update
This commit is contained in:
havelight-ee
@@ -0,0 +1,76 @@
|
||||
CHART NAME: {{ .Chart.Name }}
|
||||
CHART VERSION: {{ .Chart.Version }}
|
||||
APP VERSION: {{ .Chart.AppVersion }}
|
||||
|
||||
** Please be patient while the chart is being deployed **
|
||||
|
||||
Keycloak can be accessed through the following DNS name from within your cluster:
|
||||
|
||||
{{ include "common.names.fullname" . }}.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }} (port {{ coalesce .Values.service.ports.http .Values.service.port }})
|
||||
|
||||
To access Keycloak from outside the cluster execute the following commands:
|
||||
|
||||
{{- if .Values.ingress.enabled }}
|
||||
|
||||
1. Get the Keycloak URL and associate its hostname to your cluster external IP:
|
||||
|
||||
export CLUSTER_IP=$(minikube ip) # On Minikube. Use: `kubectl cluster-info` on others K8s clusters
|
||||
echo "Keycloak URL: http{{ if .Values.ingress.tls }}s{{ end }}://{{ .Values.ingress.hostname }}/auth"
|
||||
echo "$CLUSTER_IP {{ .Values.ingress.hostname }}" | sudo tee -a /etc/hosts
|
||||
|
||||
{{- else }}
|
||||
|
||||
1. Get the Keycloak URL by running these commands:
|
||||
|
||||
{{- if contains "NodePort" .Values.service.type }}
|
||||
|
||||
export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "common.names.fullname" . }})
|
||||
export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
|
||||
echo "http://${NODE_IP}:${NODE_PORT}/auth"
|
||||
|
||||
{{- else if contains "LoadBalancer" .Values.service.type }}
|
||||
|
||||
NOTE: It may take a few minutes for the LoadBalancer IP to be available.
|
||||
You can watch its status by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "common.names.fullname" . }}'
|
||||
|
||||
export SERVICE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].port}" services {{ include "common.names.fullname" . }})
|
||||
export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "common.names.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
|
||||
echo "http://${SERVICE_IP}:${SERVICE_PORT}/auth"
|
||||
|
||||
{{- else if contains "ClusterIP" .Values.service.type }}
|
||||
|
||||
export SERVICE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].port}" services {{ include "common.names.fullname" . }})
|
||||
kubectl port-forward --namespace {{ .Release.Namespace }} svc/{{ include "common.names.fullname" . }} ${SERVICE_PORT}:${SERVICE_PORT} &
|
||||
echo "http://127.0.0.1:${SERVICE_PORT}/auth"
|
||||
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
2. Access Keycloak using the obtained URL.
|
||||
{{- if .Values.auth.createAdminUser }}
|
||||
3. Access the Administration Console using the following credentials:
|
||||
|
||||
echo Username: {{ .Values.auth.adminUser }}
|
||||
{{- if not .Values.auth.existingSecretPerPassword }}
|
||||
echo Password: $(kubectl get secret --namespace {{ .Release.Namespace }} {{ include "common.secrets.name" (dict "existingSecret" .Values.auth.existingSecret "context" $) }} -o jsonpath="{.data.admin-password}" | base64 --decode)
|
||||
{{- else }}
|
||||
echo Password: $(kubectl get secret --namespace {{ .Release.Namespace }} {{ include "common.secrets.name" (dict "existingSecret" .Values.auth.existingSecretPerPassword.adminPassword "context" $) }} -o jsonpath="\{ {{ include "common.secrets.key" (dict "existingSecret" .Values.auth.existingSecretPerPassword "key" "adminPassword") }} \}" | base64 --decode)
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if .Values.metrics.enabled }}
|
||||
|
||||
You can access the Prometheus metrics following the steps below:
|
||||
|
||||
1. Get the Keycloak Prometheus metrics URL by running:
|
||||
|
||||
{{- $metricsPort := coalesce .Values.metrics.service.ports.http .Values.metrics.service.port | toString }}
|
||||
kubectl port-forward --namespace {{ .Release.Namespace }} svc/{{ printf "%s-metrics" (include "keycloak.fullname" .) }} {{ $metricsPort }}:{{ $metricsPort }} &
|
||||
echo "Keycloak Prometheus metrics URL: http://127.0.0.1:{{ $metricsPort }}/metrics"
|
||||
|
||||
2. Open a browser and access Keycloak Prometheus metrics using the obtained URL.
|
||||
|
||||
{{- end }}
|
||||
|
||||
{{- include "keycloak.validateValues" . }}
|
||||
{{- include "common.warnings.rollingTag" .Values.image }}
|
||||
{{- include "common.warnings.rollingTag" .Values.keycloakConfigCli.image }}
|
||||
@@ -0,0 +1,273 @@
|
||||
{{/*
|
||||
Create a default fully qualified app name.
|
||||
We truncate at 20 chars since the node identifier in WildFly is limited to
|
||||
23 characters. This allows for a replica suffix for up to 99 replicas.
|
||||
If release name contains chart name it will be used as a full name.
|
||||
*/}}
|
||||
{{- define "keycloak.fullname" -}}
|
||||
{{- if .Values.fullnameOverride -}}
|
||||
{{- .Values.fullnameOverride | trunc 20 | trimSuffix "-" -}}
|
||||
{{- else -}}
|
||||
{{- $name := default .Chart.Name .Values.nameOverride -}}
|
||||
{{- if contains $name .Release.Name -}}
|
||||
{{- .Release.Name | trunc 20 | trimSuffix "-" -}}
|
||||
{{- else -}}
|
||||
{{- printf "%s-%s" .Release.Name $name | trunc 20 | trimSuffix "-" -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Return the proper Keycloak image name
|
||||
*/}}
|
||||
{{- define "keycloak.image" -}}
|
||||
{{ include "common.images.image" (dict "imageRoot" .Values.image "global" .Values.global) }}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Return the proper keycloak-config-cli image name
|
||||
*/}}
|
||||
{{- define "keycloak.keycloakConfigCli.image" -}}
|
||||
{{ include "common.images.image" (dict "imageRoot" .Values.keycloakConfigCli.image "global" .Values.global) }}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Return the keycloak-config-cli configuration configmap.
|
||||
*/}}
|
||||
{{- define "keycloak.keycloakConfigCli.configmapName" -}}
|
||||
{{- if .Values.keycloakConfigCli.existingConfigmap -}}
|
||||
{{- printf "%s" (tpl .Values.keycloakConfigCli.existingConfigmap $) -}}
|
||||
{{- else -}}
|
||||
{{- printf "%s-keycloak-config-cli-configmap" (include "common.names.fullname" .) -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Return true if a configmap object should be created for keycloak-config-cli
|
||||
*/}}
|
||||
{{- define "keycloak.keycloakConfigCli.createConfigmap" -}}
|
||||
{{- if and .Values.keycloakConfigCli.enabled .Values.keycloakConfigCli.configuration (not .Values.keycloakConfigCli.existingConfigmap) -}}
|
||||
{{- true -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Return the proper Docker Image Registry Secret Names
|
||||
*/}}
|
||||
{{- define "keycloak.imagePullSecrets" -}}
|
||||
{{- include "common.images.pullSecrets" (dict "images" (list .Values.image .Values.keycloakConfigCli.image) "global" .Values.global) -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Create a default fully qualified app name.
