Marko Oldenburg
ba8d52be03
This update introduces significant enhancements to the Keycloak chart, particularly regarding TLS certificate management. The changes include: - Added the capability to automatically generate and manage TLS certificates using Cert-Manager or Helm, improving the security posture by using self-signed certificates in development scenarios. - Implemented a dedicated ConfigMap to hold keycloak-config-cli configurations and ensured that it is integrated with the job for configuration synchronization. - Enhanced the handling of admin ingress settings and TLS secrets, facilitating smoother access and management for multi-host deployments. - Refactored and reorganized sections to improve readability and maintainability of templates, ensuring adherence to best practices in Helm charts. These improvements aim to streamline deployment, enhance security features, and simplify the management of certificates, facilitating easier Kubernetes operations for users.
325 lines
16 KiB
YAML
325 lines
16 KiB
YAML
{{- /*
|
|
Copyright Broadcom, Inc. All Rights Reserved.
|
|
SPDX-License-Identifier: APACHE-2.0
|
|
*/}}
|
|
|
|
apiVersion: {{ include "common.capabilities.statefulset.apiVersion" . }}
|
|
kind: StatefulSet
|
|
metadata:
|
|
name: {{ template "common.names.fullname" . }}
|
|
namespace: {{ include "common.names.namespace" . | quote }}
|
|
labels: {{- include "common.labels.standard" (dict "customLabels" .Values.commonLabels "context" .) | nindent 4 }}
|
|
app.kubernetes.io/component: keycloak
|
|
app.kubernetes.io/part-of: keycloak
|
|
{{- if or .Values.statefulsetAnnotations .Values.commonAnnotations }}
|
|
annotations: {{- include "common.tplvalues.merge" (dict "values" (list .Values.statefulsetAnnotations .Values.commonAnnotations) "context" .) | nindent 4 }}
|
|
{{- end }}
|
|
spec:
|
|
{{- if not .Values.autoscaling.hpa.enabled }}
|
|
replicas: {{ .Values.replicaCount }}
|
|
{{- end }}
|
|
revisionHistoryLimit: {{ .Values.revisionHistoryLimitCount }}
|
|
podManagementPolicy: {{ .Values.podManagementPolicy }}
|
|
serviceName: {{ printf "%s-headless" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" }}
|
|
updateStrategy: {{- include "common.tplvalues.render" (dict "value" .Values.updateStrategy "context" .) | nindent 4 }}
|
|
{{- if .Values.minReadySeconds }}
|
|
minReadySeconds: {{ .Values.minReadySeconds }}
|
|
{{- end }}
|
|
{{- $podLabels := include "common.tplvalues.merge" (dict "values" (list .Values.podLabels .Values.commonLabels) "context" .) }}
|
|
selector:
|
|
matchLabels: {{- include "common.labels.matchLabels" (dict "customLabels" $podLabels "context" .) | nindent 6 }}
|
|
app.kubernetes.io/component: keycloak
|
|
app.kubernetes.io/part-of: keycloak
|
|
template:
|
|
metadata:
|
|
annotations:
|
|
checksum/configmap-env-vars: {{ include (print $.Template.BasePath "/configmap-env-vars.yaml") . | sha256sum }}
|
|
{{- if not .Values.auth.existingSecret }}
|
|
checksum/secrets: {{ include (print $.Template.BasePath "/secrets.yaml") . | sha256sum }}
|
|
{{- end }}
|
|
{{- if and .Values.configuration (not .Values.existingConfigmap) }}
|
|
checksum/configuration: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
|
|
{{- end }}
|
|
{{- if .Values.podAnnotations }}
|
|
{{- include "common.tplvalues.render" (dict "value" .Values.podAnnotations "context" .) | nindent 8 }}
|
|
{{- end }}
|
|
labels: {{- include "common.labels.standard" (dict "customLabels" $podLabels "context" .) | nindent 8 }}
|
|
app.kubernetes.io/component: keycloak
|
|
app.kubernetes.io/part-of: keycloak
|
|
spec:
|
|
serviceAccountName: {{ template "keycloak.serviceAccountName" . }}
|
|
{{- include "keycloak.imagePullSecrets" . | nindent 6 }}
|
|
automountServiceAccountToken: {{ .Values.automountServiceAccountToken }}
|
|
{{- if .Values.hostAliases }}
|
|
hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.hostAliases "context" .) | nindent 8 }}
