{{- end -}}
{{/*
Return the Database port
*/}}
{{- define "keycloak.databaseSchema" -}}
{{- ternary "public" (tpl (.Values.externalDatabase.schema | toString) $) .Values.postgresql.enabled | quote -}}
{{- end -}}
{{/*
Return the Database user
*/}}
{{- define "keycloak.databaseUser" -}}
{{- if .Values.postgresql.enabled -}}
{{- if .Values.global.postgresql -}}
{{- if .Values.global.postgresql.auth -}}
{{- coalesce .Values.global.postgresql.auth.username .Values.postgresql.auth.username -}}
{{- else -}}
{{- .Values.postgresql.auth.username -}}
{{- end -}}
{{- else -}}
{{- .Values.postgresql.auth.username -}}
{{- end -}}
{{- else -}}
{{- tpl .Values.externalDatabase.user $ -}}
{{- end -}}
{{- end -}}
{{/*
Return the Database encrypted password
*/}}
{{- define "keycloak.databaseSecretName" -}}
{{- if .Values.postgresql.enabled -}}
{{- if .Values.global.postgresql -}}
{{- if .Values.global.postgresql.auth -}}
{{- if .Values.global.postgresql.auth.existingSecret -}}
{{- tpl .Values.global.postgresql.auth.existingSecret $ -}}
{{- else -}}
{{- default (include "keycloak.postgresql.fullname" .) (tpl .Values.postgresql.auth.existingSecret $) -}}
{{- end -}}
{{- else -}}
{{- default (include "keycloak.postgresql.fullname" .) (tpl .Values.postgresql.auth.existingSecret $) -}}
{{- end -}}
{{- else -}}
{{- default (include "keycloak.postgresql.fullname" .) (tpl .Values.postgresql.auth.existingSecret $) -}}
{{- end -}}
{{- else -}}
{{- default (printf "%s-externaldb" (include "common.names.fullname" .)) (tpl .Values.externalDatabase.existingSecret $) -}}
{{- end -}}
{{- end -}}
{{/*
Add environment variables to configure database values
*/}}
{{- define "keycloak.databaseSecretPasswordKey" -}}
{{- if .Values.postgresql.enabled -}}
{{- printf "%s" (.Values.postgresql.auth.secretKeys.userPasswordKey | default "password") -}}
{{- else -}}
{{- if .Values.externalDatabase.existingSecret -}}
{{- if .Values.externalDatabase.existingSecretPasswordKey -}}
{{- printf "%s" .Values.externalDatabase.existingSecretPasswordKey -}}
{{- else -}}
{{- print "db-password" -}}
{{- end -}}
{{- else -}}
{{- print "db-password" -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{- define "keycloak.databaseSecretHostKey" -}}
{{- if .Values.externalDatabase.existingSecretHostKey -}}
{{- printf "%s" .Values.externalDatabase.existingSecretHostKey -}}
{{- else -}}
{{- print "db-host" -}}
{{- end -}}
{{- end -}}
{{- define "keycloak.databaseSecretPortKey" -}}
{{- if .Values.externalDatabase.existingSecretPortKey -}}
{{- printf "%s" .Values.externalDatabase.existingSecretPortKey -}}
{{- else -}}
{{- print "db-port" -}}
{{- end -}}
{{- end -}}
{{- define "keycloak.databaseSecretUserKey" -}}
{{- if .Values.externalDatabase.existingSecretUserKey -}}
{{- printf "%s" .Values.externalDatabase.existingSecretUserKey -}}
{{- else -}}
{{- print "db-user" -}}
{{- end -}}
{{- end -}}
{{- define "keycloak.databaseSecretDatabaseKey" -}}
{{- if .Values.externalDatabase.existingSecretDatabaseKey -}}
{{- printf "%s" .Values.externalDatabase.existingSecretDatabaseKey -}}
{{- else -}}
{{- print "db-database" -}}
{{- end -}}
{{- end -}}
{{/*
Return the Keycloak initdb scripts configmap
*/}}
{{- define "keycloak.initdbScriptsCM" -}}
{{- if .Values.initdbScriptsConfigMap -}}
{{- printf "%s" .Values.initdbScriptsConfigMap -}}
{{- else -}}
{{- printf "%s-init-scripts" (include "common.names.fullname" .) -}}
{{- end -}}
{{- end -}}
{{/*
Return the secret containing the Keycloak admin password
*/}}
{{- define "keycloak.secretName" -}}
{{- $secretName := .Values.auth.existingSecret -}}
{{- if $secretName -}}
{{- printf "%s" (tpl $secretName $) -}}
{{- else -}}
{{- printf "%s" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{/*
Return the secret key that contains the Keycloak admin password
*/}}
{{- define "keycloak.secretKey" -}}
{{- $secretName := .Values.auth.existingSecret -}}
{{- if and $secretName .Values.auth.passwordSecretKey -}}
{{- printf "%s" .Values.auth.passwordSecretKey -}}
{{- else -}}
{{- print "admin-password" -}}
{{- end -}}
{{- end -}}
{{/*
Return the secret containing Keycloak HTTPS/TLS certificates
*/}}
{{- define "keycloak.tlsSecretName" -}}
{{- $secretName := .Values.tls.existingSecret -}}
{{- if $secretName -}}
{{- printf "%s" (tpl $secretName $) -}}
{{- else -}}
{{- printf "%s-crt" (include "common.names.fullname" .) -}}
{{- end -}}
{{- end -}}
{{/*
Return the secret containing Keycloak HTTPS/TLS keystore and truststore passwords
*/}}
{{- define "keycloak.tlsPasswordsSecretName" -}}
{{- $secretName := .Values.tls.passwordsSecret -}}
{{- if $secretName -}}
{{- printf "%s" (tpl $secretName $) -}}
{{- else -}}
{{- printf "%s-tls-passwords" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{/*
Return the secret containing Keycloak SPI TLS certificates
*/}}
{{- define "keycloak.spiPasswordsSecretName" -}}
{{- $secretName := .Values.spi.passwordsSecret -}}
{{- if $secretName -}}
{{- printf "%s" (tpl $secretName $) -}}
{{- else -}}
{{- printf "%s-spi-passwords" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{/*
Return true if a TLS secret object should be created
*/}}
{{- define "keycloak.createTlsSecret" -}}
{{- if and .Values.tls.enabled .Values.tls.autoGenerated (not .Values.tls.existingSecret) }}
{{- true -}}
{{- end -}}
{{- end -}}
{{/*
Compile all warnings into a single message.
*/}}
{{- define "keycloak.validateValues" -}}
{{- $messages := list -}}
{{- $messages := append $messages (include "keycloak.validateValues.database" .) -}}
{{- $messages := append $messages (include "keycloak.validateValues.tls" .) -}}
{{- $messages := append $messages (include "keycloak.validateValues.production" .) -}}
{{- $messages := without $messages "" -}}
{{- $message := join "\n" $messages -}}
{{- if $message -}}
{{- printf "\nVALUES VALIDATION:\n%s" $message | fail -}}
{{- end -}}
{{- end -}}
{{/* Validate values of Keycloak - database */}}
{{- define "keycloak.validateValues.database" -}}
{{- if and (not .Values.postgresql.enabled) (not .Values.externalDatabase.host) (and (not .Values.externalDatabase.password) (not .Values.externalDatabase.existingSecret)) -}}
keycloak: database
You disabled the PostgreSQL sub-chart but did not specify an external PostgreSQL host.
Either deploy the PostgreSQL sub-chart (--set postgresql.enabled=true),
or set a value for the external database host (--set externalDatabase.host=FOO)
and set a value for the external database password (--set externalDatabase.password=BAR)
or existing secret (--set externalDatabase.existingSecret=BAR).
{{- end -}}
{{- end -}}
{{/* Validate values of Keycloak - TLS enabled */}}
{{- define "keycloak.validateValues.tls" -}}
{{- if and .Values.tls.enabled (not .Values.tls.autoGenerated) (not .Values.tls.existingSecret) }}
keycloak: tls.enabled
In order to enable TLS, you also need to provide
an existing secret containing the Keystore and Truststore or
enable auto-generated certificates.
{{- end -}}
{{- end -}}
{{/* Validate values of Keycloak - Production mode enabled */}}
{{- define "keycloak.validateValues.production" -}}
{{- if and .Values.production (not .Values.tls.enabled) (not (eq .Values.proxy "edge")) (empty .Values.proxyHeaders) -}}
keycloak: production
In order to enable Production mode, you also need to enable HTTPS/TLS
using the value 'tls.enabled' and providing an existing secret containing the Keystore and Trustore.
{{- end -}}
{{- end -}}