|
||||
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
|
||||
*/}}
|
||||
{{- define "keycloak.postgresql.fullname" -}}
|
||||
{{- include "common.names.dependency.fullname" (dict "chartName" "postgresql" "chartValues" .Values.postgresql "context" $) -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Create the name of the service account to use
|
||||
*/}}
|
||||
{{- define "keycloak.serviceAccountName" -}}
|
||||
{{- if .Values.serviceAccount.create -}}
|
||||
{{ default (include "keycloak.fullname" .) .Values.serviceAccount.name }}
|
||||
{{- else -}}
|
||||
{{ default "default" .Values.serviceAccount.name }}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Return the Keycloak configuration configmap
|
||||
*/}}
|
||||
{{- define "keycloak.configmapName" -}}
|
||||
{{- if .Values.existingConfigmap -}}
|
||||
{{- printf "%s" (tpl .Values.existingConfigmap $) -}}
|
||||
{{- else -}}
|
||||
{{- printf "%s-configuration" (include "keycloak.fullname" .) -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Return true if a configmap object should be created
|
||||
*/}}
|
||||
{{- define "keycloak.createConfigmap" -}}
|
||||
{{- if and .Values.configuration (not .Values.existingConfigmap) }}
|
||||
{{- true -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Return the Database hostname
|
||||
*/}}
|
||||
{{- define "keycloak.databaseHost" -}}
|
||||
{{- ternary (include "keycloak.postgresql.fullname" .) .Values.externalDatabase.host .Values.postgresql.enabled -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Return the Database port
|
||||
*/}}
|
||||
{{- define "keycloak.databasePort" -}}
|
||||
{{- ternary "5432" .Values.externalDatabase.port .Values.postgresql.enabled | quote -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Return the Database database name
|
||||
*/}}
|
||||
{{- define "keycloak.databaseName" -}}
|
||||
{{- if .Values.postgresql.enabled }}
|
||||
{{- if .Values.global.postgresql }}
|
||||
{{- if .Values.global.postgresql.auth }}
|
||||
{{- coalesce .Values.global.postgresql.auth.database .Values.postgresql.auth.database -}}
|
||||
{{- else -}}
|
||||
{{- .Values.postgresql.auth.database -}}
|
||||
{{- end -}}
|
||||
{{- else -}}
|
||||
{{- .Values.postgresql.auth.database -}}
|
||||
{{- end -}}
|
||||
{{- else -}}
|
||||
{{- .Values.externalDatabase.database -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Return the Database user
|
||||
*/}}
|
||||
{{- define "keycloak.databaseUser" -}}
|
||||
{{- if .Values.postgresql.enabled }}
|
||||
{{- if .Values.global.postgresql }}
|
||||
{{- if .Values.global.postgresql.auth }}
|
||||
{{- coalesce .Values.global.postgresql.auth.username .Values.postgresql.auth.username -}}
|
||||
{{- else -}}
|
||||
{{- .Values.postgresql.auth.username -}}
|
||||
{{- end -}}
|
||||
{{- else -}}
|
||||
{{- .Values.postgresql.auth.username -}}
|
||||
{{- end -}}
|
||||
{{- else -}}
|
||||
{{- .Values.externalDatabase.user -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Return the Database encrypted password
|
||||
*/}}
|
||||
{{- define "keycloak.databaseSecretName" -}}
|
||||
{{- if .Values.postgresql.enabled }}
|
||||
{{- if .Values.global.postgresql }}
|
||||
{{- if .Values.global.postgresql.auth }}
|
||||
{{- if .Values.global.postgresql.auth.existingSecret }}
|
||||
{{- tpl .Values.global.postgresql.auth.existingSecret $ -}}
|
||||
{{- else -}}
|
||||
{{- default (include "keycloak.postgresql.fullname" .) (tpl .Values.postgresql.auth.existingSecret $) -}}
|
||||
{{- end -}}
|
||||
{{- else -}}
|
||||
{{- default (include "keycloak.postgresql.fullname" .) (tpl .Values.postgresql.auth.existingSecret $) -}}
|
||||
{{- end -}}
|
||||
{{- else -}}
|
||||
{{- default (include "keycloak.postgresql.fullname" .) (tpl .Values.postgresql.auth.existingSecret $) -}}
|
||||
{{- end -}}
|
||||
{{- else -}}
|
||||
{{- default (include "common.secrets.name" (dict "existingSecret" .Values.auth.existingSecret "context" $)) (tpl .Values.externalDatabase.existingSecret $) -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Add environment variables to configure database values
|
||||
*/}}
|
||||
{{- define "keycloak.databaseSecretKey" -}}
|
||||
{{- if .Values.postgresql.enabled -}}
|
||||
{{- print "password" -}}
|
||||
{{- else -}}
|
||||
{{- if .Values.externalDatabase.existingSecret -}}
|
||||
{{- if .Values.externalDatabase.existingSecretPasswordKey -}}
|
||||
{{- printf "%s" .Values.externalDatabase.existingSecretPasswordKey -}}
|
||||
{{- else -}}
|
||||
{{- print "password" -}}
|
||||
{{- end -}}
|
||||
{{- else -}}
|
||||
{{- print "password" -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Return the Keycloak initdb scripts configmap
|
||||
*/}}
|
||||
{{- define "keycloak.initdbScriptsCM" -}}
|
||||
{{- if .Values.initdbScriptsConfigMap -}}
|
||||
{{- printf "%s" .Values.initdbScriptsConfigMap -}}
|
||||
{{- else -}}
|
||||
{{- printf "%s-init-scripts" (include "keycloak.fullname" .) -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Return the secret containing AppName TLS certificates
|
||||
*/}}
|
||||
{{- define "keycloak.tlsSecretName" -}}
|
||||
{{- $secretName := coalesce .Values.auth.tls.existingSecret .Values.auth.tls.jksSecret -}}
|
||||
{{- if $secretName -}}
|
||||
{{- printf "%s" (tpl $secretName $) -}}
|
||||
{{- else -}}
|
||||
{{- printf "%s-crt" (include "common.names.fullname" .) -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Return true if a TLS secret object should be created
|
||||
*/}}
|
||||
{{- define "keycloak.createTlsSecret" -}}
|
||||
{{- if and .Values.auth.tls.enabled .Values.auth.tls.autoGenerated (not .Values.auth.tls.existingSecret) (not .Values.auth.tls.jksSecret) }}
|
||||
{{- true -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Compile all warnings into a single message.
|
||||
*/}}
|
||||
{{- define "keycloak.validateValues" -}}
|
||||
{{- $messages := list -}}
|
||||
{{- $messages := append $messages (include "keycloak.validateValues.replicaCount" .) -}}
|
||||
{{- $messages := append $messages (include "keycloak.validateValues.database" .) -}}
|
||||
{{- $messages := append $messages (include "keycloak.validateValues.auth.tls" .) -}}
|
||||
{{- $messages := without $messages "" -}}
|
||||
{{- $message := join "\n" $messages -}}
|
||||
|
||||
{{- if $message -}}
|
||||
{{- printf "\nVALUES VALIDATION:\n%s" $message | fail -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/* Validate values of Keycloak - number of replicas */}}
|
||||
{{- define "keycloak.validateValues.replicaCount" -}}
|
||||
{{- $replicaCount := int .Values.replicaCount }}
|
||||
{{- if and (not .Values.serviceDiscovery.enabled) (gt $replicaCount 1) -}}
|
||||
keycloak: replicaCount
|
||||
You need to configure the ServiceDiscovery settings to run more than 1 replica.
|
||||
Enable the Service Discovery (--set serviceDiscovery.enabled=true) and
|
||||
set the Service Discovery protocol (--set serviceDiscovery.protocol="FOO") and
|
||||
the Service Discovery properties (--set serviceDiscovery.properties[0]="BAR") if needed.
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/* Validate values of Keycloak - database */}}
|
||||
{{- define "keycloak.validateValues.database" -}}
|
||||
{{- if and (not .Values.postgresql.enabled) (not .Values.externalDatabase.host) (not .Values.externalDatabase.existingSecret) -}}
|
||||
keycloak: database
|
||||
You disabled the PostgreSQL sub-chart but did not specify an external PostgreSQL host.
|
||||
Either deploy the PostgreSQL sub-chart (--set postgresql.enabled=true),
|
||||
or set a value for the external database host (--set externalDatabase.host=FOO)
|
||||
or set a value for the external database existing secret (--set externalDatabase.existingSecret=BAR).
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/* Validate values of Keycloak - Auth TLS enabled */}}
|
||||
{{- define "keycloak.validateValues.auth.tls" -}}
|
||||
{{- if and .Values.auth.tls.enabled (not .Values.auth.tls.autoGenerated) (not .Values.auth.tls.existingSecret) (not .Values.auth.tls.jksSecret) }}
|
||||
keycloak: auth.tls.enabled
|
||||
In order to enable TLS, you also need to provide
|
||||
an existing secret containing the Keystore and Truststore or
|
||||
enable auto-generated certificates.