|
|
{{- end }}
|
|
{{- if .Values.affinity }}
|
|
affinity: {{- include "common.tplvalues.render" ( dict "value" .Values.affinity "context" .) | nindent 8 }}
|
|
{{- else }}
|
|
affinity:
|
|
podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.podAffinityPreset "component" "keycloak" "customLabels" $podLabels "context" .) | nindent 10 }}
|
|
podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.podAntiAffinityPreset "component" "keycloak" "customLabels" $podLabels "context" .) | nindent 10 }}
|
|
nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.nodeAffinityPreset.type "key" .Values.nodeAffinityPreset.key "values" .Values.nodeAffinityPreset.values) | nindent 10 }}
|
|
{{- end }}
|
|
{{- if .Values.nodeSelector }}
|
|
nodeSelector: {{- include "common.tplvalues.render" ( dict "value" .Values.nodeSelector "context" .) | nindent 8 }}
|
|
{{- end }}
|
|
{{- if .Values.tolerations }}
|
|
tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.tolerations "context" .) | nindent 8 }}
|
|
{{- end }}
|
|
{{- if .Values.topologySpreadConstraints }}
|
|
topologySpreadConstraints: {{- include "common.tplvalues.render" (dict "value" .Values.topologySpreadConstraints "context" .) | nindent 8 }}
|
|
{{- end }}
|
|
{{- if .Values.priorityClassName }}
|
|
priorityClassName: {{ .Values.priorityClassName | quote }}
|
|
{{- end }}
|
|
{{- if .Values.schedulerName }}
|
|
schedulerName: {{ .Values.schedulerName }}
|
|
{{- end }}
|
|
{{- if .Values.podSecurityContext.enabled }}
|
|
securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.podSecurityContext "context" .) | nindent 8 }}
|
|
{{- end }}
|
|
{{- if .Values.dnsPolicy }}
|
|
dnsPolicy: {{ .Values.dnsPolicy }}
|
|
{{- end }}
|
|
{{- if .Values.dnsConfig }}
|
|
dnsConfig: {{- include "common.tplvalues.render" (dict "value" .Values.dnsConfig "context" .) | nindent 8 }}
|
|
{{- end }}
|
|
enableServiceLinks: {{ .Values.enableServiceLinks }}
|
|
{{- if .Values.terminationGracePeriodSeconds }}
|
|
terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }}
|
|
{{- end }}
|
|
{{- if or .Values.defaultInitContainers.prepareWriteDirs.enabled .Values.initContainers }}
|
|
initContainers:
|
|
{{- if .Values.defaultInitContainers.prepareWriteDirs.enabled }}
|
|
{{- include "keycloak.defaultInitContainers.prepareWriteDirs" . | nindent 8 }}
|
|
{{- end }}
|
|
{{- if .Values.initContainers }}
|
|
{{- include "common.tplvalues.render" (dict "value" .Values.initContainers "context" .) | nindent 8 }}
|
|
{{- end }}
|
|
{{- end }}
|
|
containers:
|
|
- name: keycloak
|
|
image: {{ template "keycloak.image" . }}
|
|
imagePullPolicy: {{ .Values.image.pullPolicy }}
|
|
{{- if .Values.lifecycleHooks }}
|
|
lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.lifecycleHooks "context" .) | nindent 12 }}
|
|
{{- end }}
|
|
{{- if .Values.containerSecurityContext.enabled }}
|
|
securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" .) | nindent 12 }}
|
|
{{- end }}
|
|
{{- if .Values.diagnosticMode.enabled }}
|
|
command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" .) | nindent 12 }}
|
|
{{- else if .Values.command }}
|
|
command: {{- include "common.tplvalues.render" (dict "value" .Values.command "context" .) | nindent 12 }}
|
|
{{- end }}
|
|
{{- if .Values.diagnosticMode.enabled }}
|
|
args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" .) | nindent 12 }}
|
|
{{- else if .Values.args }}
|
|
args: {{- include "common.tplvalues.render" (dict "value" .Values.args "context" .) | nindent 12 }}
|
|
{{- end }}
|
|
env:
|
|
- name: KUBERNETES_NAMESPACE
|
|
valueFrom:
|
|
fieldRef:
|
|
apiVersion: v1
|
|
fieldPath: metadata.namespace
|
|
{{- if not .Values.usePasswordFiles }}
|
|
- name: KC_BOOTSTRAP_ADMIN_PASSWORD
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: {{ include "keycloak.secretName" . }}
|
|
key: {{ include "keycloak.secretKey" . }}
|
|
- name: KC_DB_PASSWORD
