sa_8001/cmoa_installer_ansible
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
fab5fb32c94ef4fbf4aa5a183c0cfe97ed7cb4f3
cmoa_installer_ansible/roles/cmoa_install/files/04-keycloak/values.yaml
havelight-ee 2b70528618 update
2023-02-06 15:01:53 +09:00

553 lines
16 KiB
YAML
Raw Blame History

# Optionally override the fully qualified name
fullnameOverride: "imxc-keycloak"
# Optionally override the name
nameOverride: ""
# The number of replicas to create (has no effect if autoscaling enabled)
replicas: 2
image:
# The Keycloak image repository
#repository: cdm-dev.exem-oss.org/keycloak/keycloak
repository: 10.10.31.243:5000/cmoa3/keycloak
# Overrides the Keycloak image tag whose default is the chart version
tag: "11.0.1"
# The Keycloak image pull policy
pullPolicy: Always
# Image pull secrets for the Pod
#imagePullSecrets: []
# - name: myRegistrKeySecretName
imagePullSecrets:
- name: regcred
# Mapping between IPs and hostnames that will be injected as entries in the Pod's hosts files
hostAliases: []
# - ip: "1.2.3.4"
# hostnames:
# - "my.host.com"
# Indicates whether information about services should be injected into Pod's environment variables, matching the syntax of Docker links
enableServiceLinks: true
# Pod management policy. One of `Parallel` or `OrderedReady`
podManagementPolicy: Parallel
# Pod restart policy. One of `Always`, `OnFailure`, or `Never`
restartPolicy: Always
serviceAccount:
# Specifies whether a ServiceAccount should be created
create: true
# The name of the service account to use.
# If not set and create is true, a name is generated using the fullname template
name: ""
# Additional annotations for the ServiceAccount
annotations: {}
# Additional labels for the ServiceAccount
labels: {}
# Image pull secrets that are attached to the ServiceAccount
#imagePullSecrets: []
imagePullSecrets:
- name: regcred
rbac:
create: true
rules:
# RBAC rules for KUBE_PING
- apiGroups:
- ""
resources:
- pods
verbs:
- get
- list
# SecurityContext for the entire Pod. Every container running in the Pod will inherit this SecurityContext. This might be relevant when other components of the environment inject additional containers into running Pods (service meshes are the most prominent example for this)
podSecurityContext:
fsGroup: 1000
# SecurityContext for the Keycloak container
securityContext:
runAsUser: 1000
runAsNonRoot: true
# Additional init containers, e. g. for providing custom themes
extraInitContainers: |
- name: theme-provider
image: 10.10.31.243:5000/cmoa3/theme-provider:latest
imagePullPolicy: IfNotPresent
command:
- sh
args:
- -c
- |
echo "Copying theme ..."
cp -R /mytheme/* /theme
volumeMounts:
- name: theme
mountPath: /theme
#extraInitContainers: ""
# Additional sidecar containers, e. g. for a database proxy, such as Google's cloudsql-proxy
extraContainers: ""
# Lifecycle hooks for the Keycloak container
lifecycleHooks: |
# postStart:
# exec:
# command:
# - /bin/sh
# - -c
# - ls
# Termination grace period in seconds for Keycloak shutdown. Clusters with a large cache might need to extend this to give Infinispan more time to rebalance
terminationGracePeriodSeconds: 60