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
@@ -0,0 +1,37 @@
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: {{ printf "%s-env-vars" (include "keycloak.fullname" .) }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels: {{- include "common.labels.standard" . | nindent 4 }}
|
||||
app.kubernetes.io/component: keycloak
|
||||
{{- if .Values.commonLabels }}
|
||||
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- if .Values.commonAnnotations }}
|
||||
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
data:
|
||||
KEYCLOAK_CREATE_ADMIN_USER: {{ ternary "true" "false" .Values.auth.createAdminUser | quote }}
|
||||
KEYCLOAK_ADMIN_USER: {{ .Values.auth.adminUser | quote }}
|
||||
KEYCLOAK_MANAGEMENT_USER: {{ .Values.auth.managementUser | quote }}
|
||||
KEYCLOAK_HTTP_PORT: {{ .Values.containerPorts.http | quote }}
|
||||
KEYCLOAK_PROXY_ADDRESS_FORWARDING: {{ ternary "true" "false" .Values.proxyAddressForwarding | quote }}
|
||||
KEYCLOAK_ENABLE_STATISTICS: {{ ternary "true" "false" .Values.metrics.enabled | quote }}
|
||||
KEYCLOAK_DATABASE_HOST: {{ include "keycloak.databaseHost" . | quote }}
|
||||
KEYCLOAK_DATABASE_PORT: {{ include "keycloak.databasePort" . }}
|
||||
KEYCLOAK_DATABASE_NAME: {{ include "keycloak.databaseName" . | quote }}
|
||||
KEYCLOAK_DATABASE_USER: {{ include "keycloak.databaseUser" . | quote }}
|
||||
{{- if .Values.serviceDiscovery.enabled }}
|
||||
KEYCLOAK_JGROUPS_DISCOVERY_PROTOCOL: {{ .Values.serviceDiscovery.protocol | quote }}
|
||||
KEYCLOAK_JGROUPS_DISCOVERY_PROPERTIES: {{ (tpl (join "," .Values.serviceDiscovery.properties) $) | quote }}
|
||||
KEYCLOAK_JGROUPS_TRANSPORT_STACK: {{ .Values.serviceDiscovery.transportStack | quote }}
|
||||
{{- end }}
|
||||
KEYCLOAK_CACHE_OWNERS_COUNT: {{ .Values.cache.ownersCount | quote }}
|
||||
KEYCLOAK_AUTH_CACHE_OWNERS_COUNT: {{ .Values.cache.authOwnersCount | quote }}
|
||||
KEYCLOAK_ENABLE_TLS: {{ ternary "true" "false" .Values.auth.tls.enabled | quote }}
|
||||
{{- if .Values.auth.tls.enabled }}
|
||||
KEYCLOAK_HTTPS_PORT: {{ .Values.containerPorts.https | quote }}
|
||||
KEYCLOAK_TLS_KEYSTORE_FILE: "/opt/bitnami/keycloak/certs/keycloak.keystore.jks"
|
||||
KEYCLOAK_TLS_TRUSTSTORE_FILE: "/opt/bitnami/keycloak/certs/keycloak.truststore.jks"
|
||||
{{- end }}
|
||||
@@ -0,0 +1,18 @@
|
||||
{{- if (include "keycloak.createConfigmap" .) }}
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: {{ printf "%s-configuration" (include "keycloak.fullname" .) }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels: {{- include "common.labels.standard" . | nindent 4 }}
|
||||
app.kubernetes.io/component: keycloak
|
||||
{{- if .Values.commonLabels }}
|
||||
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- if .Values.commonAnnotations }}
|
||||
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
data:
|
||||
standalone-ha.xml: |-
|
||||
{{- .Values.configuration | nindent 4 }}
|
||||
{{- end }}
|
||||
@@ -0,0 +1,4 @@
|
||||
{{- range .Values.extraDeploy }}
|
||||
---
|
||||
{{ include "common.tplvalues.render" (dict "value" . "context" $) }}
|
||||
{{- end }}
|
||||
@@ -0,0 +1,30 @@
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: {{ printf "%s-headless" (include "keycloak.fullname" .) | trunc 63 | trimSuffix "-" }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels: {{- include "common.labels.standard" . | nindent 4 }}
|
||||
app.kubernetes.io/component: keycloak
|
||||
{{- if .Values.commonLabels }}
|
||||
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- if .Values.commonAnnotations }}
|
||||
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
type: ClusterIP
|
||||
clusterIP: None
|
||||
ports:
|
||||
- name: http
|
||||
port: {{ coalesce .Values.service.ports.http .Values.service.port }}
|
||||
protocol: TCP
|
||||
targetPort: http
|
||||
{{- if .Values.auth.tls.enabled }}
|
||||
- name: https
|
||||
port: {{ coalesce .Values.service.ports.https .Values.service.httpsPort }}
|
||||
protocol: TCP
|
||||
targetPort: https
|
||||
{{- end }}
|
||||
publishNotReadyAddresses: true
|
||||
selector: {{- include "common.labels.matchLabels" . | nindent 4 }}
|
||||
app.kubernetes.io/component: keycloak
|
||||
@@ -0,0 +1,35 @@
|
||||
{{- if .Values.autoscaling.enabled }}
|
||||
apiVersion: autoscaling/v2beta1
|
||||
kind: HorizontalPodAutoscaler
|
||||
metadata:
|
||||
name: {{ template "keycloak.fullname" . }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels: {{- include "common.labels.standard" . | nindent 4 }}
|
||||
app.kubernetes.io/component: keycloak
|
||||
{{- if .Values.commonLabels }}
|
||||
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- if .Values.commonAnnotations }}
|
||||
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
scaleTargetRef:
|
||||
apiVersion: {{ include "common.capabilities.statefulset.apiVersion" . }}
|
||||
kind: StatefulSet
|
||||
name: {{ template "keycloak.fullname" . }}
|
||||
minReplicas: {{ .Values.autoscaling.minReplicas }}
|
||||
maxReplicas: {{ .Values.autoscaling.maxReplicas }}
|
||||
metrics:
|
||||
{{- if .Values.autoscaling.targetCPU }}
|
||||
- type: Resource
|
||||
resource:
|
||||
name: cpu
|
||||
targetAverageUtilization: {{ .Values.autoscaling.targetCPU }}
|
||||
{{- end }}
|
||||
{{- if .Values.autoscaling.targetMemory }}
|
||||
- type: Resource
|
||||
resource:
|
||||
name: memory
|
||||
targetAverageUtilization: {{ .Values.autoscaling.targetMemory }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
@@ -0,0 +1,58 @@
|
||||
{{- if .Values.ingress.enabled }}
|
||||
apiVersion: {{ include "common.capabilities.ingress.apiVersion" . }}
|
||||
kind: Ingress
|
||||
metadata:
|
||||
name: {{ include "keycloak.fullname" . }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels: {{- include "common.labels.standard" . | nindent 4 }}
|
||||
app.kubernetes.io/component: keycloak
|
||||
{{- if .Values.commonLabels }}
|
||||
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
annotations:
|
||||
{{- if .Values.commonAnnotations }}
|
||||
{{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- if .Values.ingress.annotations }}
|
||||
{{- include "common.tplvalues.render" (dict "value" .Values.ingress.annotations "context" $) | nindent 4 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
{{- if and .Values.ingress.ingressClassName (eq "true" (include "common.ingress.supportsIngressClassname" .)) }}
|
||||
ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
|
||||
{{- end }}
|
||||
rules:
|
||||
{{- if .Values.ingress.hostname }}
|
||||
- host: {{ .Values.ingress.hostname | quote }}
|
||||
http:
|
||||
paths:
|
||||
{{- if .Values.ingress.extraPaths }}
|
||||
{{- toYaml .Values.ingress.extraPaths | nindent 10 }}
|
||||
{{- end }}
|
||||
- path: {{ .Values.ingress.path }}
|
||||
{{- if eq "true" (include "common.ingress.supportsPathType" .) }}
|
||||
pathType: {{ .Values.ingress.pathType }}
|
||||
{{- end }}
|
||||
backend: {{- include "common.ingress.backend" (dict "serviceName" (include "keycloak.fullname" .) "servicePort" .Values.ingress.servicePort "context" $) | nindent 14 }}
|
||||
{{- end }}
|
||||
{{- range .Values.ingress.extraHosts }}
|
||||
- host: {{ .name }}
|
||||
http:
|
||||
paths:
|
||||
- path: {{ default "/" .path }}
|
||||
{{- if eq "true" (include "common.ingress.supportsPathType" $) }}
|
||||
pathType: {{ default "ImplementationSpecific" .pathType }}
|
||||
{{- end }}
|
||||
backend: {{- include "common.ingress.backend" (dict "serviceName" (include "keycloak.fullname" $) "servicePort" $.Values.ingress.servicePort "context" $) | nindent 14 }}
|
||||
{{- end }}
|
||||
{{- if or (and .Values.ingress.tls (or (include "common.ingress.certManagerRequest" ( dict "annotations" .Values.ingress.annotations )) .Values.ingress.selfSigned)) .Values.ingress.extraTls }}
|
||||
tls:
|
||||
{{- if and .Values.ingress.tls (or (include "common.ingress.certManagerRequest" ( dict "annotations" .Values.ingress.annotations )) .Values.ingress.selfSigned) }}
|
||||
- hosts:
|
||||
- {{ .Values.ingress.hostname | quote }}
|
||||
secretName: {{ printf "%s-tls" .Values.ingress.hostname }}
|
||||
{{- end }}
|
||||
{{- if .Values.ingress.extraTls }}
|
||||
{{- include "common.tplvalues.render" (dict "value" .Values.ingress.extraTls "context" $) | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
@@ -0,0 +1,17 @@
|
||||
{{- if and .Values.initdbScripts (not .Values.initdbScriptsConfigMap) }}
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: {{ printf "%s-init-scripts" (include "keycloak.fullname" .) }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels: {{- include "common.labels.standard" . | nindent 4 }}
|
||||
app.kubernetes.io/component: keycloak
|
||||
{{- if .Values.commonLabels }}
|
||||
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- if .Values.commonAnnotations }}
|
||||
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