57
charts/keycloak/templates/admin-ingress.yaml Normal file
View File

@@ -0,0 +1,57 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- if .Values.adminIngress.enabled }}
apiVersion: {{ include "common.capabilities.ingress.apiVersion" . }}
kind: Ingress
metadata:
name: {{ include "common.names.fullname" . }}-admin
namespace: {{ include "common.names.namespace" . | quote }}
{{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.adminIngress.labels .Values.commonLabels ) "context" . ) }}
labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }}
app.kubernetes.io/component: keycloak
{{- if or .Values.adminIngress.annotations .Values.commonAnnotations }}
{{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.adminIngress.annotations .Values.commonAnnotations ) "context" . ) }}
annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }}
{{- end }}
spec:
{{- if .Values.adminIngress.ingressClassName }}
ingressClassName: {{ include "common.tplvalues.render" ( dict "value" .Values.adminIngress.ingressClassName "context" $ ) | quote }}
{{- end }}
rules:
{{- if .Values.adminIngress.hostname }}
- host: {{ (tpl .Values.adminIngress.hostname .) | quote }}
http:
paths:
{{- if .Values.adminIngress.extraPaths }}
{{- toYaml .Values.adminIngress.extraPaths | nindent 10 }}
{{- end }}
- path: {{ include "common.tplvalues.render" ( dict "value" .Values.adminIngress.path "context" $) }}
pathType: {{ .Values.adminIngress.pathType }}
backend: {{- include "common.ingress.backend" (dict "serviceName" (include "common.names.fullname" .) "servicePort" .Values.adminIngress.servicePort "context" $) | nindent 14 }}
{{- end }}
{{- range .Values.adminIngress.extraHosts }}
- host: {{ (tpl .name $) }}
http:
paths:
- path: {{ default "/" .path }}
pathType: {{ default "ImplementationSpecific" .pathType }}
backend: {{- include "common.ingress.backend" (dict "serviceName" (include "common.names.fullname" $) "servicePort" $.Values.adminIngress.servicePort "context" $) | nindent 14 }}
{{- end }}
{{- if .Values.adminIngress.extraRules }}
{{- include "common.tplvalues.render" (dict "value" .Values.adminIngress.extraRules "context" $) | nindent 4 }}
{{- end }}
{{- if or (and .Values.adminIngress.tls (or (include "common.ingress.certManagerRequest" ( dict "annotations" .Values.adminIngress.annotations )) .Values.adminIngress.selfSigned .Values.adminIngress.secrets )) .Values.adminIngress.extraTls }}
tls:
{{- if and .Values.adminIngress.tls (or (include "common.ingress.certManagerRequest" ( dict "annotations" .Values.adminIngress.annotations )) .Values.adminIngress.secrets .Values.adminIngress.selfSigned) }}
- hosts:
- {{ (tpl .Values.adminIngress.hostname .) | quote }}
secretName: {{ printf "%s-tls" (tpl .Values.adminIngress.hostname .) }}
{{- end }}
{{- if .Values.adminIngress.extraTls }}
{{- include "common.tplvalues.render" (dict "value" .Values.adminIngress.extraTls "context" $) | nindent 4 }}
{{- end }}
{{- end }}
{{- end }}

109
charts/keycloak/templates/configmap-env-vars.yaml Normal file
View File

@@ -0,0 +1,109 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ printf "%s-env-vars" (include "common.names.fullname" .) }}
namespace: {{ include "common.names.namespace" . | quote }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
app.kubernetes.io/component: keycloak
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
data:
KC_BOOTSTRAP_ADMIN_USERNAME: {{ .Values.auth.adminUser | quote }}
KEYCLOAK_HTTP_PORT: {{ .Values.containerPorts.http | quote }}
{{- if and .Values.proxy (empty .Values.proxyHeaders) }}
KEYCLOAK_PROXY_HEADERS: {{ ternary "" "xforwarded" (eq .Values.proxy "passthrough") | quote }}
{{- else }}
KEYCLOAK_PROXY_HEADERS: {{ .Values.proxyHeaders | quote }}
{{- end }}
{{- if and .Values.adminIngress.enabled .Values.adminIngress.hostname }}
KEYCLOAK_HOSTNAME_ADMIN: |-
{{ ternary "https://" "http://" ( or .Values.adminIngress.tls (eq .Values.proxy "edge") (not (empty .Values.proxyHeaders)) ) -}} {{- include "common.tplvalues.render" (dict "value" .Values.adminIngress.hostname "context" $) -}}
{{- if eq .Values.adminIngress.controller "default" }}
{{- include "common.tplvalues.render" (dict "value" .Values.adminIngress.path "context" $) }}
{{- else if eq .Values.adminIngress.controller "gce" }}
{{- $path := .Values.adminIngress.path -}}
{{- if hasSuffix "*" $path -}}
{{- $path = trimSuffix "*" $path -}}
{{- end -}}
{{- include "common.tplvalues.render" (dict "value" $path "context" $) }}
{{- end }}
{{- end }}
{{- if and .Values.ingress.enabled .Values.ingress.hostname }}
KEYCLOAK_HOSTNAME: |-
{{ ternary "https://" "http://" ( or .Values.ingress.tls (eq .Values.proxy "edge") (not (empty .Values.proxyHeaders)) ) -}} {{- include "common.tplvalues.render" (dict "value" .Values.ingress.hostname "context" $) -}}
{{- if eq .Values.ingress.controller "default" }}
{{- include "common.tplvalues.render" (dict "value" .Values.ingress.path "context" $) }}
{{- else if eq .Values.ingress.controller "gce" }}
{{- $path := .Values.ingress.path -}}
{{- if hasSuffix "*" $path -}}
{{- $path = trimSuffix "*" $path -}}
{{- end -}}
{{- include "common.tplvalues.render" (dict "value" $path "context" $) }}
{{- end }}
{{- end }}
{{- if .Values.ingress.enabled }}
KEYCLOAK_HOSTNAME_STRICT: {{ ternary "true" "false" .Values.ingress.hostnameStrict | quote }}
{{- end }}
KEYCLOAK_ENABLE_STATISTICS: {{ ternary "true" "false" .Values.metrics.enabled | quote }}
{{- if not .Values.externalDatabase.existingSecretHostKey }}
KEYCLOAK_DATABASE_HOST: {{ include "keycloak.databaseHost" . | quote }}
{{- end }}
{{- if not .Values.externalDatabase.existingSecretPortKey }}
KEYCLOAK_DATABASE_PORT: {{ include "keycloak.databasePort" . }}
{{- end }}
{{- if not .Values.externalDatabase.existingSecretDatabaseKey }}
KEYCLOAK_DATABASE_NAME: {{ include "keycloak.databaseName" . | quote }}
{{- end }}
KEYCLOAK_DATABASE_SCHEMA: {{ include "keycloak.databaseSchema" . }}
{{- if not .Values.externalDatabase.existingSecretUserKey }}
KEYCLOAK_DATABASE_USER: {{ include "keycloak.databaseUser" . | quote }}
{{- end }}
KEYCLOAK_PRODUCTION: {{ ternary "true" "false" .Values.production | quote }}
KEYCLOAK_ENABLE_HTTPS: {{ ternary "true" "false" .Values.tls.enabled | quote }}
{{- if .Values.customCaExistingSecret }}
KC_TRUSTSTORE_PATHS: "/opt/bitnami/keycloak/custom-ca"
{{- end }}
{{- if .Values.tls.enabled }}
KEYCLOAK_HTTPS_PORT: {{ .Values.containerPorts.https | quote }}
KEYCLOAK_HTTPS_USE_PEM: {{ ternary "true" "false" (or .Values.tls.usePem .Values.tls.autoGenerated) | quote }}
{{- if or .Values.tls.usePem .Values.tls.autoGenerated }}
KEYCLOAK_HTTPS_CERTIFICATE_FILE: "/opt/bitnami/keycloak/certs/tls.crt"
KEYCLOAK_HTTPS_CERTIFICATE_KEY_FILE: "/opt/bitnami/keycloak/certs/tls.key"
{{- else }}
KEYCLOAK_HTTPS_KEY_STORE_FILE: {{ printf "/opt/bitnami/keycloak/certs/%s" .Values.tls.keystoreFilename | quote }}
KEYCLOAK_HTTPS_TRUST_STORE_FILE: {{ printf "/opt/bitnami/keycloak/certs/%s" .Values.tls.truststoreFilename | quote }}
{{- end }}
{{- end }}
{{- if .Values.spi.existingSecret }}
{{- if .Values.spi.hostnameVerificationPolicy }}
KEYCLOAK_SPI_TRUSTSTORE_FILE_HOSTNAME_VERIFICATION_POLICY: {{ .Values.spi.hostnameVerificationPolicy | quote }}
{{- end }}
KEYCLOAK_SPI_TRUSTSTORE_FILE: {{ printf "/opt/bitnami/keycloak/spi-certs/%s" .Values.spi.truststoreFilename }}
{{- end }}
{{- if .Values.cache.enabled }}
KC_CACHE_TYPE: "ispn"
{{- if .Values.cache.stack }}
KC_CACHE_STACK: {{ .Values.cache.stack | quote }}
{{- end }}
{{- if .Values.cache.configFile }}
KC_CACHE_CONFIG_FILE: {{ .Values.cache.configFile | quote }}
{{- end }}
{{- if .Values.cache.useHeadlessServiceWithAppVersion }}
JAVA_OPTS_APPEND: {{ printf "-Djgroups.dns.query=%s-headless-ispn-%s.%s.svc.%s" (include "common.names.fullname" .) (replace "." "-" .Chart.AppVersion) (include "common.names.namespace" .) .Values.clusterDomain | quote }}
{{- else }}
JAVA_OPTS_APPEND: {{ printf "-Djgroups.dns.query=%s-headless.%s.svc.%s" (include "common.names.fullname" .) (include "common.names.namespace" .) .Values.clusterDomain | quote }}
{{- end }}
{{- else }}
KC_CACHE_TYPE: "local"
{{- end }}
{{- if .Values.logging }}
KEYCLOAK_LOG_OUTPUT: {{ .Values.logging.output | quote }}
KEYCLOAK_LOG_LEVEL: {{ .Values.logging.level | quote }}
{{- end }}

20
charts/keycloak/templates/configmap.yaml Normal file
View File

@@ -0,0 +1,20 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- if (include "keycloak.createConfigmap" .) }}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ printf "%s-configuration" (include "common.names.fullname" .) }}
namespace: {{ include "common.names.namespace" . | quote }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
app.kubernetes.io/component: keycloak
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
data:
keycloak.conf: |-
{{- .Values.configuration | nindent 4 }}
{{- end }}

9
charts/keycloak/templates/extra-list.yaml Normal file
View File

@@ -0,0 +1,9 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- range .Values.extraDeploy }}
---
{{ include "common.tplvalues.render" (dict "value" . "context" $) }}
{{- end }}

