HelmChartSammlung/charts/keycloak/templates/keycloak-config-cli-job.yaml
Marko Oldenburg ba8d52be03 Add support for automated TLS certificates in Keycloak
This update introduces significant enhancements to the Keycloak chart,
particularly regarding TLS certificate management. The changes include:

- Added the capability to automatically generate and manage TLS certificates
  using cert-manager or Helm-generated self-signed certificates, so that TLS can
  be enabled even in development scenarios (self-signed certificates are a
  development convenience, not a substitute for CA-issued ones in production).
- Implemented a dedicated ConfigMap to hold keycloak-config-cli
  configurations and ensured that it is integrated with the job for
  configuration synchronization.
- Enhanced the handling of admin ingress settings and TLS secrets,
  facilitating smoother access and management for multi-host deployments.
- Refactored and reorganized sections to improve readability and maintainability
  of templates, ensuring adherence to best practices in Helm charts.

These improvements aim to streamline deployment, enhance security features,
and simplify the management of certificates, facilitating easier
Kubernetes operations for users.
2025-08-31 09:40:48 +02:00


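{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- /*
keycloak-config-cli Job.

Runs keycloak-config-cli once (as a post-install/upgrade/rollback Helm hook
when useHelmHooks is set) to push the realm configuration found under /config
into Keycloak. It authenticates with the Keycloak admin user and the admin
password taken from the chart's Keycloak secret, so this pod holds full
administrative credentials for the duration of the run.

Rendered only when keycloakConfigCli.enabled is true.
*/}}
{{- if .Values.keycloakConfigCli.enabled }}
apiVersion: batch/v1
kind: Job
metadata:
  name: {{ printf "%s-keycloak-config-cli" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" }}
  namespace: {{ include "common.names.namespace" . | quote }}
  labels: {{- include "common.labels.standard" (dict "customLabels" .Values.commonLabels "context" .) | nindent 4 }}
    app.kubernetes.io/component: keycloak-config-cli
    app.kubernetes.io/part-of: keycloak
  {{- /*
  With Helm hooks the Job is deleted before each new run and after success;
  a failed Job is intentionally left behind so its pod logs can be inspected.
  Without hooks the Job is a regular chart resource (see the checksum note
  on the pod template below).
  */}}
  {{- $defaultAnnotations := ternary (dict "helm.sh/hook" "post-install,post-upgrade,post-rollback" "helm.sh/hook-delete-policy" "before-hook-creation,hook-succeeded" "helm.sh/hook-weight" "5") (dict) .Values.useHelmHooks }}
  {{- $annotations := include "common.tplvalues.merge" (dict "values" (list .Values.keycloakConfigCli.annotations .Values.commonAnnotations $defaultAnnotations) "context" .) }}
  annotations: {{- include "common.tplvalues.render" (dict "value" $annotations "context" .) | nindent 4 }}
spec:
  backoffLimit: {{ .Values.keycloakConfigCli.backoffLimit }}
  {{- if .Values.keycloakConfigCli.cleanupAfterFinished.enabled }}
  ttlSecondsAfterFinished: {{ .Values.keycloakConfigCli.cleanupAfterFinished.seconds }}
  {{- end }}
  template:
    metadata:
      {{- $podLabels := include "common.tplvalues.merge" (dict "values" (list .Values.keycloakConfigCli.podLabels .Values.commonLabels) "context" .) }}
      labels: {{- include "common.labels.standard" (dict "customLabels" $podLabels "context" .) | nindent 8 }}
        app.kubernetes.io/component: keycloak-config-cli
        app.kubernetes.io/part-of: keycloak
      annotations:
        {{- /*
        The checksum only covers the chart-managed ConfigMap; an edited
        existingConfigmap does not change the pod template and will not
        re-trigger anything by itself.
        NOTE(review): a Job's pod template is immutable, so without Helm hooks
        a changed checksum on an already-existing Job is expected to make the
        upgrade fail rather than re-run the import - confirm before relying on
        useHelmHooks=false.
        */}}
        {{- if and .Values.keycloakConfigCli.configuration (not .Values.keycloakConfigCli.existingConfigmap) }}
        checksum/configuration: {{ include (print $.Template.BasePath "/keycloak-config-cli-configmap.yaml") . | sha256sum }}
        {{- end }}
        {{- if .Values.keycloakConfigCli.podAnnotations }}
        {{- include "common.tplvalues.render" (dict "value" .Values.keycloakConfigCli.podAnnotations "context" .) | nindent 8 }}
        {{- end }}
    spec:
      restartPolicy: Never
      serviceAccountName: {{ template "keycloak.serviceAccountName" . }}
      {{- include "keycloak.imagePullSecrets" . | nindent 6 }}
      {{- if .Values.keycloakConfigCli.podSecurityContext.enabled }}
      securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.keycloakConfigCli.podSecurityContext "context" .) | nindent 8 }}
      {{- end }}
      {{- /*
      The CLI only talks to Keycloak over HTTP; it has no need for a Kubernetes
      API token, so keycloakConfigCli.automountServiceAccountToken should stay
      false unless an extra init container or sidecar requires it.
      */}}
      automountServiceAccountToken: {{ .Values.keycloakConfigCli.automountServiceAccountToken }}
      {{- if .Values.keycloakConfigCli.hostAliases }}
      hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.keycloakConfigCli.hostAliases "context" .) | nindent 8 }}
      {{- end }}
      {{- if .Values.keycloakConfigCli.nodeSelector }}
      nodeSelector: {{- include "common.tplvalues.render" (dict "value" .Values.keycloakConfigCli.nodeSelector "context" .) | nindent 8 }}
      {{- end }}
      {{- if .Values.keycloakConfigCli.tolerations }}
      tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.keycloakConfigCli.tolerations "context" .) | nindent 8 }}
      {{- end }}
      {{- if .Values.keycloakConfigCli.initContainers }}
      initContainers: {{- include "common.tplvalues.render" (dict "value" .Values.keycloakConfigCli.initContainers "context" .) | nindent 8 }}
      {{- end }}
      containers:
        - name: keycloak-config-cli
          image: {{ template "keycloak.keycloakConfigCli.image" . }}
          imagePullPolicy: {{ .Values.keycloakConfigCli.image.pullPolicy }}
          command:
            {{- if .Values.keycloakConfigCli.command }}
            {{- include "common.tplvalues.render" (dict "value" .Values.keycloakConfigCli.command "context" .) | nindent 12 }}
            {{- else }}
            - java
            {{- end }}
          args:
            {{- if .Values.keycloakConfigCli.args }}
            {{- include "common.tplvalues.render" (dict "value" .Values.keycloakConfigCli.args "context" .) | nindent 12 }}
            {{- else }}
            - -jar
            - /opt/bitnami/keycloak-config-cli/keycloak-config-cli.jar
            {{- end }}
          {{- if .Values.keycloakConfigCli.containerSecurityContext.enabled }}
          securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.keycloakConfigCli.containerSecurityContext "context" .) | nindent 12 }}
          {{- end }}
          env:
            # ref: https://github.com/adorsys/keycloak-config-cli?tab=readme-ov-file#configuration
            {{- /*
            The CLI reaches Keycloak through the headless service over plain
            HTTP on the container's HTTP port, i.e. the admin credentials below
            travel unencrypted inside the cluster network.
            NOTE(review): if the chart's TLS support disables or firewalls the
            plain HTTP listener, this URL (and the CA trust for the CLI) must be
            switched to https - confirm against the TLS values.
            */}}
            - name: KEYCLOAK_URL
              value: {{ printf "http://%s:%d%s" (include "keycloak.headless.serviceName" .) (.Values.containerPorts.http | int) (.Values.httpRelativePath) | quote }}
            - name: KEYCLOAK_USER
              value: {{ .Values.auth.adminUser | quote }}
            {{- /* Admin password is read from the Keycloak secret, never from values. */}}
            - name: KEYCLOAK_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: {{ include "keycloak.secretName" . }}
                  key: {{ include "keycloak.secretKey" . }}
            {{- if or .Values.keycloakConfigCli.configuration .Values.keycloakConfigCli.existingConfigmap }}
            {{- /*
            Every file mounted under /config is imported. Realm import files
            often embed client secrets or initial user passwords; if yours do,
            keep in mind that they live in a ConfigMap (readable by anyone who
            can read ConfigMaps in this namespace), or supply them through
            extraVolumes from a Secret instead.
            */}}
            - name: IMPORT_FILES_LOCATIONS
              value: "/config/*"
            {{- end }}
            - name: KEYCLOAK_AVAILABILITYCHECK_ENABLED
              value: {{ .Values.keycloakConfigCli.availabilityCheck.enabled | quote }}
            {{- if and .Values.keycloakConfigCli.availabilityCheck.enabled .Values.keycloakConfigCli.availabilityCheck.timeout }}
            {{- /* Quoted: env values must be strings, and a bare numeric timeout would render as an integer. */}}
            - name: KEYCLOAK_AVAILABILITYCHECK_TIMEOUT
              value: {{ .Values.keycloakConfigCli.availabilityCheck.timeout | quote }}
            {{- end }}
            {{- if .Values.keycloakConfigCli.extraEnvVars }}
            {{- include "common.tplvalues.render" (dict "value" .Values.keycloakConfigCli.extraEnvVars "context" .) | nindent 12 }}
            {{- end }}
          {{- if or .Values.keycloakConfigCli.extraEnvVarsCM .Values.keycloakConfigCli.extraEnvVarsSecret }}
          envFrom:
            {{- if .Values.keycloakConfigCli.extraEnvVarsCM }}
            - configMapRef:
                name: {{ tpl .Values.keycloakConfigCli.extraEnvVarsCM . }}
            {{- end }}
            {{- if .Values.keycloakConfigCli.extraEnvVarsSecret }}
            - secretRef:
                name: {{ tpl .Values.keycloakConfigCli.extraEnvVarsSecret . }}
            {{- end }}
          {{- end }}
          {{- /*
          The empty-dir volume is always declared below, so /tmp is always
          mounted from it too (previously the mount was skipped when no
          configuration or extra mounts were set). This keeps a writable /tmp
          for the JVM when the container runs with a read-only root filesystem.
          */}}
          volumeMounts:
            - name: empty-dir
              mountPath: /tmp
              subPath: tmp-dir
            {{- if or .Values.keycloakConfigCli.configuration .Values.keycloakConfigCli.existingConfigmap }}
            - name: config-volume
              mountPath: /config
            {{- end }}
            {{- if .Values.keycloakConfigCli.extraVolumeMounts }}
            {{- include "common.tplvalues.render" (dict "value" .Values.keycloakConfigCli.extraVolumeMounts "context" .) | nindent 12 }}
            {{- end }}
          {{- if .Values.keycloakConfigCli.resources }}
          resources: {{- toYaml .Values.keycloakConfigCli.resources | nindent 12 }}
          {{- else if ne .Values.keycloakConfigCli.resourcesPreset "none" }}
          resources: {{- include "common.resources.preset" (dict "type" .Values.keycloakConfigCli.resourcesPreset) | nindent 12 }}
          {{- end }}
        {{- if .Values.keycloakConfigCli.sidecars }}
        {{- /* "dict" is required here: a bare ("value" ...) group is not a callable and fails at render time. */}}
        {{- include "common.tplvalues.render" (dict "value" .Values.keycloakConfigCli.sidecars "context" .) | nindent 8 }}
        {{- end }}
      volumes:
        - name: empty-dir
          emptyDir: {}
        {{- if or .Values.keycloakConfigCli.configuration .Values.keycloakConfigCli.existingConfigmap }}
        - name: config-volume
          configMap:
            name: {{ include "keycloak.keycloakConfigCli.configmapName" . }}
        {{- end }}
        {{- if .Values.keycloakConfigCli.extraVolumes }}
        {{- include "common.tplvalues.render" (dict "value" .Values.keycloakConfigCli.extraVolumes "context" .) | nindent 8 }}
        {{- end }}
{{- end }}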