data:
|
||||
{{- include "common.tplvalues.render" (dict "value" .Values.initdbScripts "context" .) | nindent 2 }}
|
||||
{{ end }}
|
||||
@@ -0,0 +1,21 @@
|
||||
{{- if (include "keycloak.keycloakConfigCli.createConfigmap" .) }}
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: {{ include "keycloak.keycloakConfigCli.configmapName" . }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels: {{- include "common.labels.standard" . | nindent 4 }}
|
||||
app.kubernetes.io/component: keycloak-config-cli
|
||||
{{- if .Values.commonLabels }}
|
||||
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
data:
|
||||
{{- range $fileName, $fileContent := .Values.keycloakConfigCli.configuration }}
|
||||
{{- if $fileContent }}
|
||||
{{ $fileName }}: |
|
||||
{{- include "common.tplvalues.render" (dict "value" $fileContent "context" $) | nindent 4 }}
|
||||
{{- else }}
|
||||
{{- ($.Files.Glob $fileName).AsConfig | nindent 2 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
@@ -0,0 +1,120 @@
|
||||
{{- if .Values.keycloakConfigCli.enabled }}
|
||||
apiVersion: batch/v1
|
||||
kind: Job
|
||||
metadata:
|
||||
name: {{ template "keycloak.fullname" . }}-keycloak-config-cli
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels: {{- include "common.labels.standard" . | nindent 4 }}
|
||||
app.kubernetes.io/component: keycloak-config-cli
|
||||
{{- if .Values.commonLabels }}
|
||||
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
annotations:
|
||||
{{- include "common.tplvalues.render" ( dict "value" .Values.keycloakConfigCli.annotations "context" $ ) | nindent 4 }}
|
||||
{{- if .Values.commonAnnotations }}
|
||||
{{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
backoffLimit: {{ .Values.keycloakConfigCli.backoffLimit }}
|
||||
template:
|
||||
metadata:
|
||||
labels: {{- include "common.labels.standard" . | nindent 8 }}
|
||||
app.kubernetes.io/component: keycloak-config-cli
|
||||
{{- if .Values.keycloakConfigCli.podLabels }}
|
||||
{{- include "common.tplvalues.render" (dict "value" .Values.keycloakConfigCli.podLabels "context" $) | nindent 8 }}
|
||||
{{- end }}
|
||||
annotations:
|
||||
{{- if (include "keycloak.keycloakConfigCli.createConfigmap" .) }}
|
||||
checksum/configuration: {{ include (print $.Template.BasePath "/keycloak-config-cli-configmap.yaml") . | sha256sum }}
|
||||
{{- end }}
|
||||
{{- if .Values.keycloakConfigCli.podAnnotations }}
|
||||
{{- include "common.tplvalues.render" (dict "value" .Values.keycloakConfigCli.podAnnotations "context" $) | nindent 8 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
serviceAccountName: {{ template "keycloak.serviceAccountName" . }}
|
||||
{{- include "keycloak.imagePullSecrets" . | nindent 6 }}
|
||||
restartPolicy: Never
|
||||
{{- if .Values.keycloakConfigCli.podSecurityContext.enabled }}
|
||||
securityContext: {{- omit .Values.keycloakConfigCli.podSecurityContext "enabled" | toYaml | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- if .Values.keycloakConfigCli.hostAliases }}
|
||||
hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.keycloakConfigCli.hostAliases "context" $) | nindent 8 }}
|
||||
{{- end }}
|
||||
containers:
|
||||
- name: keycloak-config-cli
|
||||
image: {{ template "keycloak.keycloakConfigCli.image" . }}
|
||||
imagePullPolicy: {{ .Values.keycloakConfigCli.image.pullPolicy }}
|
||||
{{- if .Values.keycloakConfigCli.command }}
|
||||
command: {{- include "common.tplvalues.render" (dict "value" .Values.keycloakConfigCli.command "context" $) | nindent 12 }}
|
||||
{{- else }}
|
||||
command:
|
||||
- java
|
||||
- -jar
|
||||
- {{ printf "/opt/bitnami/keycloak-config-cli/keycloak-config-cli-%s.jar" .Chart.AppVersion }}
|
||||
{{- end }}
|
||||
{{- if .Values.keycloakConfigCli.args }}
|
||||
args: {{- include "common.tplvalues.render" (dict "value" .Values.keycloakConfigCli.args "context" $) | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- if .Values.keycloakConfigCli.containerSecurityContext.enabled }}
|
||||
securityContext: {{- omit .Values.keycloakConfigCli.containerSecurityContext "enabled" | toYaml | nindent 12 }}
|
||||
{{- end }}
|
||||
env:
|
||||
- name: KEYCLOAK_URL
|
||||
value: {{ printf "http://%s-headless:%d/auth" (include "keycloak.fullname" .) (.Values.containerPorts.http | int) }}
|
||||
- name: KEYCLOAK_USER
|
||||
value: {{ .Values.auth.adminUser | quote }}
|
||||
- name: KEYCLOAK_PASSWORD
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
{{- if .Values.auth.existingSecretPerPassword }}
|
||||
name: {{ include "common.secrets.name" (dict "existingSecret" .Values.auth.existingSecretPerPassword.adminPassword "context" $) }}
|
||||
key: {{ include "common.secrets.key" (dict "existingSecret" .Values.auth.existingSecretPerPassword "key" "adminPassword") }}
|
||||
{{- else }}
|
||||
name: {{ include "common.secrets.name" (dict "existingSecret" .Values.auth.existingSecret "context" $) }}
|
||||
key: {{ include "common.secrets.key" (dict "existingSecret" .Values.auth.existingSecret "key" "admin-password") }}
|
||||
{{- end }}
|
||||
{{- if or .Values.keycloakConfigCli.configuration .Values.keycloakConfigCli.existingConfigmap }}
|
||||
- name: IMPORT_PATH
|
||||
value: /config/
|
||||
{{- end }}
|
||||
- name: KEYCLOAK_AVAILABILITYCHECK_ENABLED
|
||||
value: "true"
|
||||
{{- if .Values.keycloakConfigCli.extraEnvVars }}
|
||||
{{- include "common.tplvalues.render" (dict "value" .Values.keycloakConfigCli.extraEnvVars "context" $) | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- if or .Values.keycloakConfigCli.extraEnvVarsCM .Values.keycloakConfigCli.extraEnvVarsSecret }}
|
||||
envFrom:
|
||||
{{- if .Values.keycloakConfigCli.extraEnvVarsCM }}
|
||||
- configMapRef:
|
||||
name: {{ .Values.keycloakConfigCli.extraEnvVarsCM }}
|
||||
{{- end }}
|
||||
{{- if .Values.keycloakConfigCli.extraEnvVarsSecret }}
|
||||
- secretRef:
|
||||
name: {{ .Values.keycloakConfigCli.extraEnvVarsSecret }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if or .Values.keycloakConfigCli.configuration .Values.keycloakConfigCli.existingConfigmap .Values.keycloakConfigCli.extraVolumeMounts }}
|
||||
volumeMounts:
|
||||
{{- if or .Values.keycloakConfigCli.configuration .Values.keycloakConfigCli.existingConfigmap }}
|
||||
- name: config-volume
|
||||
mountPath: /config
|
||||
{{- end }}
|
||||
{{- if .Values.keycloakConfigCli.extraVolumeMounts }}
|
||||
{{- include "common.tplvalues.render" (dict "value" .Values.keycloakConfigCli.extraVolumeMounts "context" $) | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if .Values.keycloakConfigCli.resources }}
|
||||
resources: {{- toYaml .Values.keycloakConfigCli.resources | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- if or .Values.keycloakConfigCli.configuration .Values.keycloakConfigCli.existingConfigmap .Values.keycloakConfigCli.extraVolumes }}
|
||||
volumes:
|
||||
{{- if or .Values.keycloakConfigCli.configuration .Values.keycloakConfigCli.existingConfigmap }}
|
||||
- name: config-volume
|
||||
configMap:
|
||||
name: {{ include "keycloak.keycloakConfigCli.configmapName" . }}
|
||||
{{- end }}
|
||||
{{- if .Values.keycloakConfigCli.extraVolumes }}
|
||||
{{- include "common.tplvalues.render" (dict "value" .Values.keycloakConfigCli.extraVolumes "context" $) | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
@@ -0,0 +1,30 @@
|
||||
{{- if .Values.metrics.enabled }}
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: {{ printf "%s-metrics" (include "keycloak.fullname" .) }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels: {{- include "common.labels.standard" . | nindent 4 }}
|
||||
app.kubernetes.io/component: metrics
|
||||
{{- if .Values.commonLabels }}
|
||||
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- if or .Values.metrics.service.annotations .Values.commonAnnotations }}
|
||||
annotations:
|
||||
{{- if .Values.metrics.service.annotations }}
|
||||
{{- include "common.tplvalues.render" ( dict "value" .Values.metrics.service.annotations "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- if .Values.commonAnnotations }}
|
||||
{{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
spec:
|
||||
type: ClusterIP
|
||||
ports:
|
||||
- name: http-management
|
||||
port: {{ coalesce .Values.metrics.service.ports.http .Values.metrics.service.port }}
|
||||
protocol: TCP
|
||||
targetPort: http-management
|
||||
selector: {{- include "common.labels.matchLabels" . | nindent 4 }}
|
||||
app.kubernetes.io/component: keycloak
|
||||
{{- end }}
|
||||
@@ -0,0 +1,39 @@
|
||||
{{- if .Values.networkPolicy.enabled }}
|
||||
kind: NetworkPolicy
|
||||
apiVersion: networking.k8s.io/v1
|
||||
metadata:
|
||||
name: {{ template "keycloak.fullname" . }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels: {{- include "common.labels.standard" . | nindent 4 }}
|
||||
app.kubernetes.io/component: keycloak