43
charts/keycloak/templates/headless-service-ispn.yaml Normal file
View File

@@ -0,0 +1,43 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- if and .Values.cache.enabled .Values.cache.useHeadlessServiceWithAppVersion }}
apiVersion: v1
kind: Service
metadata:
name: {{ printf "%s-headless-ispn-%s" (include "common.names.fullname" .) (replace "." "-" .Chart.AppVersion) | trunc 63 | trimSuffix "-" }}
namespace: {{ include "common.names.namespace" . | quote }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
app.kubernetes.io/component: keycloak
{{- if or .Values.commonAnnotations .Values.service.headless.annotations }}
{{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.service.headless.annotations .Values.commonAnnotations ) "context" . ) }}
annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }}
{{- end }}
spec:
type: ClusterIP
clusterIP: None
ports:
- name: http
port: {{ .Values.containerPorts.http }}
protocol: TCP
targetPort: http
{{- if .Values.tls.enabled }}
- name: https
port: {{ .Values.containerPorts.https }}
protocol: TCP
targetPort: https
{{- end }}
{{- if .Values.service.extraHeadlessPorts }}
{{- include "common.tplvalues.render" (dict "value" .Values.service.extraHeadlessPorts "context" $) | nindent 4 }}
{{- end }}
{{- if .Values.service.headless.extraPorts }}
{{- include "common.tplvalues.render" (dict "value" .Values.service.headless.extraPorts "context" $) | nindent 4 }}
{{- end }}
publishNotReadyAddresses: true
{{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . ) }}
selector: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 4 }}
app.kubernetes.io/component: keycloak
app.kubernetes.io/app-version: {{ .Chart.AppVersion }}
{{- end }}

40
charts/keycloak/templates/headless-service.yaml Normal file
View File

@@ -0,0 +1,40 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
apiVersion: v1
kind: Service
metadata:
name: {{ printf "%s-headless" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" }}
namespace: {{ include "common.names.namespace" . | quote }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
app.kubernetes.io/component: keycloak
{{- if or .Values.commonAnnotations .Values.service.headless.annotations }}
{{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.service.headless.annotations .Values.commonAnnotations ) "context" . ) }}
annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }}
{{- end }}
spec:
type: ClusterIP
clusterIP: None
ports:
- name: http
port: {{ .Values.containerPorts.http }}
protocol: TCP
targetPort: http
{{- if .Values.tls.enabled }}
- name: https
port: {{ .Values.containerPorts.https }}
protocol: TCP
targetPort: https
{{- end }}
{{- if .Values.service.extraHeadlessPorts }}
{{- include "common.tplvalues.render" (dict "value" .Values.service.extraHeadlessPorts "context" $) | nindent 4 }}
{{- end }}
{{- if .Values.service.headless.extraPorts }}
{{- include "common.tplvalues.render" (dict "value" .Values.service.headless.extraPorts "context" $) | nindent 4 }}
{{- end }}
publishNotReadyAddresses: true
{{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . ) }}
selector: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 4 }}
app.kubernetes.io/component: keycloak

58
charts/keycloak/templates/hpa.yaml Normal file
View File

@@ -0,0 +1,58 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- if .Values.autoscaling.enabled }}
apiVersion: {{ include "common.capabilities.hpa.apiVersion" ( dict "context" $ ) }}
kind: HorizontalPodAutoscaler
metadata:
name: {{ template "common.names.fullname" . }}
namespace: {{ include "common.names.namespace" . | quote }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
app.kubernetes.io/component: keycloak
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
scaleTargetRef:
apiVersion: {{ include "common.capabilities.statefulset.apiVersion" . }}
kind: StatefulSet
name: {{ template "common.names.fullname" . }}
minReplicas: {{ .Values.autoscaling.minReplicas }}
maxReplicas: {{ .Values.autoscaling.maxReplicas }}
metrics:
{{- if .Values.autoscaling.targetCPU }}
- type: Resource
resource:
name: cpu
target:
type: Utilization
averageUtilization: {{ .Values.autoscaling.targetCPU }}
{{- end }}
{{- if .Values.autoscaling.targetMemory }}
- type: Resource
resource:
name: memory
target:
type: Utilization
averageUtilization: {{ .Values.autoscaling.targetMemory }}
{{- end }}
{{- if or .Values.autoscaling.behavior.scaleDown.policies .Values.autoscaling.behavior.scaleUp.policies }}
behavior:
{{- if .Values.autoscaling.behavior.scaleDown.policies }}
scaleDown:
stabilizationWindowSeconds: {{ .Values.autoscaling.behavior.scaleDown.stabilizationWindowSeconds }}
selectPolicy: {{ .Values.autoscaling.behavior.scaleDown.selectPolicy }}
policies:
{{- toYaml .Values.autoscaling.behavior.scaleDown.policies | nindent 8 }}
{{- end }}
{{- if .Values.autoscaling.behavior.scaleUp.policies }}
scaleUp:
stabilizationWindowSeconds: {{ .Values.autoscaling.behavior.scaleUp.stabilizationWindowSeconds }}
selectPolicy: {{ .Values.autoscaling.behavior.scaleUp.selectPolicy }}
policies:
{{- toYaml .Values.autoscaling.behavior.scaleUp.policies | nindent 8 }}
{{- end }}
{{- end }}
{{- end }}

57
charts/keycloak/templates/ingress.yaml Normal file
View File

@@ -0,0 +1,57 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- if .Values.ingress.enabled }}
apiVersion: {{ include "common.capabilities.ingress.apiVersion" . }}
kind: Ingress
metadata:
name: {{ include "common.names.fullname" . }}
namespace: {{ include "common.names.namespace" . | quote }}
{{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.ingress.labels .Values.commonLabels ) "context" . ) }}
labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }}
app.kubernetes.io/component: keycloak
{{- if or .Values.ingress.annotations .Values.commonAnnotations }}
{{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.ingress.annotations .Values.commonAnnotations ) "context" . ) }}
annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }}
{{- end }}
spec:
{{- if .Values.ingress.ingressClassName }}
ingressClassName: {{ include "common.tplvalues.render" ( dict "value" .Values.ingress.ingressClassName "context" $ ) | quote }}
{{- end }}
rules:
{{- if .Values.ingress.hostname }}
- host: {{ (tpl .Values.ingress.hostname .) | quote }}
http:
paths:
{{- if .Values.ingress.extraPaths }}
{{- toYaml .Values.ingress.extraPaths | nindent 10 }}
{{- end }}
- path: {{ include "common.tplvalues.render" ( dict "value" .Values.ingress.path "context" $) }}
pathType: {{ .Values.ingress.pathType }}
backend: {{- include "common.ingress.backend" (dict "serviceName" (include "common.names.fullname" .) "servicePort" .Values.ingress.servicePort "context" $) | nindent 14 }}
{{- end }}
{{- range .Values.ingress.extraHosts }}
- host: {{ (tpl .name $) }}
http:
paths:
- path: {{ default "/" .path }}
pathType: {{ default "ImplementationSpecific" .pathType }}
backend: {{- include "common.ingress.backend" (dict "serviceName" (include "common.names.fullname" $) "servicePort" $.Values.ingress.servicePort "context" $) | nindent 14 }}
{{- end }}
{{- if .Values.ingress.extraRules }}
{{- include "common.tplvalues.render" (dict "value" .Values.ingress.extraRules "context" $) | nindent 4 }}
{{- end }}
{{- if or (and .Values.ingress.tls (or (include "common.ingress.certManagerRequest" ( dict "annotations" .Values.ingress.annotations )) .Values.ingress.selfSigned .Values.ingress.secrets )) .Values.ingress.extraTls }}
tls:
{{- if and .Values.ingress.tls (or (include "common.ingress.certManagerRequest" ( dict "annotations" .Values.ingress.annotations )) .Values.ingress.secrets .Values.ingress.selfSigned) }}
- hosts:
- {{ (tpl .Values.ingress.hostname .) | quote }}
secretName: {{ printf "%s-tls" (tpl .Values.ingress.hostname .) }}
{{- end }}
{{- if .Values.ingress.extraTls }}
{{- include "common.tplvalues.render" (dict "value" .Values.ingress.extraTls "context" $) | nindent 4 }}
{{- end }}
{{- end }}
{{- end }}

19
charts/keycloak/templates/init-scripts-configmap.yaml Normal file
View File

@@ -0,0 +1,19 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- if and .Values.initdbScripts (not .Values.initdbScriptsConfigMap) }}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ printf "%s-init-scripts" (include "common.names.fullname" .) }}
namespace: {{ include "common.names.namespace" . | quote }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
app.kubernetes.io/component: keycloak
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
data:
{{- include "common.tplvalues.render" (dict "value" .Values.initdbScripts "context" .) | nindent 2 }}
{{ end }}

23
charts/keycloak/templates/keycloak-config-cli-configmap.yaml Normal file
View File

@@ -0,0 +1,23 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- if (include "keycloak.keycloakConfigCli.createConfigmap" .) }}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "keycloak.keycloakConfigCli.configmapName" . }}
namespace: {{ include "common.names.namespace" . | quote }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
app.kubernetes.io/component: keycloak-config-cli
data:
{{- range $fileName, $fileContent := .Values.keycloakConfigCli.configuration }}
{{- if $fileContent }}
{{ $fileName }}: |
{{- include "common.tplvalues.render" (dict "value" $fileContent "context" $) | nindent 4 }}
{{- else }}
{{- ($.Files.Glob $fileName).AsConfig | nindent 2 }}
{{- end }}
{{- end }}
{{- end }}