# The internal Kubernetes cluster domain
clusterDomain: cluster.local
## Overrides the default entrypoint of the Keycloak container
command: []
## Overrides the default args for the Keycloak container
#args: ["-Dkeycloak.profile.feature.scripts=enabled", "-Dkeycloak.profile.feature.upload_scripts=enabled", "-Dkeycloak.profile.feature.admin_fine_grained_authz=enabled"]
args: ["-Dkeycloak.profile.feature.scripts=enabled", "-Dkeycloak.profile.feature.upload_scripts=enabled"]
# Additional environment variables for Keycloak
extraEnv: |
# HA settings
- name: PROXY_ADDRESS_FORWARDING
value: "true"
- name: JGROUPS_DISCOVERY_PROTOCOL
value: kubernetes.KUBE_PING
- name: KUBERNETES_NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
- name: CACHE_OWNERS_COUNT
value: "2"
- name: CACHE_OWNERS_AUTH_SESSIONS_COUNT
value: "2"
# postgresql settings
- name: DB_VENDOR
value: postgres
- name: DB_ADDR
value: postgres
- name: DB_PORT
value: "5432"
- name: DB_DATABASE
value: keycloak
- name: DB_USER
value: admin
- name: DB_PASSWORD
value: eorbahrhkswp
# - name: KEYCLOAK_USER
# value: keycloak
# - name: KEYCLOAK_PASSWORD
# value: keycloak
#extraEnv: ""
# - name: KEYCLOAK_LOGLEVEL
# value: DEBUG
# - name: WILDFLY_LOGLEVEL
# value: DEBUG
# - name: CACHE_OWNERS_COUNT
# value: "2"
# - name: CACHE_OWNERS_AUTH_SESSIONS_COUNT
# value: "2"
#extraEnv: |
# - name: JGROUPS_DISCOVERY_PROTOCOL
# value: dns.DNS_PING
# - name: JGROUPS_DISCOVERY_PROPERTIES
# value: 'dns_query={{ include "keycloak.serviceDnsName" . }}'
# - name: CACHE_OWNERS_COUNT
# value: "2"
# - name: CACHE_OWNERS_AUTH_SESSIONS_COUNT
# value: "2"
# Additional environment variables for Keycloak mapped from Secret or ConfigMap
extraEnvFrom: ""
# Pod priority class name
#priorityClassName: "manual"
# Pod affinity
affinity: |
podAntiAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchLabels:
{{- include "keycloak.selectorLabels" . | nindent 10 }}
matchExpressions:
- key: app.kubernetes.io/component
operator: NotIn
values:
- test
topologyKey: kubernetes.io/hostname
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 100
podAffinityTerm:
labelSelector:
matchLabels:
{{- include "keycloak.selectorLabels" . | nindent 12 }}
matchExpressions:
- key: app.kubernetes.io/component
operator: NotIn
values:
- test
topologyKey: failure-domain.beta.kubernetes.io/zone
#affinity: {}
# Node labels for Pod assignment
nodeSelector: {}
# Node taints to tolerate
tolerations: []
# Additional Pod labels
podLabels: {}
# Additional Pod annotations
podAnnotations: {}
# Liveness probe configuration
livenessProbe: |
httpGet:
path: /auth/
port: http
initialDelaySeconds: 300
timeoutSeconds: 5
# Readiness probe configuration
readinessProbe: |
httpGet:
path: /auth/realms/master
port: http
initialDelaySeconds: 30
timeoutSeconds: 1
# Pod resource requests and limits
#resources: {}
# requests:
# cpu: "500m"
# memory: "1024Mi"
# limits:
# cpu: "500m"
# memory: "1024Mi"
resources:
requests:
memory: "200Mi"
cpu: "10m"
# Startup scripts to run before Keycloak starts up
startupScripts:
# WildFly CLI script for configuring the node-identifier
keycloak.cli: |
{{- .Files.Get "scripts/keycloak.cli" }}
# mystartup.sh: |
# #!/bin/sh
#
# echo 'Hello from my custom startup script!'
# Add additional volumes, e. g. for custom themes
extraVolumes: |
- name: theme
emptyDir: {}
#extraVolumes: ""
# Add additional volumes mounts, e. g. for custom themes
extraVolumeMounts: |
- name: theme
mountPath: /opt/jboss/keycloak/themes
#extraVolumeMounts: ""
# Add additional ports, e. g. for admin console or exposing JGroups ports
extraPorts: []
# Pod disruption budget
podDisruptionBudget: {}
# maxUnavailable: 1
# minAvailable: 1
# Annotations for the StatefulSet
statefulsetAnnotations: {}
# Additional labels for the StatefulSet
statefulsetLabels: {}
# Configuration for secrets that should be created
secrets: {}
# mysecret:
# type: {}
# annotations: {}
# labels: {}
# stringData: {}
# data: {}
service:
# Annotations for headless and HTTP Services
annotations: {}
# Additional labels for headless and HTTP Services
labels: {}
# key: value
# The Service type
type: NodePort
# Optional IP for the load balancer. Used for services of type LoadBalancer only
loadBalancerIP: ""
# The http Service port
httpPort: 80
# The HTTP Service node port if type is NodePort
httpNodePort: 31082
# The HTTPS Service port
httpsPort: 8443
# The HTTPS Service node port if type is NodePort
httpsNodePort: null
# The WildFly management Service port
httpManagementPort: 9990
# The WildFly management Service node port if type is NodePort
httpManagementNodePort: 31990
# Additional Service ports, e. g. for custom admin console
extraPorts: []
# When using Service type LoadBalancer, you can restrict source ranges allowed
# to connect to the LoadBalancer, e. g. will result in Security Groups
# (or equivalent) with inbound source ranges allowed to connect
loadBalancerSourceRanges: []
# Session affinity
# See https://kubernetes.io/docs/concepts/services-networking/service/#proxy-mode-userspace
sessionAffinity: ""
# Session affinity config
sessionAffinityConfig: {}
ingress:
# If `true`, an Ingress is created
enabled: false
# The Service port targeted by the Ingress
servicePort: http
# Ingress annotations
annotations: {}
## Resolve HTTP 502 error using ingress-nginx:
## See https://www.ibm.com/support/pages/502-error-ingress-keycloak-response
# nginx.ingress.kubernetes.io/proxy-buffer-size: 128k
# Additional Ingress labels
labels: {}
# List of rules for the Ingress
rules:
-
# Ingress host
host: '{{ .Release.Name }}.keycloak.example.com'
# Paths for the host
paths:
- /
# TLS configuration
tls:
- hosts:
- keycloak.example.com
secretName: ""
# ingress for console only (/auth/admin)
console:
# If `true`, an Ingress is created for console path only
enabled: false
# Ingress annotations for console ingress only
# Useful to set nginx.ingress.kubernetes.io/whitelist-source-range particularly
annotations: {}
rules:
-
# Ingress host
host: '{{ .Release.Name }}.keycloak.example.com'
# Paths for the host
paths:
- /auth/admin/
## Network policy configuration
networkPolicy:
# If true, the Network policies are deployed
enabled: false
# Additional Network policy labels
labels: {}
# Define all other external allowed source
# See https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#networkpolicypeer-v1-networking-k8s-io
extraFrom: []
route:
# If `true`, an OpenShift Route is created
enabled: false
# Path for the Route
path: /
# Route annotations
annotations: {}
# Additional Route labels
labels: {}
# Host name for the Route
host: ""
# TLS configuration
tls:
# If `true`, TLS is enabled for the Route
enabled: false
# Insecure edge termination policy of the Route. Can be `None`, `Redirect`, or `Allow`
insecureEdgeTerminationPolicy: Redirect
# TLS termination of the route. Can be `edge`, `passthrough`, or `reencrypt`
termination: edge
pgchecker:
image:
# Docker image used to check Postgresql readiness at startup
#repository: cdm-dev.exem-oss.org/keycloak/busybox
#repository: {{ .Values.global.IMXC_REGISTRY }}/keycloak/busybox
repository: 10.10.31.243:5000/cmoa3/busybox
# Image tag for the pgchecker image
tag: 1.32
# Image pull policy for the pgchecker image
pullPolicy: Always