|
||||
{{- if .Values.commonLabels }}
|
||||
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- if .Values.commonAnnotations }}
|
||||
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
podSelector:
|
||||
matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }}
|
||||
ingress:
|
||||
- ports:
|
||||
- port: {{ .Values.containerPorts.http }}
|
||||
{{- if .Values.auth.tls.enabled }}
|
||||
- port: {{ .Values.containerPorts.https }}
|
||||
{{- end }}
|
||||
{{- if .Values.metrics.enabled }}
|
||||
- port: {{ .Values.containerPorts.management }}
|
||||
{{- end }}
|
||||
{{- if not .Values.networkPolicy.allowExternal }}
|
||||
from:
|
||||
- podSelector:
|
||||
matchLabels:
|
||||
{{ template "keycloak.fullname" . }}-client: "true"
|
||||
- podSelector:
|
||||
matchLabels: {{- include "common.labels.matchLabels" . | nindent 14 }}
|
||||
app.kubernetes.io/component: keycloak
|
||||
{{- if .Values.networkPolicy.additionalRules }}
|
||||
{{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.additionalRules "context" $) | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
@@ -0,0 +1,25 @@
|
||||
{{- if .Values.pdb.create }}
|
||||
apiVersion: {{ include "common.capabilities.policy.apiVersion" . }}
|
||||
kind: PodDisruptionBudget
|
||||
metadata:
|
||||
name: {{ template "keycloak.fullname" . }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels: {{- include "common.labels.standard" . | nindent 4 }}
|
||||
app.kubernetes.io/component: keycloak
|
||||
{{- if .Values.commonLabels }}
|
||||
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- if .Values.commonAnnotations }}
|
||||
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
{{- if .Values.pdb.minAvailable }}
|
||||
minAvailable: {{ .Values.pdb.minAvailable }}
|
||||
{{- end }}
|
||||
{{- if .Values.pdb.maxUnavailable }}
|
||||
maxUnavailable: {{ .Values.pdb.maxUnavailable }}
|
||||
{{- end }}
|
||||
selector:
|
||||
matchLabels: {{ include "common.labels.matchLabels" . | nindent 6 }}
|
||||
app.kubernetes.io/component: keycloak
|
||||
{{- end }}
|
||||
@@ -0,0 +1,26 @@
|
||||
{{- if and .Values.serviceAccount.create .Values.rbac.create }}
|
||||
kind: Role
|
||||
apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }}
|
||||
metadata:
|
||||
name: {{ template "keycloak.fullname" . }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels: {{- include "common.labels.standard" . | nindent 4 }}
|
||||
app.kubernetes.io/component: keycloak
|
||||
{{- if .Values.commonLabels }}
|
||||
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- if .Values.commonAnnotations }}
|
||||
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
rules:
|
||||
{{- if .Values.rbac.rules }}
|
||||
{{- include "common.tplvalues.render" ( dict "value" .Values.rbac.rules "context" $ ) | nindent 2 }}
|
||||
{{- end }}
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
- pods
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
{{- end }}
|
||||
@@ -0,0 +1,23 @@
|
||||
{{- if and .Values.serviceAccount.create .Values.rbac.create }}
|
||||
kind: RoleBinding
|
||||
apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }}
|
||||
metadata:
|
||||
name: {{ template "keycloak.fullname" . }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels: {{- include "common.labels.standard" . | nindent 4 }}
|
||||
app.kubernetes.io/component: keycloak
|
||||
{{- if .Values.commonLabels }}
|
||||
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- if .Values.commonAnnotations }}
|
||||
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: Role
|
||||
name: {{ template "keycloak.fullname" . }}
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: {{ template "keycloak.serviceAccountName" . }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
{{- end }}
|
||||
@@ -0,0 +1,31 @@
|
||||
{{- if and (not .Values.auth.existingSecret) (not .Values.auth.existingSecretPerPassword) }}
|
||||
{{- $secretName := include "common.secrets.name" (dict "existingSecret" .Values.auth.existingSecret "context" $)}}
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: {{ $secretName }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels: {{- include "common.labels.standard" . | nindent 4 }}
|
||||
app.kubernetes.io/component: keycloak
|
||||
{{- if .Values.commonLabels }}
|
||||
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- if .Values.commonAnnotations }}
|
||||
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
type: Opaque
|
||||
data:
|
||||
admin-password: {{ include "common.secrets.passwords.manage" (dict "secret" $secretName "key" "admin-password" "length" 10 "providedValues" (list "auth.adminPassword") "context" $) }}
|
||||
management-password: {{ include "common.secrets.passwords.manage" (dict "secret" $secretName "key" "management-password" "providedValues" (list "auth.managementPassword") "context" $) }}
|
||||
{{- if and (not .Values.postgresql.enabled) (not .Values.externalDatabase.existingSecret) }}
|
||||
password: {{ include "common.secrets.passwords.manage" (dict "secret" $secretName "key" "password" "length" 10 "providedValues" (list "externalDatabase.password") "context" $) }}
|
||||
{{- end }}
|
||||
{{- if .Values.auth.tls.enabled }}
|
||||
{{- if or .Values.auth.tls.keystorePassword .Values.auth.tls.autoGenerated .Values.auth.tls.usePem }}
|
||||
tls-keystore-password: {{ include "common.secrets.passwords.manage" (dict "secret" $secretName "key" "tls-keystore-password" "length" 10 "providedValues" (list "auth.tls.keystorePassword") "context" $) }}
|
||||
{{- end }}
|
||||
{{- if or .Values.auth.tls.truststorePassword .Values.auth.tls.autoGenerated .Values.auth.tls.usePem }}
|
||||
tls-truestore-password: {{ include "common.secrets.passwords.manage" (dict "secret" $secretName "key" "tls-truestore-password" "length" 10 "providedValues" (list "auth.tls.truststorePassword") "context" $) }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
@@ -0,0 +1,59 @@
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: {{ template "keycloak.fullname" . }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels: {{- include "common.labels.standard" . | nindent 4 }}
|
||||
app.kubernetes.io/component: keycloak
|
||||
{{- if .Values.commonLabels }}
|
||||
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- if or .Values.service.annotations .Values.commonAnnotations }}
|
||||
annotations:
|
||||
{{- if .Values.service.annotations }}
|
||||
{{- include "common.tplvalues.render" ( dict "value" .Values.service.annotations "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- if .Values.commonAnnotations }}
|
||||
{{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
spec:
|
||||
type: {{ .Values.service.type }}
|
||||
sessionAffinity: {{ .Values.service.sessionAffinity }}
|
||||
{{- if and .Values.service.clusterIP (eq .Values.service.type "ClusterIP") }}
|
||||
clusterIP: {{ .Values.service.clusterIP }}
|
||||
{{- end }}
|
||||
{{- if (or (eq .Values.service.type "LoadBalancer") (eq .Values.service.type "NodePort")) }}
|
||||
externalTrafficPolicy: {{ .Values.service.externalTrafficPolicy | quote }}
|
||||
{{- end }}
|
||||
{{- if eq .Values.service.type "LoadBalancer" }}
|
||||
loadBalancerSourceRanges:
|
||||
{{ toYaml .Values.service.loadBalancerSourceRanges | nindent 4 }}
|
||||
{{- if not (empty .Values.service.loadBalancerIP) }}
|
||||
loadBalancerIP: {{ .Values.service.loadBalancerIP }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
ports:
|
||||
- name: http
|
||||
port: {{ coalesce .Values.service.ports.http .Values.service.port }}
|
||||
protocol: TCP
|
||||
targetPort: http
|
||||
{{- if (and (or (eq .Values.service.type "NodePort") (eq .Values.service.type "LoadBalancer")) (not (empty .Values.service.nodePorts.http))) }}
|
||||
nodePort: {{ .Values.service.nodePorts.http }}
|
||||
{{- else if eq .Values.service.type "ClusterIP" }}
|
||||
nodePort: null
|
||||
{{- end }}
|
||||
- name: https
|
||||
port: {{ coalesce .Values.service.ports.https .Values.service.httpsPort }}
|
||||
protocol: TCP
|
||||
targetPort: https
|
||||
{{- if (and (or (eq .Values.service.type "NodePort") (eq .Values.service.type "LoadBalancer")) (not (empty .Values.service.nodePorts.https))) }}
|
||||
nodePort: {{ .Values.service.nodePorts.https }}
|
||||
{{- else if eq .Values.service.type "ClusterIP" }}
|
||||
nodePort: null
|
||||
{{- end }}
|
||||
{{- if .Values.service.extraPorts }}
|
||||
{{- include "common.tplvalues.render" (dict "value" .Values.service.extraPorts "context" $) | nindent 4 }}
|
||||
{{- end }}
|
||||
selector: {{- include "common.labels.matchLabels" . | nindent 4 }}
|
||||
app.kubernetes.io/component: keycloak
|
||||
@@ -0,0 +1,22 @@
|
||||
{{- if .Values.serviceAccount.create }}
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: {{ template "keycloak.serviceAccountName" . }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels: {{- include "common.labels.standard" . | nindent 4 }}