142
charts/keycloak/templates/keycloak-config-cli-job.yaml Normal file
View File

@@ -0,0 +1,142 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- if .Values.keycloakConfigCli.enabled }}
apiVersion: batch/v1
kind: Job
metadata:
name: {{ printf "%s-keycloak-config-cli" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" }}
namespace: {{ include "common.names.namespace" . | quote }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
app.kubernetes.io/component: keycloak-config-cli
{{- if or .Values.keycloakConfigCli.annotations .Values.commonAnnotations }}
{{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.keycloakConfigCli.annotations .Values.commonAnnotations ) "context" . ) }}
annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }}
{{- end }}
spec:
backoffLimit: {{ .Values.keycloakConfigCli.backoffLimit }}
{{- if .Values.keycloakConfigCli.cleanupAfterFinished.enabled }}
ttlSecondsAfterFinished: {{ .Values.keycloakConfigCli.cleanupAfterFinished.seconds }}
{{- end }}
template:
metadata:
{{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.keycloakConfigCli.podLabels .Values.commonLabels ) "context" . ) }}
labels: {{- include "common.labels.standard" ( dict "customLabels" $podLabels "context" $ ) | nindent 8 }}
app.kubernetes.io/component: keycloak-config-cli
annotations:
{{- if (include "keycloak.keycloakConfigCli.createConfigmap" .) }}
checksum/configuration: {{ include (print $.Template.BasePath "/keycloak-config-cli-configmap.yaml") . | sha256sum }}
{{- end }}
{{- if .Values.keycloakConfigCli.podAnnotations }}
{{- include "common.tplvalues.render" (dict "value" .Values.keycloakConfigCli.podAnnotations "context" $) | nindent 8 }}
{{- end }}
spec:
serviceAccountName: {{ template "keycloak.serviceAccountName" . }}
{{- include "keycloak.imagePullSecrets" . | nindent 6 }}
restartPolicy: Never
{{- if .Values.keycloakConfigCli.podSecurityContext.enabled }}
securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.keycloakConfigCli.podSecurityContext "context" $) | nindent 8 }}
{{- end }}
automountServiceAccountToken: {{ .Values.keycloakConfigCli.automountServiceAccountToken }}
{{- if .Values.keycloakConfigCli.hostAliases }}
hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.keycloakConfigCli.hostAliases "context" $) | nindent 8 }}
{{- end }}
{{- if .Values.keycloakConfigCli.nodeSelector }}
nodeSelector: {{- include "common.tplvalues.render" (dict "value" .Values.keycloakConfigCli.nodeSelector "context" $) | nindent 8 }}
{{- end }}
{{- if .Values.keycloakConfigCli.podTolerations }}
tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.keycloakConfigCli.podTolerations "context" .) | nindent 8 }}
{{- end }}
{{- if .Values.keycloakConfigCli.initContainers }}
initContainers:
{{- include "common.tplvalues.render" (dict "value" .Values.keycloakConfigCli.initContainers "context" $) | nindent 8 }}
{{- end }}
containers:
- name: keycloak-config-cli
image: {{ template "keycloak.keycloakConfigCli.image" . }}
imagePullPolicy: {{ .Values.keycloakConfigCli.image.pullPolicy }}
{{- if .Values.keycloakConfigCli.command }}
command: {{- include "common.tplvalues.render" (dict "value" .Values.keycloakConfigCli.command "context" $) | nindent 12 }}
{{- else }}
command:
- java
- -jar
- /opt/bitnami/keycloak-config-cli/keycloak-config-cli.jar
{{- end }}
{{- if .Values.keycloakConfigCli.args }}
args: {{- include "common.tplvalues.render" (dict "value" .Values.keycloakConfigCli.args "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.keycloakConfigCli.containerSecurityContext.enabled }}
securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.keycloakConfigCli.containerSecurityContext "context" $) | nindent 12 }}
{{- end }}
env:
- name: KEYCLOAK_URL
value: {{ printf "http://%s-headless:%d%s" (include "common.names.fullname" .) (.Values.containerPorts.http | int) (.Values.httpRelativePath) }}
- name: KEYCLOAK_USER
value: {{ .Values.auth.adminUser | quote }}
- name: KEYCLOAK_PASSWORD
valueFrom:
secretKeyRef:
name: {{ include "keycloak.secretName" . }}
key: {{ include "keycloak.secretKey" . }}
{{- if or .Values.keycloakConfigCli.configuration .Values.keycloakConfigCli.existingConfigmap }}
- name: IMPORT_FILES_LOCATIONS
value: /config/*
{{- end }}
- name: KEYCLOAK_AVAILABILITYCHECK_ENABLED
value: {{ .Values.keycloakConfigCli.availabilityCheck.enabled | quote }}
{{- if and .Values.keycloakConfigCli.availabilityCheck.enabled .Values.keycloakConfigCli.availabilityCheck.timeout }}
- name: KEYCLOAK_AVAILABILITYCHECK_TIMEOUT
value: {{ .Values.keycloakConfigCli.availabilityCheck.timeout }}
{{- end }}
{{- if .Values.keycloakConfigCli.extraEnvVars }}
{{- include "common.tplvalues.render" (dict "value" .Values.keycloakConfigCli.extraEnvVars "context" $) | nindent 12 }}
{{- end }}
{{- if or .Values.keycloakConfigCli.extraEnvVarsCM .Values.keycloakConfigCli.extraEnvVarsSecret }}
envFrom:
{{- if .Values.keycloakConfigCli.extraEnvVarsCM }}
- configMapRef:
name: {{ include "common.tplvalues.render" (dict "value" .Values.keycloakConfigCli.extraEnvVarsCM "context" $) }}
{{- end }}
{{- if .Values.keycloakConfigCli.extraEnvVarsSecret }}
- secretRef:
name: {{ include "common.tplvalues.render" (dict "value" .Values.keycloakConfigCli.extraEnvVarsSecret "context" $) }}
{{- end }}
{{- end }}
{{- if or .Values.keycloakConfigCli.configuration .Values.keycloakConfigCli.existingConfigmap .Values.keycloakConfigCli.extraVolumeMounts }}
volumeMounts:
- name: empty-dir
mountPath: /tmp
subPath: tmp-dir
{{- if or .Values.keycloakConfigCli.configuration .Values.keycloakConfigCli.existingConfigmap }}
- name: config-volume
mountPath: /config
{{- end }}
{{- if .Values.keycloakConfigCli.extraVolumeMounts }}
{{- include "common.tplvalues.render" (dict "value" .Values.keycloakConfigCli.extraVolumeMounts "context" $) | nindent 12 }}
{{- end }}
{{- end }}
{{- if .Values.keycloakConfigCli.resources }}
resources: {{- toYaml .Values.keycloakConfigCli.resources | nindent 12 }}
{{- else if ne .Values.keycloakConfigCli.resourcesPreset "none" }}
resources: {{- include "common.resources.preset" (dict "type" .Values.keycloakConfigCli.resourcesPreset) | nindent 12 }}
{{- end }}
{{- if .Values.keycloakConfigCli.sidecars }}
{{- include "common.tplvalues.render" ( dict "value" .Values.keycloakConfigCli.sidecars "context" $) | nindent 8 }}
{{- end }}
{{- if or .Values.keycloakConfigCli.configuration .Values.keycloakConfigCli.existingConfigmap .Values.keycloakConfigCli.extraVolumes }}
volumes:
- name: empty-dir
emptyDir: {}
{{- if or .Values.keycloakConfigCli.configuration .Values.keycloakConfigCli.existingConfigmap }}
- name: config-volume
configMap:
name: {{ include "keycloak.keycloakConfigCli.configmapName" . }}
{{- end }}
{{- if .Values.keycloakConfigCli.extraVolumes }}
{{- include "common.tplvalues.render" (dict "value" .Values.keycloakConfigCli.extraVolumes "context" $) | nindent 8 }}
{{- end }}
{{- end }}
{{- end }}

41
charts/keycloak/templates/metrics-service.yaml Normal file
View File

@@ -0,0 +1,41 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- if .Values.metrics.enabled }}
apiVersion: v1
kind: Service
metadata:
name: {{ printf "%s-metrics" (include "common.names.fullname" .) }}
namespace: {{ include "common.names.namespace" . | quote }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
app.kubernetes.io/component: metrics
{{- if or .Values.metrics.service.annotations .Values.commonAnnotations }}
{{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.metrics.service.annotations .Values.commonAnnotations ) "context" . ) }}
annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }}
{{- end }}
spec:
type: ClusterIP
ports:
- name: metrics
port: {{ .Values.metrics.service.ports.metrics }}
protocol: TCP
targetPort: {{ .Values.containerPorts.metrics }}
- name: http
port: {{ .Values.metrics.service.ports.http }}
protocol: TCP
targetPort: {{ .Values.containerPorts.http }}
{{- if .Values.tls.enabled }}
- name: https
port: {{ .Values.metrics.service.ports.https }}
protocol: TCP
targetPort: {{ .Values.containerPorts.https }}
{{- end }}
{{- if .Values.metrics.service.extraPorts }}
{{- include "common.tplvalues.render" (dict "value" .Values.metrics.service.extraPorts "context" $) | nindent 4 }}
{{- end }}
{{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . ) }}
selector: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 4 }}
app.kubernetes.io/component: keycloak
{{- end }}