# SecurityContext for the pgchecker contai/docker.ner
securityContext:
allowPrivilegeEscalation: false
runAsUser: 1000
runAsGroup: 1000
runAsNonRoot: true
# Resource requests and limits for the pgchecker container
resources:
requests:
cpu: "10m"
memory: "16Mi"
limits:
cpu: "10m"
memory: "16Mi"
postgresql:
# If `true`, the Postgresql dependency is enabled
enabled: false
# PostgreSQL User to create
postgresqlUsername: keycloak
# PostgreSQL Password for the new user
postgresqlPassword: keycloak
# PostgreSQL Database to create
postgresqlDatabase: keycloak
# PostgreSQL network policy configuration
networkPolicy:
enabled: false
serviceMonitor:
# If `true`, a ServiceMonitor resource for the prometheus-operator is created
enabled: false
# Optionally sets a target namespace in which to deploy the ServiceMonitor resource
namespace: ""
# Optionally sets a namespace for the ServiceMonitor
namespaceSelector: {}
# Annotations for the ServiceMonitor
annotations: {}
# Additional labels for the ServiceMonitor
labels: {}
# Interval at which Prometheus scrapes metrics
interval: 10s
# Timeout for scraping
scrapeTimeout: 10s
# The path at which metrics are served
path: /metrics
# The Service port at which metrics are served
port: http-management
extraServiceMonitor:
# If `true`, a ServiceMonitor resource for the prometheus-operator is created
enabled: false
# Optionally sets a target namespace in which to deploy the ServiceMonitor resource
namespace: ""
# Optionally sets a namespace for the ServiceMonitor
namespaceSelector: {}
# Annotations for the ServiceMonitor
annotations: {}
# Additional labels for the ServiceMonitor
labels: {}
# Interval at which Prometheus scrapes metrics
interval: 10s
# Timeout for scraping
scrapeTimeout: 10s
# The path at which metrics are served
path: /auth/realms/master/metrics
# The Service port at which metrics are served
port: http
prometheusRule:
# If `true`, a PrometheusRule resource for the prometheus-operator is created
enabled: false
# Annotations for the PrometheusRule
annotations: {}
# Additional labels for the PrometheusRule
labels: {}
# List of rules for Prometheus
rules: []
# - alert: keycloak-IngressHigh5xxRate
# annotations:
# message: The percentage of 5xx errors for keycloak over the last 5 minutes is over 1%.
# expr: |
# (
# sum(
# rate(
# nginx_ingress_controller_response_duration_seconds_count{exported_namespace="mynamespace",ingress="mynamespace-keycloak",status=~"5[0-9]{2}"}[1m]
# )
# )
# /
# sum(
# rate(
# nginx_ingress_controller_response_duration_seconds_count{exported_namespace="mynamespace",ingress="mynamespace-keycloak"}[1m]
# )
# )
# ) * 100 > 1
# for: 5m
# labels:
# severity: warning
autoscaling:
# If `true`, a autoscaling/v2beta2 HorizontalPodAutoscaler resource is created (requires Kubernetes 1.18 or above)
# Autoscaling seems to be most reliable when using KUBE_PING service discovery (see README for details)
# This disables the `replicas` field in the StatefulSet
enabled: false
# Additional HorizontalPodAutoscaler labels
labels: {}
# The minimum and maximum number of replicas for the Keycloak StatefulSet
minReplicas: 3
maxReplicas: 10
# The metrics to use for scaling
metrics:
- type: Resource
resource:
name: cpu
target:
type: Utilization
averageUtilization: 80
# The scaling policy to use. This will scale up quickly but only scale down a single Pod per 5 minutes.
# This is important because caches are usually only replicated to 2 Pods and if one of those Pods is terminated this will give the cluster time to recover.
behavior:
scaleDown:
stabilizationWindowSeconds: 300
policies:
- type: Pods
value: 1
periodSeconds: 300
test:
# If `true`, test resources are created
enabled: false
image:
# The image for the test Pod
#repository: docker.io/unguiculus/docker-python3-phantomjs-selenium
repository: 10.10.31.243:5000/docker-python3-phantomjs-selenium
# The tag for the test Pod image
tag: v1
# The image pull policy for the test Pod image
pullPolicy: IfNotPresent
# SecurityContext for the entire test Pod
podSecurityContext:
fsGroup: 1000
# SecurityContext for the test container
securityContext:
runAsUser: 1000
runAsNonRoot: true
Reference in New Issue View Git Blame Copy Permalink