|
||||
app.kubernetes.io/component: keycloak
|
||||
{{- if .Values.commonLabels }}
|
||||
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- if or .Values.serviceAccount.annotations .Values.commonAnnotations }}
|
||||
annotations:
|
||||
{{- if .Values.commonAnnotations }}
|
||||
{{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- if .Values.serviceAccount.annotations }}
|
||||
{{- include "common.tplvalues.render" (dict "value" .Values.serviceAccount.annotations "context" $) | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}
|
||||
{{- end }}
|
||||
@@ -0,0 +1,48 @@
|
||||
{{- if and .Values.metrics.enabled .Values.metrics.serviceMonitor.enabled }}
|
||||
apiVersion: monitoring.coreos.com/v1
|
||||
kind: ServiceMonitor
|
||||
metadata:
|
||||
name: {{ template "keycloak.fullname" . }}
|
||||
namespace: {{ default .Release.Namespace .Values.metrics.serviceMonitor.namespace }}
|
||||
labels: {{- include "common.labels.standard" . | nindent 4 }}
|
||||
app.kubernetes.io/component: keycloak
|
||||
{{- if .Values.metrics.serviceMonitor.labels }}
|
||||
{{- include "common.tplvalues.render" (dict "value" .Values.metrics.serviceMonitor.labels "context" $) | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- if .Values.commonLabels }}
|
||||
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- if .Values.commonAnnotations }}
|
||||
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
{{- if .Values.metrics.serviceMonitor.jobLabel }}
|
||||
jobLabel: {{ .Values.metrics.serviceMonitor.jobLabel }}
|
||||
{{- end }}
|
||||
endpoints:
|
||||
- port: http-management
|
||||
{{- if .Values.metrics.serviceMonitor.interval }}
|
||||
interval: {{ .Values.metrics.serviceMonitor.interval }}
|
||||
{{- end }}
|
||||
{{- if .Values.metrics.serviceMonitor.scrapeTimeout }}
|
||||
scrapeTimeout: {{ .Values.metrics.serviceMonitor.scrapeTimeout }}
|
||||
{{- end }}
|
||||
{{- if .Values.metrics.serviceMonitor.relabelings }}
|
||||
relabelings: {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.serviceMonitor.relabelings "context" $) | nindent 6 }}
|
||||
{{- end }}
|
||||
{{- if .Values.metrics.serviceMonitor.metricRelabelings }}
|
||||
metricRelabelings: {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.serviceMonitor.metricRelabelings "context" $) | nindent 6 }}
|
||||
{{- end }}
|
||||
{{- if .Values.metrics.serviceMonitor.honorLabels }}
|
||||
honorLabels: {{ .Values.metrics.serviceMonitor.honorLabels }}
|
||||
{{- end }}
|
||||
namespaceSelector:
|
||||
matchNames:
|
||||
- {{ .Release.Namespace }}
|
||||
selector:
|
||||
matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }}
|
||||
{{- if .Values.metrics.serviceMonitor.selector }}
|
||||
{{- include "common.tplvalues.render" (dict "value" .Values.metrics.serviceMonitor.selector "context" $) | nindent 6 }}
|
||||
{{- end }}
|
||||
app.kubernetes.io/component: metrics
|
||||
{{- end }}
|
||||
@@ -0,0 +1,361 @@
|
||||
{{- $globalSecretName := printf "%s" (tpl (include "common.secrets.name" (dict "existingSecret" .Values.auth.existingSecret "context" $)) $) }}
|
||||
apiVersion: {{ include "common.capabilities.statefulset.apiVersion" . }}
|
||||
kind: StatefulSet
|
||||
metadata:
|
||||
name: {{ template "keycloak.fullname" . }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels: {{- include "common.labels.standard" . | nindent 4 }}
|
||||
app.kubernetes.io/component: keycloak
|
||||
{{- if .Values.commonLabels }}
|
||||
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- if .Values.commonAnnotations }}
|
||||
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
{{- if not .Values.autoscaling.enabled }}
|
||||
replicas: {{ .Values.replicaCount }}
|
||||
{{- end }}
|
||||
podManagementPolicy: {{ .Values.podManagementPolicy }}
|
||||
serviceName: {{ printf "%s-headless" (include "keycloak.fullname" .) | trunc 63 | trimSuffix "-" }}
|
||||
updateStrategy:
|
||||
{{- include "common.tplvalues.render" (dict "value" .Values.updateStrategy "context" $ ) | nindent 4 }}
|
||||
selector:
|
||||
matchLabels: {{ include "common.labels.matchLabels" . | nindent 6 }}
|
||||
app.kubernetes.io/component: keycloak
|
||||
template:
|
||||
metadata:
|
||||
annotations:
|
||||
checksum/configmap-env-vars: {{ include (print $.Template.BasePath "/configmap-env-vars.yaml") . | sha256sum }}
|
||||
{{- if and (not .Values.auth.existingSecret) (not .Values.auth.existingSecretPerPassword) }}
|
||||
checksum/secrets: {{ include (print $.Template.BasePath "/secrets.yaml") . | sha256sum }}
|
||||
{{- end }}
|
||||
{{- if (include "keycloak.createConfigmap" .) }}
|
||||
checksum/configuration: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
|
||||
{{- end }}
|
||||
{{- if .Values.podAnnotations }}
|
||||
{{- include "common.tplvalues.render" (dict "value" .Values.podAnnotations "context" $) | nindent 8 }}
|
||||
{{- end }}
|
||||
labels: {{- include "common.labels.standard" . | nindent 8 }}
|
||||
app.kubernetes.io/component: keycloak
|
||||
{{- if .Values.podLabels }}
|
||||
{{- include "common.tplvalues.render" (dict "value" .Values.podLabels "context" $) | nindent 8 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
serviceAccountName: {{ template "keycloak.serviceAccountName" . }}
|
||||
{{- include "keycloak.imagePullSecrets" . | nindent 6 }}
|
||||
{{- if .Values.hostAliases }}
|
||||
hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.hostAliases "context" $) | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- if .Values.affinity }}
|
||||
affinity: {{- include "common.tplvalues.render" ( dict "value" .Values.affinity "context" $) | nindent 8 }}
|
||||
{{- else }}
|
||||
affinity:
|
||||
podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.podAffinityPreset "context" $) | nindent 10 }}
|
||||
podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.podAntiAffinityPreset "context" $) | nindent 10 }}
|
||||
nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.nodeAffinityPreset.type "key" .Values.nodeAffinityPreset.key "values" .Values.nodeAffinityPreset.values) | nindent 10 }}
|
||||
{{- end }}
|
||||
{{- if .Values.nodeSelector }}
|
||||
nodeSelector: {{- include "common.tplvalues.render" ( dict "value" .Values.nodeSelector "context" $) | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- if .Values.tolerations }}
|
||||
tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.tolerations "context" .) | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- if .Values.topologySpreadConstraints }}
|
||||
topologySpreadConstraints: {{- include "common.tplvalues.render" (dict "value" .Values.topologySpreadConstraints "context" .) | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- if .Values.priorityClassName }}
|
||||
priorityClassName: {{ .Values.priorityClassName | quote }}
|
||||
{{- end }}
|
||||
{{- if .Values.schedulerName }}
|
||||
schedulerName: {{ .Values.schedulerName }}
|
||||
{{- end }}
|
||||
{{- if .Values.podSecurityContext.enabled }}
|
||||
securityContext: {{- omit .Values.podSecurityContext "enabled" | toYaml | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- if .Values.terminationGracePeriodSeconds }}
|
||||
terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }}
|
||||
{{- end }}
|
||||
{{- if or .Values.initContainers .Values.auth.tls.enabled }}
|
||||
initContainers:
|
||||
{{- if .Values.auth.tls.enabled }}
|
||||
{{- $fullname := include "keycloak.fullname" . }}
|
||||
- name: init-certs
|
||||
image: {{ include "keycloak.image" . }}
|
||||
imagePullPolicy: {{ .Values.image.pullPolicy | quote }}
|
||||
{{- if .Values.containerSecurityContext.enabled }}
|
||||
securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }}
|
||||
{{- end }}
|
||||
command:
|
||||
- /bin/bash
|
||||
- -ec
|
||||
- |-
|
||||
ID="${MY_POD_NAME#"{{ $fullname }}-"}"
|
||||
{{- if or .Values.auth.tls.autoGenerated .Values.auth.tls.usePem }}
|
||||
if [[ -f "/certs/keycloak-${ID}.key" ]] && [[ -f "/certs/keycloak-${ID}.crt" ]] && [[ -f "/certs/ca.crt" ]]; then
|
||||
openssl pkcs12 -export -in "/certs/keycloak-${ID}.crt" \
|
||||
-passout pass:"${KEYCLOAK_TLS_KEYSTORE_PASSWORD}" \
|
||||
-inkey "/certs/keycloak-${ID}.key" \
|
||||
-out "/tmp/keystore.p12"
|
||||
keytool -importkeystore -srckeystore "/tmp/keystore.p12" \
|
||||
-srcstoretype PKCS12 \
|
||||
-srcstorepass "${KEYCLOAK_TLS_KEYSTORE_PASSWORD}" \
|
||||
-deststorepass "${KEYCLOAK_TLS_KEYSTORE_PASSWORD}" \
|
||||
-destkeystore "/opt/bitnami/keycloak/certs/keycloak.keystore.jks"
|
||||
rm "/tmp/keystore.p12"
|
||||
keytool -import -file "/certs/ca.crt" \
|
||||
-keystore "/opt/bitnami/keycloak/certs/keycloak.truststore.jks" \
|
||||
-storepass "${KEYCLOAK_TLS_TRUSTSTORE_PASSWORD}" \
|
||||
-noprompt
|
||||
else
|
||||
echo "Couldn't find the expected PEM certificates! They are mandatory when encryption via TLS is enabled."