102
charts/keycloak/templates/networkpolicy.yaml Normal file
View File

@@ -0,0 +1,102 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- if .Values.networkPolicy.enabled }}
kind: NetworkPolicy
apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }}
metadata:
name: {{ template "common.names.fullname" . }}
namespace: {{ include "common.names.namespace" . | quote }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
app.kubernetes.io/component: keycloak
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
{{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . ) }}
podSelector:
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }}
app.kubernetes.io/component: keycloak
policyTypes:
- Ingress
- Egress
{{- if .Values.networkPolicy.allowExternalEgress }}
egress:
- {}
{{- else }}
egress:
- ports:
# Allow dns resolution
- port: 53
protocol: UDP
- port: 53
protocol: TCP
{{- range $port := .Values.networkPolicy.kubeAPIServerPorts }}
- port: {{ $port }}
{{- end }}
# Allow connection to PostgreSQL
- ports:
- port: {{ include "keycloak.databasePort" . | trimAll "\"" | int }}
{{- if .Values.postgresql.enabled }}
to:
- podSelector:
matchLabels:
app.kubernetes.io/name: postgresql
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
# Allow connection to other keycloak nodes
- ports:
{{- /* Constant in code: https://github.com/keycloak/keycloak/blob/ce8e925c1ad9bf7a3180d1496e181aeea0ab5f8a/operator/src/main/java/org/keycloak/operator/Constants.java#L60 */}}
- port: 7800
- port: {{ .Values.containerPorts.http }}
{{- if .Values.tls.enabled }}
- port: {{ .Values.containerPorts.https }}
{{- end }}
to:
- podSelector:
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }}
app.kubernetes.io/component: keycloak
{{- if .Values.networkPolicy.extraEgress }}
{{- include "common.tplvalues.render" ( dict "value" .Values.networkPolicy.extraEgress "context" $ ) | nindent 4 }}
{{- end }}
{{- end }}
ingress:
- ports:
{{- /* Constant in code: https://github.com/keycloak/keycloak/blob/ce8e925c1ad9bf7a3180d1496e181aeea0ab5f8a/operator/src/main/java/org/keycloak/operator/Constants.java#L60 */}}
- port: 7800
{{- if and (.Values.metrics.enabled) (not (eq (.Values.containerPorts.http | int) (.Values.containerPorts.metrics | int) )) }}
- port: {{ .Values.containerPorts.metrics }} # metrics and health
{{- end }}
- port: {{ .Values.containerPorts.http }}
{{- if .Values.tls.enabled }}
- port: {{ .Values.containerPorts.https }}
{{- end }}
{{- if not .Values.networkPolicy.allowExternal }}
from:
- podSelector:
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }}
- podSelector:
matchLabels:
{{ template "common.names.fullname" . }}-client: "true"
{{- if .Values.networkPolicy.ingressNSMatchLabels }}
- namespaceSelector:
matchLabels:
{{- range $key, $value := .Values.networkPolicy.ingressNSMatchLabels }}
{{ $key | quote }}: {{ $value | quote }}
{{- end }}
{{- if .Values.networkPolicy.ingressNSPodMatchLabels }}
podSelector:
matchLabels:
{{- range $key, $value := .Values.networkPolicy.ingressNSPodMatchLabels }}
{{ $key | quote }}: {{ $value | quote }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- $extraIngress := coalesce .Values.networkPolicy.additionalRules .Values.networkPolicy.extraIngress }}
{{- if $extraIngress }}
{{- include "common.tplvalues.render" ( dict "value" $extraIngress "context" $ ) | nindent 4 }}
{{- end }}
{{- end }}

28
charts/keycloak/templates/pdb.yaml Normal file
View File

@@ -0,0 +1,28 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- if .Values.pdb.create }}
apiVersion: {{ include "common.capabilities.policy.apiVersion" . }}
kind: PodDisruptionBudget
metadata:
name: {{ template "common.names.fullname" . }}
namespace: {{ include "common.names.namespace" . | quote }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
app.kubernetes.io/component: keycloak
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
{{- if .Values.pdb.minAvailable }}
minAvailable: {{ .Values.pdb.minAvailable }}
{{- end }}
{{- if or .Values.pdb.maxUnavailable ( not .Values.pdb.minAvailable ) }}
maxUnavailable: {{ .Values.pdb.maxUnavailable | default 1 }}
{{- end }}
{{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . ) }}
selector:
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }}
app.kubernetes.io/component: keycloak
{{- end }}

20
charts/keycloak/templates/prometheusrule.yaml Normal file
View File

@@ -0,0 +1,20 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- if and .Values.metrics.enabled .Values.metrics.prometheusRule.enabled .Values.metrics.prometheusRule.groups}}
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
name: {{ template "common.names.fullname" . }}
namespace: {{ default (include "common.names.namespace" .) .Values.metrics.prometheusRule.namespace }}
{{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.metrics.prometheusRule.labels .Values.commonLabels ) "context" . ) }}
labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }}
app.kubernetes.io/component: keycloak
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
groups: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.prometheusRule.groups "context" .) | nindent 4 }}
{{- end }}

28
charts/keycloak/templates/role.yaml Normal file
View File

@@ -0,0 +1,28 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- if and .Values.serviceAccount.create .Values.rbac.create }}
kind: Role
apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }}
metadata:
name: {{ template "common.names.fullname" . }}
namespace: {{ include "common.names.namespace" . | quote }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
app.kubernetes.io/component: keycloak
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
rules:
{{- if .Values.rbac.rules }}
{{- include "common.tplvalues.render" ( dict "value" .Values.rbac.rules "context" $ ) | nindent 2 }}
{{- end }}
- apiGroups:
- ""
resources:
- pods
verbs:
- get
- list
{{- end }}

25
charts/keycloak/templates/rolebinding.yaml Normal file
View File

@@ -0,0 +1,25 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- if and .Values.serviceAccount.create .Values.rbac.create }}
kind: RoleBinding
apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }}
metadata:
name: {{ template "common.names.fullname" . }}
namespace: {{ include "common.names.namespace" . | quote }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
app.kubernetes.io/component: keycloak
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ template "common.names.fullname" . }}
subjects:
- kind: ServiceAccount
name: {{ template "keycloak.serviceAccountName" . }}
namespace: {{ include "common.names.namespace" . | quote }}
{{- end }}

19
charts/keycloak/templates/secret-external-db.yaml Normal file
View File

@@ -0,0 +1,19 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- if and (not .Values.postgresql.enabled) (not .Values.externalDatabase.existingSecret) (not .Values.postgresql.existingSecret) }}
apiVersion: v1
kind: Secret
metadata:
name: {{ printf "%s-externaldb" (include "common.names.fullname" .) }}
namespace: {{ include "common.names.namespace" . | quote }}
labels: {{- include "common.labels.standard" (dict "customLabels" .Values.commonLabels "context" $) | nindent 4 }}
{{- if or .Values.externalDatabase.annotations .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.merge" (dict "values" (list .Values.externalDatabase.annotations .Values.commonAnnotations) "context" $) | nindent 4 }}
{{- end }}
type: Opaque
data:
db-password: {{ include "common.secrets.passwords.manage" (dict "secret" (printf "%s-externaldb" (include "common.names.fullname" .)) "key" "db-password" "length" 10 "providedValues" (list "externalDatabase.password") "context" $) }}
{{- end }}

20
charts/keycloak/templates/secrets.yaml Normal file
View File

@@ -0,0 +1,20 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- if not .Values.auth.existingSecret }}
apiVersion: v1
kind: Secret
metadata:
name: {{ printf "%s" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" }}
namespace: {{ include "common.names.namespace" . | quote }}
labels: {{- include "common.labels.standard" (dict "customLabels" .Values.commonLabels "context" $) | nindent 4 }}
app.kubernetes.io/component: keycloak
{{- if or .Values.auth.annotations .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.merge" (dict "values" (list .Values.auth.annotations .Values.commonAnnotations) "context" $) | nindent 4 }}
{{- end }}
type: Opaque
data:
admin-password: {{ include "common.secrets.passwords.manage" (dict "secret" (printf "%s" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-") "key" "admin-password" "length" 10 "providedValues" (list "auth.adminPassword") "context" $) }}
{{- end }}

65
charts/keycloak/templates/service.yaml Normal file
View File

@@ -0,0 +1,65 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
apiVersion: v1
kind: Service
metadata:
name: {{ template "common.names.fullname" . }}
namespace: {{ include "common.names.namespace" . | quote }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
app.kubernetes.io/component: keycloak
{{- if or .Values.service.annotations .Values.commonAnnotations }}
{{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.service.annotations .Values.commonAnnotations ) "context" . ) }}
annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }}
{{- end }}
spec:
type: {{ .Values.service.type }}
{{- if and .Values.service.clusterIP (eq .Values.service.type "ClusterIP") }}
clusterIP: {{ .Values.service.clusterIP }}
{{- end }}
{{- if or (eq .Values.service.type "LoadBalancer") (eq .Values.service.type "NodePort") }}
externalTrafficPolicy: {{ .Values.service.externalTrafficPolicy | quote }}
{{- end }}
{{- if and (eq .Values.service.type "LoadBalancer") (not (empty .Values.service.loadBalancerSourceRanges)) }}
loadBalancerSourceRanges: {{ .Values.service.loadBalancerSourceRanges }}
{{- end }}
{{- if and (eq .Values.service.type "LoadBalancer") (not (empty .Values.service.loadBalancerIP)) }}
loadBalancerIP: {{ .Values.service.loadBalancerIP }}
{{- end }}
{{- if .Values.service.sessionAffinity }}
sessionAffinity: {{ .Values.service.sessionAffinity }}
{{- end }}
{{- if .Values.service.sessionAffinityConfig }}
sessionAffinityConfig: {{- include "common.tplvalues.render" (dict "value" .Values.service.sessionAffinityConfig "context" $) | nindent 4 }}
{{- end }}
ports:
{{- if .Values.service.http.enabled }}
- name: http
port: {{ coalesce .Values.service.ports.http .Values.service.port }}
protocol: TCP
targetPort: http
{{- if (and (or (eq .Values.service.type "NodePort") (eq .Values.service.type "LoadBalancer")) (not (empty .Values.service.nodePorts.http))) }}
nodePort: {{ .Values.service.nodePorts.http }}
{{- else if eq .Values.service.type "ClusterIP" }}
nodePort: null
{{- end }}
{{- end }}
{{- if .Values.tls.enabled }}
- name: https
port: {{ coalesce .Values.service.ports.https .Values.service.httpsPort }}
protocol: TCP
targetPort: https
{{- if (and (or (eq .Values.service.type "NodePort") (eq .Values.service.type "LoadBalancer")) (not (empty .Values.service.nodePorts.https))) }}
nodePort: {{ .Values.service.nodePorts.https }}
{{- else if eq .Values.service.type "ClusterIP" }}
nodePort: null
{{- end }}
{{- end }}
{{- if .Values.service.extraPorts }}
{{- include "common.tplvalues.render" (dict "value" .Values.service.extraPorts "context" $) | nindent 4 }}
{{- end }}
{{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . ) }}
selector: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 4 }}
app.kubernetes.io/component: keycloak