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: {{ include "keycloak.database.secretName" . }}
|
|
key: {{ include "keycloak.database.secretPasswordKey" . }}
|
|
{{- if .Values.externalDatabase.existingSecretUserKey }}
|
|
- name: KC_DB_USERNAME
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: {{ include "keycloak.database.secretName" . }}
|
|
key: {{ include "keycloak.database.secretUserKey" . }}
|
|
{{- end }}
|
|
{{- if and .Values.tls.enabled (not .Values.tls.autoGenerated.enabled) (or .Values.tls.keystorePassword .Values.tls.passwordsSecret) }}
|
|
- name: KC_HTTPS_KEY_STORE_PASSWORD
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: {{ include "keycloak.tls.passwordsSecretName" . }}
|
|
key: "tls-keystore-password"
|
|
{{- end }}
|
|
{{- if and .Values.tls.enabled (not .Values.tls.autoGenerated.enabled) (or .Values.tls.truststorePassword .Values.tls.passwordsSecret) }}
|
|
- name: KC_HTTPS_TRUST_STORE_PASSWORD
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: {{ include "keycloak.tls.passwordsSecretName" . }}
|
|
key: "tls-truststore-password"
|
|
{{- end }}
|
|
{{- end }}
|
|
{{- if .Values.extraEnvVars }}
|
|
{{- include "common.tplvalues.render" (dict "value" .Values.extraEnvVars "context" .) | nindent 12 }}
|
|
{{- end }}
|
|
envFrom:
|
|
- configMapRef:
|
|
name: {{ printf "%s-env-vars" (include "common.names.fullname" .) }}
|
|
{{- if .Values.extraEnvVarsCM }}
|
|
- configMapRef:
|
|
name: {{ tpl .Values.extraEnvVarsCM . }}
|
|
{{- end }}
|
|
{{- if .Values.extraEnvVarsSecret }}
|
|
- secretRef:
|
|
name: {{ tpl .Values.extraEnvVarsSecret . }}
|
|
{{- end }}
|
|
{{- if .Values.resources }}
|
|
resources: {{- toYaml .Values.resources | nindent 12 }}
|
|
{{- else if ne .Values.resourcesPreset "none" }}
|
|
resources: {{- include "common.resources.preset" (dict "type" .Values.resourcesPreset) | nindent 12 }}
|
|
{{- end }}
|
|
ports:
|
|
- name: http
|
|
containerPort: {{ .Values.containerPorts.http }}
|
|
protocol: TCP
|
|
{{- if .Values.tls.enabled }}
|
|
- name: https
|
|
containerPort: {{ .Values.containerPorts.https }}
|
|
protocol: TCP
|
|
{{- end }}
|
|
{{- if .Values.metrics.enabled }}
|
|
- name: management
|
|
containerPort: {{ .Values.containerPorts.management }}
|
|
protocol: TCP
|
|
{{- end}}
|
|
{{- /* Constant in code: https://github.com/keycloak/keycloak/blob/ce8e925c1ad9bf7a3180d1496e181aeea0ab5f8a/operator/src/main/java/org/keycloak/operator/Constants.java#L60 */}}
|
|
- name: discovery
|
|
containerPort: 7800
|
|
{{- if .Values.extraContainerPorts }}
|
|
{{- include "common.tplvalues.render" (dict "value" .Values.extraContainerPorts "context" .) | nindent 12 }}
|
|
{{- end }}
|
|
{{- if not .Values.diagnosticMode.enabled }}
|
|
{{- if .Values.customStartupProbe }}
|
|
startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customStartupProbe "context" .) | nindent 12 }}
|
|
{{- else if .Values.startupProbe.enabled }}
|
|
startupProbe: {{- omit .Values.startupProbe "enabled" | toYaml | nindent 12 }}
|
|
httpGet:
|
|
path: {{ .Values.httpRelativePath }}
|
|
port: {{ ternary "http" "https" (or .Values.httpEnabled (not .Values.tls.enabled)) }}
|
|
scheme: {{ ternary "HTTP" "HTTPS" (or .Values.httpEnabled (not .Values.tls.enabled)) }}
|
|
{{- end }}
|
|
{{- if .Values.customLivenessProbe }}
|
|
livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customLivenessProbe "context" .) | nindent 12 }}
|
|
{{- else if .Values.livenessProbe.enabled }}
|
|
livenessProbe: {{- omit .Values.livenessProbe "enabled" | toYaml | nindent 12 }}
|
|
tcpSocket:
|
|
port: {{ ternary "http" "https" (or .Values.httpEnabled (not .Values.tls.enabled)) }}
|
|
{{- end }}
|
|
{{- if .Values.customReadinessProbe }}
|
|
readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customReadinessProbe "context" .) | nindent 12 }}
|
|
{{- else if .Values.readinessProbe.enabled }}
|
|