|
||||
exit 1
|
||||
fi
|
||||
{{- else if and .Values.auth.tls.truststoreFilename .Values.auth.tls.keystoreFilename }}
|
||||
if [[ -f {{ printf "/certs/%s" .Values.auth.tls.truststoreFilename | quote }} ]] && [[ -f {{ printf "/certs/%s" .Values.auth.tls.keystoreFilename | quote }} ]]; then
|
||||
cp {{ printf "/certs/%s" .Values.auth.tls.truststoreFilename | quote }} "/opt/bitnami/keycloak/certs/keycloak.truststore.jks"
|
||||
cp {{ printf "/certs/%s" .Values.auth.tls.keystoreFilename | quote }} "/opt/bitnami/keycloak/certs/keycloak.keystore.jks"
|
||||
else
|
||||
echo "Couldn't find the expected Java Key Stores (JKS) files! They are mandatory when encryption via TLS is enabled."
|
||||
exit 1
|
||||
fi
|
||||
{{- else }}
|
||||
if [[ -f "/certs/keycloak.truststore.jks" ]] && [[ -f "/certs/keycloak-${ID}.keystore.jks" ]]; then
|
||||
cp "/certs/keycloak.truststore.jks" "/opt/bitnami/keycloak/certs/keycloak.truststore.jks"
|
||||
cp "/certs/keycloak-${ID}.keystore.jks" "/opt/bitnami/keycloak/certs/keycloak.keystore.jks"
|
||||
else
|
||||
echo "Couldn't find the expected Java Key Stores (JKS) files! They are mandatory when encryption via TLS is enabled."
|
||||
exit 1
|
||||
fi
|
||||
{{- end }}
|
||||
env:
|
||||
- name: MY_POD_NAME
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
apiVersion: v1
|
||||
fieldPath: metadata.name
|
||||
{{- if or .Values.auth.tls.keystorePassword .Values.auth.existingSecretPerPassword .Values.auth.tls.autoGenerated }}
|
||||
- name: KEYCLOAK_TLS_KEYSTORE_PASSWORD
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
{{- if .Values.auth.existingSecretPerPassword }}
|
||||
name: {{ tpl (include "common.secrets.name" (dict "existingSecret" .Values.auth.existingSecretPerPassword.tlsKeystorePassword "context" $)) $ }}
|
||||
key: {{ include "common.secrets.key" (dict "existingSecret" .Values.auth.existingSecretPerPassword "key" "tlsKeystorePassword") }}
|
||||
{{- else }}
|
||||
name: {{ $globalSecretName }}
|
||||
key: {{ include "common.secrets.key" (dict "existingSecret" .Values.auth.existingSecret "key" "tls-keystore-password") }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if or .Values.auth.tls.truststorePassword .Values.auth.existingSecretPerPassword .Values.auth.tls.autoGenerated }}
|
||||
- name: KEYCLOAK_TLS_TRUSTSTORE_PASSWORD
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
{{- if .Values.auth.existingSecretPerPassword }}
|
||||
name: {{ tpl (include "common.secrets.name" (dict "existingSecret" .Values.auth.existingSecretPerPassword.tlsTruststorePassword "context" $)) $ }}
|
||||
key: {{ include "common.secrets.key" (dict "existingSecret" .Values.auth.existingSecretPerPassword "key" "tlsKeystorePassword") }}
|
||||
{{- else }}
|
||||
name: {{ $globalSecretName }}
|
||||
key: {{ include "common.secrets.key" (dict "existingSecret" .Values.auth.existingSecret "key" "tls-truestore-password") }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if .Values.auth.tls.resources }}
|
||||
resources: {{- toYaml .Values.auth.tls.resources | nindent 12 }}
|
||||
{{- end }}
|
||||
volumeMounts:
|
||||
- name: certificates
|
||||
mountPath: /certs
|
||||
- name: shared-certs
|
||||
mountPath: /opt/bitnami/keycloak/certs
|
||||
{{- end }}
|
||||
{{- if .Values.initContainers }}
|
||||
{{- include "common.tplvalues.render" (dict "value" .Values.initContainers "context" $) | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
containers:
|
||||
- name: keycloak
|
||||
image: {{ template "keycloak.image" . }}
|
||||
imagePullPolicy: {{ .Values.image.pullPolicy }}
|
||||
{{- if .Values.lifecycleHooks }}
|
||||
lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.lifecycleHooks "context" $) | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- if .Values.containerSecurityContext.enabled }}
|
||||
securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- if .Values.diagnosticMode.enabled }}
|
||||
command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }}
|
||||
{{- else if .Values.command }}
|
||||
command: {{- include "common.tplvalues.render" (dict "value" .Values.command "context" $) | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- if .Values.diagnosticMode.enabled }}
|
||||
args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }}
|
||||
{{- else if .Values.args }}
|
||||
args: {{- include "common.tplvalues.render" (dict "value" .Values.args "context" $) | nindent 12 }}
|
||||
{{- end }}
|
||||
env:
|
||||
- name: KUBERNETES_NAMESPACE
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
apiVersion: v1
|
||||
fieldPath: metadata.namespace
|
||||
- name: BITNAMI_DEBUG
|
||||
value: {{ ternary "true" "false" .Values.image.debug | quote }}
|
||||
- name: KEYCLOAK_ADMIN_PASSWORD
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
{{- if .Values.auth.existingSecretPerPassword }}
|
||||
name: {{ tpl (include "common.secrets.name" (dict "existingSecret" .Values.auth.existingSecretPerPassword.adminPassword "context" $)) $ }}
|
||||
key: {{ include "common.secrets.key" (dict "existingSecret" .Values.auth.existingSecretPerPassword "key" "adminPassword") }}
|
||||
{{- else }}
|
||||
name: {{ $globalSecretName }}
|
||||
key: {{ include "common.secrets.key" (dict "existingSecret" .Values.auth.existingSecret "key" "admin-password") }}
|
||||
{{- end }}
|
||||
- name: KEYCLOAK_MANAGEMENT_PASSWORD
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
{{- if .Values.auth.existingSecretPerPassword }}
|
||||
name: {{ tpl (include "common.secrets.name" (dict "existingSecret" .Values.auth.existingSecretPerPassword.managementPassword "context" $)) $ }}
|
||||
key: {{ include "common.secrets.key" (dict "existingSecret" .Values.auth.existingSecretPerPassword "key" "managementPassword") }}
|
||||
{{- else }}
|
||||
name: {{ $globalSecretName }}
|
||||
key: {{ include "common.secrets.key" (dict "existingSecret" .Values.auth.existingSecret "key" "management-password") }}
|
||||
{{- end }}
|
||||
- name: KEYCLOAK_DATABASE_PASSWORD
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
{{- if .Values.auth.existingSecretPerPassword }}
|
||||
name: {{ tpl (include "common.secrets.name" (dict "existingSecret" .Values.auth.existingSecretPerPassword.databasePassword "context" $)) $ }}
|
||||
key: {{ include "common.secrets.key" (dict "existingSecret" .Values.auth.existingSecretPerPassword "key" "databasePassword") }}
|
||||
{{- else }}
|
||||
name: {{ include "keycloak.databaseSecretName" . }}
|
||||
key: {{ include "keycloak.databaseSecretKey" . }}
|
||||
{{- end }}
|
||||
{{- if .Values.auth.tls.enabled }}
|
||||
{{- if or .Values.auth.tls.keystorePassword .Values.auth.existingSecretPerPassword }}
|
||||
- name: KEYCLOAK_TLS_KEYSTORE_PASSWORD
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
{{- if .Values.auth.existingSecretPerPassword }}
|
||||
name: {{ tpl (include "common.secrets.name" (dict "existingSecret" .Values.auth.existingSecretPerPassword.tlsKeystorePassword "context" $) $) }}
|
||||
key: {{ include "common.secrets.key" (dict "existingSecret" .Values.auth.existingSecretPerPassword "key" "tlsKeystorePassword") }}
|
||||
{{- else }}
|
||||
name: {{ $globalSecretName }}
|
||||
key: {{ include "common.secrets.key" (dict "existingSecret" .Values.auth.existingSecret "key" "tls-keystore-password") }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if or .Values.auth.tls.truststorePassword .Values.auth.existingSecretPerPassword }}
|
||||
- name: KEYCLOAK_TLS_TRUSTSTORE_PASSWORD
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
{{- if .Values.auth.existingSecretPerPassword }}
|
||||
name: {{ tpl (include "common.secrets.name" (dict "existingSecret" .Values.auth.existingSecretPerPassword.tlsTruststorePassword "context" $) $) }}
|
||||
key: {{ include "common.secrets.key" (dict "existingSecret" .Values.auth.existingSecretPerPassword "key" "tlsKeystorePassword") }}
|
||||
{{- else }}
|
||||
name: {{ $globalSecretName }}