22
charts/keycloak/templates/serviceaccount.yaml Normal file
View File

@@ -0,0 +1,22 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- if .Values.serviceAccount.create }}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ template "keycloak.serviceAccountName" . }}
namespace: {{ include "common.names.namespace" . | quote }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
app.kubernetes.io/component: keycloak
{{- if .Values.serviceAccount.extraLabels }}
{{- include "common.tplvalues.render" (dict "value" .Values.serviceAccount.extraLabels "context" $) | nindent 4 }}
{{- end }}
{{- if or .Values.serviceAccount.annotations .Values.commonAnnotations }}
{{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.serviceAccount.annotations .Values.commonAnnotations ) "context" . ) }}
annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }}
{{- end }}
automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}
{{- end }}

58
charts/keycloak/templates/servicemonitor.yaml Normal file
View File

@@ -0,0 +1,58 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- if and .Values.metrics.enabled .Values.metrics.serviceMonitor.enabled }}
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: {{ template "common.names.fullname" . }}
namespace: {{ default (include "common.names.namespace" .) .Values.metrics.serviceMonitor.namespace }}
{{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.metrics.serviceMonitor.labels .Values.commonLabels ) "context" . ) }}
labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }}
app.kubernetes.io/component: keycloak
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
{{- if .Values.metrics.serviceMonitor.jobLabel }}
jobLabel: {{ .Values.metrics.serviceMonitor.jobLabel }}
{{- end }}
endpoints:
{{- $defaultEndpoint := pick .Values.metrics.serviceMonitor "port" "scheme" "tlsConfig" "interval" "scrapeTimeout" "relabelings" "metricRelabelings" "honorLabels" }}
{{- $endpoints := ternary (.Values.metrics.serviceMonitor.endpoints) (list (dict "path" .Values.metrics.serviceMonitor.path)) (empty .Values.metrics.serviceMonitor.path) }}
{{- range $endpoints }}
{{- $endpoint := merge . $defaultEndpoint }}
- port: {{ $endpoint.port | quote }}
scheme: {{ $endpoint.scheme | quote }}
{{- if $endpoint.tlsConfig }}
tlsConfig: {{- include "common.tplvalues.render" ( dict "value" $endpoint.tlsConfig "context" $) | nindent 8 }}
{{- end }}
path: {{ include "common.tplvalues.render" ( dict "value" $endpoint.path "context" $) }}
{{- if $endpoint.interval }}
interval: {{ $endpoint.interval }}
{{- end }}
{{- if $endpoint.scrapeTimeout }}
scrapeTimeout: {{ $endpoint.scrapeTimeout }}
{{- end }}
{{- if $endpoint.relabelings }}
relabelings: {{- include "common.tplvalues.render" ( dict "value" $endpoint.relabelings "context" $) | nindent 6 }}
{{- end }}
{{- if $endpoint.metricRelabelings }}
metricRelabelings: {{- include "common.tplvalues.render" ( dict "value" $endpoint.metricRelabelings "context" $) | nindent 6 }}
{{- end }}
{{- if $endpoint.honorLabels }}
honorLabels: {{ $endpoint.honorLabels }}
{{- end }}
{{- end }}
namespaceSelector:
matchNames:
- {{ include "common.names.namespace" . | quote }}
selector:
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 6 }}
{{- if .Values.metrics.serviceMonitor.selector }}
{{- include "common.tplvalues.render" (dict "value" .Values.metrics.serviceMonitor.selector "context" $) | nindent 6 }}
{{- end }}
app.kubernetes.io/component: metrics
{{- end }}