readinessProbe: {{- omit .Values.readinessProbe "enabled" | toYaml | nindent 12 }}
|
|
httpGet:
|
|
path: {{ .Values.httpRelativePath }}realms/{{ .Values.adminRealm | default "master" }}
|
|
port: {{ ternary "http" "https" (or .Values.httpEnabled (not .Values.tls.enabled)) }}
|
|
scheme: {{ ternary "HTTP" "HTTPS" (or .Values.httpEnabled (not .Values.tls.enabled)) }}
|
|
{{- end }}
|
|
{{- end }}
|
|
volumeMounts:
|
|
- name: empty-dir
|
|
mountPath: /tmp
|
|
subPath: tmp-dir
|
|
- name: empty-dir
|
|
mountPath: /bitnami/keycloak
|
|
subPath: app-volume-dir
|
|
- name: empty-dir
|
|
mountPath: /opt/bitnami/keycloak/conf
|
|
subPath: app-conf-dir
|
|
- name: empty-dir
|
|
mountPath: /opt/bitnami/keycloak/lib/quarkus
|
|
subPath: app-quarkus-dir
|
|
- name: empty-dir
|
|
mountPath: /opt/bitnami/keycloak/data
|
|
subPath: app-data-dir
|
|
- name: empty-dir
|
|
mountPath: /opt/bitnami/keycloak/providers
|
|
subPath: app-providers-dir
|
|
- name: empty-dir
|
|
mountPath: /opt/bitnami/keycloak/themes
|
|
subPath: app-themes-dir
|
|
{{- if .Values.usePasswordFiles }}
|
|
- name: keycloak-secrets
|
|
mountPath: /opt/bitnami/keycloak/secrets
|
|
{{- end }}
|
|
{{- if or .Values.configuration .Values.existingConfigmap }}
|
|
- name: keycloak-config
|
|
mountPath: /bitnami/keycloak/conf/keycloak.conf
|
|
subPath: keycloak.conf
|
|
{{- end }}
|
|
{{- if .Values.tls.enabled }}
|
|
- name: certificates
|
|
mountPath: /opt/bitnami/keycloak/certs
|
|
readOnly: true
|
|
{{- end }}
|
|
{{- if .Values.trustedCertsExistingSecret }}
|
|
- name: truststore
|
|
mountPath: /opt/bitnami/keycloak/truststore
|
|
readOnly: true
|
|
{{- end }}
|
|
{{- if or .Values.initdbScriptsConfigMap .Values.initdbScripts }}
|
|
- name: custom-init-scripts
|
|
mountPath: /docker-entrypoint-initdb.d
|
|
{{- end }}
|
|
{{- if .Values.extraVolumeMounts }}
|
|
{{- include "common.tplvalues.render" (dict "value" .Values.extraVolumeMounts "context" .) | nindent 12 }}
|
|
{{- end }}
|
|
{{- if .Values.sidecars }}
|
|
{{- include "common.tplvalues.render" ( dict "value" .Values.sidecars "context" .) | nindent 8 }}
|
|
{{- end }}
|
|
volumes:
|
|
- name: empty-dir
|
|
emptyDir: {}
|
|
{{- if .Values.usePasswordFiles }}
|
|
- name: keycloak-secrets
|
|
projected:
|
|
sources:
|
|
- secret:
|
|
name: {{ include "keycloak.secretName" . }}
|
|
- secret:
|
|
name: {{ include "keycloak.database.secretName" . }}
|
|
items:
|
|
- key: {{ include "keycloak.database.secretPasswordKey" . }}
|
|
path: {{ printf "db-%s" (include "keycloak.database.secretPasswordKey" .) }}
|
|
{{- if .Values.externalDatabase.existingSecretUserKey }}
|
|
- key: {{ include "keycloak.database.secretUserKey" . }}
|
|
path: {{ printf "db-%s" (include "keycloak.database.secretUserKey" .) }}
|
|
{{- end }}
|
|
{{- if and .Values.tls.enabled (not .Values.tls.autoGenerated.enabled) (or .Values.tls.keystorePassword .Values.tls.truststorePassword .Values.tls.passwordsSecret) }}
|
|
- secret:
|
|
name: {{ include "keycloak.tls.passwordsSecretName" . }}
|
|
{{- end }}
|
|
{{- end }}
|
|
{{- if or .Values.configuration .Values.existingConfigmap }}
|
|
- name: keycloak-config
|
|
configMap:
|
|
name: {{ include "keycloak.configmapName" . }}
|
|
{{- end }}
|
|
{{- if .Values.tls.enabled }}
|
|
- name: certificates
|
|
secret:
|
|
secretName: {{ include "keycloak.tls.secretName" . }}
|
|
defaultMode: 420
|
|
{{- end }}
|
|
{{- if .Values.trustedCertsExistingSecret }}
|
|
- name: truststore
|
|
secret:
|
|
secretName: {{ tpl .Values.trustedCertsExistingSecret . }}
|
|
defaultMode: 420
|
|
{{- end }}
|
|
{{- if or .Values.initdbScriptsConfigMap .Values.initdbScripts }}
|
|
- name: custom-init-scripts
|
|
configMap:
|
|
name: {{ include "keycloak.initdbScripts.configmapName" . }}
|
|
{{- end }}
|
|
{{- if .Values.extraVolumes }}
|
|
{{- include "common.tplvalues.render" (dict "value" .Values.extraVolumes "context" .) | nindent 8 }}
|
|
{{- end }}
|