|
||||
key: {{ include "common.secrets.key" (dict "existingSecret" .Values.auth.existingSecret "key" "tls-truestore-password") }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if .Values.extraStartupArgs }}
|
||||
- name: KEYCLOAK_EXTRA_ARGS
|
||||
value: {{ .Values.extraStartupArgs | quote }}
|
||||
{{- end }}
|
||||
{{- if .Values.extraEnvVars }}
|
||||
{{- include "common.tplvalues.render" (dict "value" .Values.extraEnvVars "context" $) | nindent 12 }}
|
||||
{{- end }}
|
||||
envFrom:
|
||||
- configMapRef:
|
||||
name: {{ printf "%s-env-vars" (include "keycloak.fullname" .) }}
|
||||
{{- if .Values.extraEnvVarsCM }}
|
||||
- configMapRef:
|
||||
name: {{ include "common.tplvalues.render" (dict "value" .Values.extraEnvVarsCM "context" $) }}
|
||||
{{- end }}
|
||||
{{- if .Values.extraEnvVarsSecret }}
|
||||
- secretRef:
|
||||
name: {{ include "common.tplvalues.render" (dict "value" .Values.extraEnvVarsSecret "context" $) }}
|
||||
{{- end }}
|
||||
{{- if and .Values.externalDatabase.existingSecret (not .Values.postgresql.enabled) }}
|
||||
- secretRef:
|
||||
name: {{ include "common.tplvalues.render" (dict "value" .Values.externalDatabase.existingSecret "context" $) }}
|
||||
{{- end }}
|
||||
{{- if .Values.resources }}
|
||||
resources: {{- toYaml .Values.resources | nindent 12 }}
|
||||
{{- end }}
|
||||
ports:
|
||||
- name: http
|
||||
containerPort: {{ .Values.containerPorts.http }}
|
||||
protocol: TCP
|
||||
- name: https
|
||||
containerPort: {{ .Values.containerPorts.https }}
|
||||
protocol: TCP
|
||||
- name: http-management
|
||||
containerPort: {{ .Values.containerPorts.management }}
|
||||
protocol: TCP
|
||||
{{- if not .Values.diagnosticMode.enabled }}
|
||||
{{- if .Values.startupProbe.enabled }}
|
||||
startupProbe: {{- omit .Values.startupProbe "enabled" | toYaml | nindent 12 }}
|
||||
httpGet:
|
||||
path: /auth/
|
||||
port: http
|
||||
{{- else if .Values.customStartupProbe }}
|
||||
startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customStartupProbe "context" $) | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- if .Values.livenessProbe.enabled }}
|
||||
livenessProbe: {{- omit .Values.livenessProbe "enabled" | toYaml | nindent 12 }}
|
||||
httpGet:
|
||||
path: /auth/
|
||||
port: http
|
||||
{{- else if .Values.customLivenessProbe }}
|
||||
livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customLivenessProbe "context" $) | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- if .Values.readinessProbe.enabled }}
|
||||
readinessProbe: {{- omit .Values.readinessProbe "enabled" | toYaml | nindent 12 }}
|
||||
httpGet:
|
||||
path: /auth/realms/master
|
||||
port: http
|
||||
{{- else if .Values.customReadinessProbe }}
|
||||
readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customReadinessProbe "context" $) | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
volumeMounts:
|
||||
{{- if or .Values.configuration .Values.existingConfigmap }}
|
||||
- name: keycloak-config
|
||||
mountPath: /bitnami/keycloak/configuration/standalone-ha.xml
|
||||
subPath: standalone-ha.xml
|
||||
{{- end }}
|
||||
{{- if .Values.auth.tls.enabled }}
|
||||
- name: shared-certs
|
||||
mountPath: /opt/bitnami/keycloak/certs
|
||||
readOnly: true
|
||||
{{- end }}
|
||||
{{- if or .Values.initdbScriptsConfigMap .Values.initdbScripts }}
|
||||
- name: custom-init-scripts
|
||||
mountPath: /docker-entrypoint-initdb.d
|
||||
{{- end }}
|
||||
{{- if .Values.extraVolumeMounts }}
|
||||
{{- include "common.tplvalues.render" (dict "value" .Values.extraVolumeMounts "context" $) | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- if .Values.sidecars }}
|
||||
{{- include "common.tplvalues.render" ( dict "value" .Values.sidecars "context" $) | nindent 8 }}
|
||||
{{- end }}
|
||||
volumes:
|
||||
{{- if or .Values.configuration .Values.existingConfigmap }}
|
||||
- name: keycloak-config
|
||||
configMap:
|
||||
name: {{ include "keycloak.configmapName" . }}
|
||||
{{- end }}
|
||||
{{- if .Values.auth.tls.enabled }}
|
||||
- name: certificates
|
||||
secret:
|
||||
secretName: {{ include "keycloak.tlsSecretName" . }}
|
||||
defaultMode: 420
|
||||
- name: shared-certs
|
||||
emptyDir: {}
|
||||
{{- end }}
|
||||
{{- if or .Values.initdbScriptsConfigMap .Values.initdbScripts }}
|
||||
- name: custom-init-scripts
|
||||
configMap:
|
||||
name: {{ include "keycloak.initdbScriptsCM" . }}
|
||||
{{- end }}
|
||||
{{- if .Values.extraVolumes }}
|
||||
{{- include "common.tplvalues.render" (dict "value" .Values.extraVolumes "context" $) | nindent 8 }}
|
||||
{{- end }}
|
||||
@@ -0,0 +1,76 @@
|
||||
{{- if .Values.ingress.enabled }}
|
||||
{{- if .Values.ingress.secrets }}
|
||||
{{- range .Values.ingress.secrets }}
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: {{ .name }}
|
||||
namespace: {{ $.Release.Namespace }}
|
||||
labels: {{- include "common.labels.standard" $ | nindent 4 }}
|
||||
{{- if $.Values.commonLabels }}
|
||||
{{- include "common.tplvalues.render" ( dict "value" $.Values.commonLabels "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- if $.Values.commonAnnotations }}
|
||||
annotations: {{- include "common.tplvalues.render" ( dict "value" $.Values.commonAnnotations "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
type: kubernetes.io/tls
|
||||
data:
|
||||
tls.crt: {{ .certificate | b64enc }}
|
||||
tls.key: {{ .key | b64enc }}
|
||||
---
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if and .Values.ingress.tls .Values.ingress.selfSigned }}
|
||||
{{- $ca := genCA "keycloak-ca" 365 }}
|
||||
{{- $cert := genSignedCert .Values.ingress.hostname nil (list .Values.ingress.hostname) 365 $ca }}
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: {{ printf "%s-tls" .Values.ingress.hostname }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels: {{- include "common.labels.standard" . | nindent 4 }}
|
||||
{{- if .Values.commonLabels }}
|
||||
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- if .Values.commonAnnotations }}
|
||||
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
type: kubernetes.io/tls
|
||||
data:
|
||||
tls.crt: {{ $cert.Cert | b64enc | quote }}
|
||||
tls.key: {{ $cert.Key | b64enc | quote }}
|
||||
ca.crt: {{ $ca.Cert | b64enc | quote }}
|
||||
---
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if (include "keycloak.createTlsSecret" $) }}
|
||||
{{- $ca := genCA "keycloak-ca" 365 }}
|
||||
{{- $releaseNamespace := .Release.Namespace }}
|
||||
{{- $clusterDomain := .Values.clusterDomain }}
|
||||
{{- $fullname := include "keycloak.fullname" . }}
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: {{ printf "%s-crt" (include "common.names.fullname" .) }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels: {{- include "common.labels.standard" . | nindent 4 }}
|
||||
app.kubernetes.io/component: keycloak
|
||||
{{- if .Values.commonLabels }}
|
||||
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- if .Values.commonAnnotations }}
|
||||
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
|
||||
{{- end }}
|
||||
type: Opaque
|
||||
data:
|
||||
{{- $replicaCount := int .Values.replicaCount }}
|
||||
{{- range $i := until $replicaCount }}
|
||||
{{- $replicaHost := printf "%s-%d.%s-headless" $fullname $i $fullname }}
|
||||
{{- $altNames := list (printf "%s.%s.svc.%s" $replicaHost $releaseNamespace $clusterDomain) (printf "%s.%s.svc.%s" $fullname $releaseNamespace $clusterDomain) (printf "%s.%s" $replicaHost $releaseNamespace) (printf "%s.%s" $fullname $releaseNamespace) $replicaHost $fullname }}
|
||||
{{- $crt := genSignedCert $replicaHost nil $altNames 365 $ca }}
|
||||
keycloak-{{ $i }}.crt: {{ $crt.Cert | b64enc | quote }}
|
||||
keycloak-{{ $i }}.key: {{ $crt.Key | b64enc | quote }}
|
||||
{{- end }}
|
||||
ca.crt: {{ $ca.Cert | b64enc | quote }}
|
||||
{{- end }}
|
||||
|
||||
Reference in New Issue
Block a user