449
charts/keycloak/templates/statefulset.yaml Normal file
View File

@@ -0,0 +1,449 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
apiVersion: {{ include "common.capabilities.statefulset.apiVersion" . }}
kind: StatefulSet
metadata:
name: {{ template "common.names.fullname" . }}
namespace: {{ include "common.names.namespace" . | quote }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
app.kubernetes.io/component: keycloak
{{- if or .Values.statefulsetAnnotations .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.merge" ( dict "values" ( list .Values.statefulsetAnnotations .Values.commonAnnotations ) "context" $ ) | nindent 4 }}
{{- end }}
spec:
{{- if not .Values.autoscaling.enabled }}
replicas: {{ .Values.replicaCount }}
{{- end }}
revisionHistoryLimit: {{ .Values.revisionHistoryLimitCount }}
podManagementPolicy: {{ .Values.podManagementPolicy }}
serviceName: {{ printf "%s-headless" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" }}
updateStrategy:
{{- include "common.tplvalues.render" (dict "value" .Values.updateStrategy "context" $ ) | nindent 4 }}
{{- if .Values.minReadySeconds }}
minReadySeconds: {{ .Values.minReadySeconds }}
{{- end }}
{{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . ) }}
selector:
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }}
app.kubernetes.io/component: keycloak
template:
metadata:
annotations:
checksum/configmap-env-vars: {{ include (print $.Template.BasePath "/configmap-env-vars.yaml") . | sha256sum }}
{{- if not .Values.auth.existingSecret }}
checksum/secrets: {{ include (print $.Template.BasePath "/secrets.yaml") . | sha256sum }}
{{- end }}
{{- if (include "keycloak.createConfigmap" .) }}
checksum/configuration: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
{{- end }}
{{- if .Values.podAnnotations }}
{{- include "common.tplvalues.render" (dict "value" .Values.podAnnotations "context" $) | nindent 8 }}
{{- end }}
labels: {{- include "common.labels.standard" ( dict "customLabels" $podLabels "context" $ ) | nindent 8 }}
app.kubernetes.io/component: keycloak
app.kubernetes.io/app-version: {{ .Chart.AppVersion }}
spec:
serviceAccountName: {{ template "keycloak.serviceAccountName" . }}
{{- include "keycloak.imagePullSecrets" . | nindent 6 }}
automountServiceAccountToken: {{ .Values.automountServiceAccountToken }}
{{- if .Values.hostAliases }}
hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.hostAliases "context" $) | nindent 8 }}
{{- end }}
{{- if .Values.affinity }}
affinity: {{- include "common.tplvalues.render" ( dict "value" .Values.affinity "context" $) | nindent 8 }}
{{- else }}
affinity:
podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.podAffinityPreset "customLabels" $podLabels "context" $) | nindent 10 }}
podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.podAntiAffinityPreset "customLabels" $podLabels "context" $) | nindent 10 }}
nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.nodeAffinityPreset.type "key" .Values.nodeAffinityPreset.key "values" .Values.nodeAffinityPreset.values) | nindent 10 }}
{{- end }}
{{- if .Values.nodeSelector }}
nodeSelector: {{- include "common.tplvalues.render" ( dict "value" .Values.nodeSelector "context" $) | nindent 8 }}
{{- end }}
{{- if .Values.tolerations }}
tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.tolerations "context" .) | nindent 8 }}
{{- end }}
{{- if .Values.topologySpreadConstraints }}
topologySpreadConstraints: {{- include "common.tplvalues.render" (dict "value" .Values.topologySpreadConstraints "context" .) | nindent 8 }}
{{- end }}
{{- if .Values.priorityClassName }}
priorityClassName: {{ .Values.priorityClassName | quote }}
{{- end }}
{{- if .Values.schedulerName }}
schedulerName: {{ .Values.schedulerName }}
{{- end }}
{{- if .Values.podSecurityContext.enabled }}
securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.podSecurityContext "context" $) | nindent 8 }}
{{- end }}
{{- if .Values.dnsPolicy }}
dnsPolicy: {{ .Values.dnsPolicy }}
{{- end }}
{{- if .Values.dnsConfig }}
dnsConfig: {{- include "common.tplvalues.render" (dict "value" .Values.dnsConfig "context" .) | nindent 8 }}
{{- end }}
enableServiceLinks: {{ .Values.enableServiceLinks }}
{{- if .Values.terminationGracePeriodSeconds }}
terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }}
{{- end }}
{{- if or .Values.enableDefaultInitContainers .Values.initContainers }}
initContainers:
{{- if .Values.enableDefaultInitContainers }}
- name: prepare-write-dirs
image: {{ template "keycloak.image" . }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
command:
- /bin/bash
args:
- -ec
- |
. /opt/bitnami/scripts/liblog.sh
info "Copying writable dirs to empty dir"
# In order to not break the application functionality we need to make some
# directories writable, so we need to copy it to an empty dir volume
cp -r --preserve=mode,timestamps /opt/bitnami/keycloak/lib/quarkus /emptydir/app-quarkus-dir
cp -r --preserve=mode,timestamps /opt/bitnami/keycloak/data /emptydir/app-data-dir
cp -r --preserve=mode,timestamps /opt/bitnami/keycloak/providers /emptydir/app-providers-dir
cp -r --preserve=mode,timestamps /opt/bitnami/keycloak/themes /emptydir/app-themes-dir
info "Copy operation completed"
{{- if .Values.containerSecurityContext.enabled }}
securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.resources }}
resources: {{- toYaml .Values.resources | nindent 12 }}
{{- else if ne .Values.resourcesPreset "none" }}
resources: {{- include "common.resources.preset" (dict "type" .Values.resourcesPreset) | nindent 12 }}
{{- end }}
volumeMounts:
- name: empty-dir
mountPath: /emptydir
{{- end }}
{{- if .Values.initContainers }}
{{- include "common.tplvalues.render" (dict "value" .Values.initContainers "context" $) | nindent 8 }}
{{- end }}
{{- end }}
containers:
- name: keycloak
image: {{ template "keycloak.image" . }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
{{- if .Values.lifecycleHooks }}
lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.lifecycleHooks "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.containerSecurityContext.enabled }}
securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.diagnosticMode.enabled }}
command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }}
{{- else if .Values.command }}
command: {{- include "common.tplvalues.render" (dict "value" .Values.command "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.diagnosticMode.enabled }}
args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }}
{{- else if .Values.args }}
args: {{- include "common.tplvalues.render" (dict "value" .Values.args "context" $) | nindent 12 }}
{{- end }}
env:
- name: KUBERNETES_NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
- name: BITNAMI_DEBUG
value: {{ ternary "true" "false" .Values.image.debug | quote }}
{{- if .Values.usePasswordFiles }}
- name: KC_BOOTSTRAP_ADMIN_PASSWORD_FILE
value: {{ printf "/opt/bitnami/keycloak/secrets/%s" (include "keycloak.secretKey" .) }}
- name: KEYCLOAK_DATABASE_PASSWORD_FILE
value: {{ printf "/opt/bitnami/keycloak/secrets/db-%s" (include "keycloak.databaseSecretPasswordKey" .) }}
{{- if .Values.externalDatabase.existingSecretHostKey }}
- name: KEYCLOAK_DATABASE_HOST_FILE
value: {{ printf "/opt/bitnami/keycloak/secrets/db-%s" (include "keycloak.databaseSecretHostKey" .) }}
{{- end }}
{{- if .Values.externalDatabase.existingSecretPortKey }}
- name: KEYCLOAK_DATABASE_PORT_FILE
value: {{ printf "/opt/bitnami/keycloak/secrets/db-%s" (include "keycloak.databaseSecretPortKey" .) }}
{{- end }}
{{- if .Values.externalDatabase.existingSecretUserKey }}
- name: KEYCLOAK_DATABASE_USER_FILE
value: {{ printf "/opt/bitnami/keycloak/secrets/db-%s" (include "keycloak.databaseSecretUserKey" .) }}
{{- end }}
{{- if .Values.externalDatabase.existingSecretDatabaseKey }}
- name: KEYCLOAK_DATABASE_NAME_FILE
value: {{ printf "/opt/bitnami/keycloak/secrets/db-%s" (include "keycloak.databaseSecretDatabaseKey" .) }}
{{- end }}
{{- if and .Values.tls.enabled (or .Values.tls.keystorePassword .Values.tls.passwordsSecret) }}
- name: KEYCLOAK_HTTPS_KEY_STORE_PASSWORD_FILE
value: "/opt/bitnami/keycloak/secrets/tls-keystore-password"
{{- end }}
{{- if and .Values.tls.enabled (or .Values.tls.truststorePassword .Values.tls.passwordsSecret) }}
- name: KEYCLOAK_HTTPS_TRUST_STORE_PASSWORD_FILE
value: "/opt/bitnami/keycloak/secrets/tls-truststore-password"
{{- end }}
{{- if and .Values.spi.existingSecret (or .Values.spi.truststorePassword .Values.spi.passwordsSecret) }}
- name: KEYCLOAK_SPI_TRUSTSTORE_PASSWORD_FILE
value: "/opt/bitnami/keycloak/secrets/spi-truststore-password"
{{- end }}
{{- else }}
- name: KC_BOOTSTRAP_ADMIN_PASSWORD
valueFrom:
secretKeyRef:
name: {{ include "keycloak.secretName" . }}
key: {{ include "keycloak.secretKey" . }}
- name: KEYCLOAK_DATABASE_PASSWORD
valueFrom:
secretKeyRef:
name: {{ include "keycloak.databaseSecretName" . }}
key: {{ include "keycloak.databaseSecretPasswordKey" . }}
{{- if .Values.externalDatabase.existingSecretHostKey }}
- name: KEYCLOAK_DATABASE_HOST
valueFrom:
secretKeyRef:
name: {{ include "keycloak.databaseSecretName" . }}
key: {{ include "keycloak.databaseSecretHostKey" . }}
{{- end }}
{{- if .Values.externalDatabase.existingSecretPortKey }}
- name: KEYCLOAK_DATABASE_PORT
valueFrom:
secretKeyRef:
name: {{ include "keycloak.databaseSecretName" . }}
key: {{ include "keycloak.databaseSecretPortKey" . }}
{{- end }}
{{- if .Values.externalDatabase.existingSecretUserKey }}
- name: KEYCLOAK_DATABASE_USER
valueFrom:
secretKeyRef:
name: {{ include "keycloak.databaseSecretName" . }}
key: {{ include "keycloak.databaseSecretUserKey" . }}
{{- end }}
{{- if .Values.externalDatabase.existingSecretDatabaseKey }}
- name: KEYCLOAK_DATABASE_NAME
valueFrom:
secretKeyRef:
name: {{ include "keycloak.databaseSecretName" . }}
key: {{ include "keycloak.databaseSecretDatabaseKey" . }}
{{- end }}
{{- if and .Values.tls.enabled (or .Values.tls.keystorePassword .Values.tls.passwordsSecret) }}
- name: KEYCLOAK_HTTPS_KEY_STORE_PASSWORD
valueFrom:
secretKeyRef:
name: {{ include "keycloak.tlsPasswordsSecretName" . }}
key: "tls-keystore-password"
{{- end }}
{{- if and .Values.tls.enabled (or .Values.tls.truststorePassword .Values.tls.passwordsSecret) }}
- name: KEYCLOAK_HTTPS_TRUST_STORE_PASSWORD
valueFrom:
secretKeyRef:
name: {{ include "keycloak.tlsPasswordsSecretName" . }}
key: "tls-truststore-password"
{{- end }}
{{- if and .Values.spi.existingSecret (or .Values.spi.truststorePassword .Values.spi.passwordsSecret) }}
- name: KEYCLOAK_SPI_TRUSTSTORE_PASSWORD
valueFrom:
secretKeyRef:
name: {{ include "keycloak.spiPasswordsSecretName" . }}
key: "spi-truststore-password"
{{- end }}
{{- end }}
- name: KEYCLOAK_HTTP_RELATIVE_PATH
value: {{ .Values.httpRelativePath | quote }}
{{- if .Values.extraStartupArgs }}
- name: KEYCLOAK_EXTRA_ARGS
value: {{ .Values.extraStartupArgs | quote }}
{{- end }}
{{- if .Values.adminRealm }}
- name: KC_SPI_ADMIN_REALM
value: "{{ .Values.adminRealm }}"
{{- end }}
{{- if .Values.extraEnvVars }}
{{- include "common.tplvalues.render" (dict "value" .Values.extraEnvVars "context" $) | nindent 12 }}
{{- end }}
envFrom:
- configMapRef:
name: {{ printf "%s-env-vars" (include "common.names.fullname" .) }}
{{- if .Values.extraEnvVarsCM }}
- configMapRef:
name: {{ include "common.tplvalues.render" (dict "value" .Values.extraEnvVarsCM "context" $) }}
{{- end }}
{{- if .Values.extraEnvVarsSecret }}
- secretRef:
name: {{ include "common.tplvalues.render" (dict "value" .Values.extraEnvVarsSecret "context" $) }}
{{- end }}
{{- if .Values.resources }}
resources: {{- toYaml .Values.resources | nindent 12 }}
{{- else if ne .Values.resourcesPreset "none" }}
resources: {{- include "common.resources.preset" (dict "type" .Values.resourcesPreset) | nindent 12 }}
{{- end }}
ports:
- name: http
containerPort: {{ .Values.containerPorts.http }}
protocol: TCP
{{- if .Values.tls.enabled }}
- name: https
containerPort: {{ .Values.containerPorts.https }}
protocol: TCP
{{- end }}
{{- if and (.Values.metrics.enabled) (not (eq (.Values.containerPorts.http | int) (.Values.containerPorts.metrics | int) )) }}
- name: metrics
containerPort: {{ .Values.containerPorts.metrics }}
protocol: TCP
{{- end}}
{{- /* Constant in code: https://github.com/keycloak/keycloak/blob/ce8e925c1ad9bf7a3180d1496e181aeea0ab5f8a/operator/src/main/java/org/keycloak/operator/Constants.java#L60 */}}
- name: discovery
containerPort: 7800
{{- if .Values.extraContainerPorts }}
{{- include "common.tplvalues.render" (dict "value" .Values.extraContainerPorts "context" $) | nindent 12 }}
{{- end }}
{{- if not .Values.diagnosticMode.enabled }}
{{- if .Values.customStartupProbe }}
startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customStartupProbe "context" $) | nindent 12 }}
{{- else if .Values.startupProbe.enabled }}
startupProbe: {{- omit .Values.startupProbe "enabled" | toYaml | nindent 12 }}
httpGet:
path: {{ .Values.httpRelativePath }}
port: http
{{- end }}
{{- if .Values.customLivenessProbe }}
livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customLivenessProbe "context" $) | nindent 12 }}
{{- else if .Values.livenessProbe.enabled }}
livenessProbe: {{- omit .Values.livenessProbe "enabled" | toYaml | nindent 12 }}
tcpSocket:
port: http
{{- end }}
{{- if .Values.customReadinessProbe }}
readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customReadinessProbe "context" $) | nindent 12 }}
{{- else if .Values.readinessProbe.enabled }}
readinessProbe: {{- omit .Values.readinessProbe "enabled" | toYaml | nindent 12 }}
httpGet:
path: {{ .Values.httpRelativePath }}realms/{{ .Values.adminRealm | default "master" }}
port: http
{{- end }}
{{- end }}
volumeMounts:
- name: empty-dir
mountPath: /tmp
subPath: tmp-dir
- name: empty-dir
mountPath: /bitnami/keycloak
subPath: app-volume-dir
- name: empty-dir
mountPath: /opt/bitnami/keycloak/conf
subPath: app-conf-dir
- name: empty-dir
mountPath: /opt/bitnami/keycloak/lib/quarkus
subPath: app-quarkus-dir
- name: empty-dir
mountPath: /opt/bitnami/keycloak/data
subPath: app-data-dir
- name: empty-dir
mountPath: /opt/bitnami/keycloak/providers
subPath: app-providers-dir
- name: empty-dir
mountPath: /opt/bitnami/keycloak/themes
subPath: app-themes-dir
{{- if .Values.usePasswordFiles }}
- name: keycloak-secrets
mountPath: /opt/bitnami/keycloak/secrets
{{- end }}
{{- if or .Values.configuration .Values.existingConfigmap }}
- name: keycloak-config
mountPath: /bitnami/keycloak/conf/keycloak.conf
subPath: keycloak.conf
{{- end }}
{{- if .Values.tls.enabled }}
- name: certificates
mountPath: /opt/bitnami/keycloak/certs
readOnly: true
{{- end }}
{{- if .Values.customCaExistingSecret }}
- name: custom-ca
mountPath: /opt/bitnami/keycloak/custom-ca
readOnly: true
{{- end }}
{{- if .Values.spi.existingSecret }}
- name: spi-certificates
mountPath: /opt/bitnami/keycloak/spi-certs
readOnly: true
{{- end }}
{{- if or .Values.initdbScriptsConfigMap .Values.initdbScripts }}
- name: custom-init-scripts
mountPath: /docker-entrypoint-initdb.d
{{- end }}
{{- if .Values.extraVolumeMounts }}
{{- include "common.tplvalues.render" (dict "value" .Values.extraVolumeMounts "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.sidecars }}
{{- include "common.tplvalues.render" ( dict "value" .Values.sidecars "context" $) | nindent 8 }}
{{- end }}
volumes:
- name: empty-dir
emptyDir: {}
{{- if .Values.usePasswordFiles }}
- name: keycloak-secrets
projected:
sources:
- secret:
name: {{ include "keycloak.secretName" . }}
- secret:
name: {{ include "keycloak.databaseSecretName" . }}
items:
- key: {{ include "keycloak.databaseSecretPasswordKey" . }}
path: {{ printf "db-%s" (include "keycloak.databaseSecretPasswordKey" .) }}
{{- if .Values.externalDatabase.existingSecretHostKey }}
- key: {{ include "keycloak.databaseSecretHostKey" . }}
path: {{ printf "db-%s" (include "keycloak.databaseSecretHostKey" .) }}
{{- end }}
{{- if .Values.externalDatabase.existingSecretPortKey }}
- key: {{ include "keycloak.databaseSecretPortKey" . }}
path: {{ printf "db-%s" (include "keycloak.databaseSecretPortKey" .) }}
{{- end }}
{{- if .Values.externalDatabase.existingSecretUserKey }}
- key: {{ include "keycloak.databaseSecretUserKey" . }}
path: {{ printf "db-%s" (include "keycloak.databaseSecretUserKey" .) }}
{{- end }}
{{- if .Values.externalDatabase.existingSecretDatabaseKey }}
- key: {{ include "keycloak.databaseSecretDatabaseKey" . }}
path: {{ printf "db-%s" (include "keycloak.databaseSecretDatabaseKey" .) }}
{{- end }}
{{- if and .Values.tls.enabled (or .Values.tls.keystorePassword .Values.tls.truststorePassword .Values.tls.passwordsSecret) }}
- secret:
name: {{ include "keycloak.tlsPasswordsSecretName" . }}
{{- end }}
{{- if and .Values.spi.existingSecret (or .Values.spi.truststorePassword .Values.spi.passwordsSecret) }}
- secret:
name: {{ include "keycloak.spiPasswordsSecretName" . }}
{{- end }}
{{- end }}
{{- if or .Values.configuration .Values.existingConfigmap }}
- name: keycloak-config
configMap:
name: {{ include "keycloak.configmapName" . }}
{{- end }}
{{- if .Values.tls.enabled }}
- name: certificates
secret:
secretName: {{ include "keycloak.tlsSecretName" . }}
defaultMode: 420
{{- end }}
{{- if .Values.customCaExistingSecret }}
- name: custom-ca
secret:
secretName: {{ .Values.customCaExistingSecret }}
defaultMode: 420
{{- end }}
{{- if .Values.spi.existingSecret }}
- name: spi-certificates
secret:
secretName: {{ .Values.spi.existingSecret }}
defaultMode: 420
{{- end }}
{{- if or .Values.initdbScriptsConfigMap .Values.initdbScripts }}
- name: custom-init-scripts
configMap:
name: {{ include "keycloak.initdbScriptsCM" . }}
{{- end }}
{{- if .Values.extraVolumes }}
{{- include "common.tplvalues.render" (dict "value" .Values.extraVolumes "context" $) | nindent 8 }}
{{- end }}

43
charts/keycloak/templates/tls-pass-secret.yaml Normal file
View File

@@ -0,0 +1,43 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- if and (or .Values.tls.keystorePassword .Values.tls.truststorePassword) (not .Values.tls.passwordsSecret) }}
apiVersion: v1
kind: Secret
metadata:
name: {{ printf "%s-tls-passwords" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" }}
namespace: {{ include "common.names.namespace" . | quote }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
app.kubernetes.io/component: keycloak
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
type: Opaque
data:
{{- if .Values.tls.keystorePassword }}
tls-keystore-password: {{ .Values.tls.keystorePassword | b64enc | quote }}
{{- end }}
{{- if .Values.tls.truststorePassword }}
tls-truststore-password: {{ .Values.tls.truststorePassword | b64enc | quote }}
{{- end }}
---
{{- end }}
{{- if and .Values.spi.truststorePassword (not .Values.spi.passwordsSecret) }}
apiVersion: v1
kind: Secret
metadata:
name: {{ printf "%s-spi-passwords" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" }}
namespace: {{ include "common.names.namespace" . | quote }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
app.kubernetes.io/component: keycloak
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
type: Opaque
data:
{{- if .Values.spi.truststorePassword }}
spi-truststore-password: {{ .Values.spi.truststorePassword | b64enc | quote }}
{{- end }}
{{- end }}

71
charts/keycloak/templates/tls-secret.yaml Normal file
View File

@@ -0,0 +1,71 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- if .Values.ingress.enabled }}
{{- if .Values.ingress.secrets }}
{{- range .Values.ingress.secrets }}
apiVersion: v1
kind: Secret
metadata:
name: {{ include "common.tplvalues.render" ( dict "value" .name "context" $ ) }}
namespace: {{ include "common.names.namespace" $ | quote }}
labels: {{- include "common.labels.standard" ( dict "customLabels" $.Values.commonLabels "context" $ ) | nindent 4 }}
{{- if $.Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" $.Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
type: kubernetes.io/tls
data:
tls.crt: {{ include "common.tplvalues.render" ( dict "value" .certificate "context" $ ) | b64enc }}
tls.key: {{ include "common.tplvalues.render" ( dict "value" .key "context" $ ) | b64enc }}
---
{{- end }}
{{- end }}
{{- if and .Values.ingress.tls .Values.ingress.selfSigned }}
{{- $secretName := printf "%s-tls" .Values.ingress.hostname }}
{{- $ca := genCA "keycloak-ca" 365 }}
{{- $cert := genSignedCert (tpl .Values.ingress.hostname .) nil (list (tpl .Values.ingress.hostname .)) 365 $ca }}
apiVersion: v1
kind: Secret
metadata:
name: {{ $secretName }}
namespace: {{ include "common.names.namespace" . | quote }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
type: kubernetes.io/tls
data:
tls.crt: {{ include "common.secrets.lookup" (dict "secret" $secretName "key" "tls.crt" "defaultValue" $cert.Cert "context" $) }}
tls.key: {{ include "common.secrets.lookup" (dict "secret" $secretName "key" "tls.key" "defaultValue" $cert.Key "context" $) }}
ca.crt: {{ include "common.secrets.lookup" (dict "secret" $secretName "key" "ca.crt" "defaultValue" $ca.Cert "context" $) }}
{{- end }}
{{- end }}
{{- if (include "keycloak.createTlsSecret" $) }}
{{- $secretName := printf "%s-crt" (include "common.names.fullname" .) }}
{{- $ca := genCA "keycloak-ca" 365 }}
{{- $releaseNamespace := include "common.names.namespace" . }}
{{- $clusterDomain := .Values.clusterDomain }}
---
apiVersion: v1
kind: Secret
metadata:
name: {{ $secretName }}
namespace: {{ include "common.names.namespace" . | quote }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
app.kubernetes.io/component: keycloak
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
type: Opaque
data:
{{- $replicaCount := int .Values.replicaCount }}
{{- $svcName := include "common.names.fullname" . }}
{{- $altNames := list (printf "%s.%s.svc.%s" $svcName $releaseNamespace $clusterDomain) (printf "%s.%s" $svcName $releaseNamespace) $svcName }}
{{- $cert := genSignedCert $svcName nil $altNames 365 $ca }}
tls.crt: {{ include "common.secrets.lookup" (dict "secret" $secretName "key" "tls.crt" "defaultValue" $cert.Cert "context" $) }}
tls.key: {{ include "common.secrets.lookup" (dict "secret" $secretName "key" "tls.key" "defaultValue" $cert.Key "context" $) }}
ca.crt: {{ include "common.secrets.lookup" (dict "secret" $secretName "key" "ca.crt" "defaultValue" $ca.Cert "context" $) }}
{{- end }}