sa_8001/dsk-iac
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

ansible role update

Browse Source
This commit is contained in:
havelight-ee
2022-12-09 13:38:44 +09:00
parent 8391ca915d
commit 3af7e034fc
890 changed files with 79234 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

76
ansible/roles/helm_install/files/keycloak/templates/NOTES.txt Normal file
View File

@@ -0,0 +1,76 @@
CHART NAME: {{ .Chart.Name }}
CHART VERSION: {{ .Chart.Version }}
APP VERSION: {{ .Chart.AppVersion }}
** Please be patient while the chart is being deployed **
Keycloak can be accessed through the following DNS name from within your cluster:
{{ include "common.names.fullname" . }}.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }} (port {{ coalesce .Values.service.ports.http .Values.service.port }})
To access Keycloak from outside the cluster execute the following commands:
{{- if .Values.ingress.enabled }}
1. Get the Keycloak URL and associate its hostname to your cluster external IP:
export CLUSTER_IP=$(minikube ip) # On Minikube. Use: `kubectl cluster-info` on others K8s clusters
echo "Keycloak URL: http{{ if .Values.ingress.tls }}s{{ end }}://{{ .Values.ingress.hostname }}/auth"
echo "$CLUSTER_IP {{ .Values.ingress.hostname }}" | sudo tee -a /etc/hosts
{{- else }}
1. Get the Keycloak URL by running these commands:
{{- if contains "NodePort" .Values.service.type }}
export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "common.names.fullname" . }})
export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
echo "http://${NODE_IP}:${NODE_PORT}/auth"
{{- else if contains "LoadBalancer" .Values.service.type }}
NOTE: It may take a few minutes for the LoadBalancer IP to be available.
You can watch its status by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "common.names.fullname" . }}'
export SERVICE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].port}" services {{ include "common.names.fullname" . }})
export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "common.names.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
echo "http://${SERVICE_IP}:${SERVICE_PORT}/auth"
{{- else if contains "ClusterIP" .Values.service.type }}
export SERVICE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].port}" services {{ include "common.names.fullname" . }})
kubectl port-forward --namespace {{ .Release.Namespace }} svc/{{ include "common.names.fullname" . }} ${SERVICE_PORT}:${SERVICE_PORT} &
echo "http://127.0.0.1:${SERVICE_PORT}/auth"
{{- end }}
{{- end }}
2. Access Keycloak using the obtained URL.
{{- if .Values.auth.createAdminUser }}
3. Access the Administration Console using the following credentials:
echo Username: {{ .Values.auth.adminUser }}
{{- if not .Values.auth.existingSecretPerPassword }}
echo Password: $(kubectl get secret --namespace {{ .Release.Namespace }} {{ include "common.secrets.name" (dict "existingSecret" .Values.auth.existingSecret "context" $) }} -o jsonpath="{.data.admin-password}" | base64 --decode)
{{- else }}
echo Password: $(kubectl get secret --namespace {{ .Release.Namespace }} {{ include "common.secrets.name" (dict "existingSecret" .Values.auth.existingSecretPerPassword.adminPassword "context" $) }} -o jsonpath="\{ {{ include "common.secrets.key" (dict "existingSecret" .Values.auth.existingSecretPerPassword "key" "adminPassword") }} \}" | base64 --decode)
{{- end }}
{{- end }}
{{- if .Values.metrics.enabled }}
You can access the Prometheus metrics following the steps below:
1. Get the Keycloak Prometheus metrics URL by running:
{{- $metricsPort := coalesce .Values.metrics.service.ports.http .Values.metrics.service.port | toString }}
kubectl port-forward --namespace {{ .Release.Namespace }} svc/{{ printf "%s-metrics" (include "keycloak.fullname" .) }} {{ $metricsPort }}:{{ $metricsPort }} &
echo "Keycloak Prometheus metrics URL: http://127.0.0.1:{{ $metricsPort }}/metrics"
2. Open a browser and access Keycloak Prometheus metrics using the obtained URL.
{{- end }}
{{- include "keycloak.validateValues" . }}
{{- include "common.warnings.rollingTag" .Values.image }}
{{- include "common.warnings.rollingTag" .Values.keycloakConfigCli.image }}

273
ansible/roles/helm_install/files/keycloak/templates/_helpers.tpl Normal file
View File

@@ -0,0 +1,273 @@
{{/*
Create a default fully qualified app name.
We truncate at 20 chars since the node identifier in WildFly is limited to
23 characters. This allows for a replica suffix for up to 99 replicas.
If release name contains chart name it will be used as a full name.
*/}}
{{- define "keycloak.fullname" -}}
{{- if .Values.fullnameOverride -}}
{{- .Values.fullnameOverride | trunc 20 | trimSuffix "-" -}}
{{- else -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- .Release.Name | trunc 20 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s" .Release.Name $name | trunc 20 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{/*
Return the proper Keycloak image name
*/}}
{{- define "keycloak.image" -}}
{{ include "common.images.image" (dict "imageRoot" .Values.image "global" .Values.global) }}
{{- end -}}
{{/*
Return the proper keycloak-config-cli image name
*/}}
{{- define "keycloak.keycloakConfigCli.image" -}}
{{ include "common.images.image" (dict "imageRoot" .Values.keycloakConfigCli.image "global" .Values.global) }}
{{- end -}}
{{/*
Return the keycloak-config-cli configuration configmap.
*/}}
{{- define "keycloak.keycloakConfigCli.configmapName" -}}
{{- if .Values.keycloakConfigCli.existingConfigmap -}}
{{- printf "%s" (tpl .Values.keycloakConfigCli.existingConfigmap $) -}}
{{- else -}}
{{- printf "%s-keycloak-config-cli-configmap" (include "common.names.fullname" .) -}}
{{- end -}}
{{- end -}}
{{/*
Return true if a configmap object should be created for keycloak-config-cli
*/}}
{{- define "keycloak.keycloakConfigCli.createConfigmap" -}}
{{- if and .Values.keycloakConfigCli.enabled .Values.keycloakConfigCli.configuration (not .Values.keycloakConfigCli.existingConfigmap) -}}
{{- true -}}
{{- end -}}
{{- end -}}
{{/*
Return the proper Docker Image Registry Secret Names
*/}}
{{- define "keycloak.imagePullSecrets" -}}
{{- include "common.images.pullSecrets" (dict "images" (list .Values.image .Values.keycloakConfigCli.image) "global" .Values.global) -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
*/}}
{{- define "keycloak.postgresql.fullname" -}}
{{- include "common.names.dependency.fullname" (dict "chartName" "postgresql" "chartValues" .Values.postgresql "context" $) -}}
{{- end -}}
{{/*
Create the name of the service account to use
*/}}
{{- define "keycloak.serviceAccountName" -}}
{{- if .Values.serviceAccount.create -}}
{{ default (include "keycloak.fullname" .) .Values.serviceAccount.name }}
{{- else -}}
{{ default "default" .Values.serviceAccount.name }}
{{- end -}}
{{- end -}}
{{/*
Return the Keycloak configuration configmap
*/}}
{{- define "keycloak.configmapName" -}}
{{- if .Values.existingConfigmap -}}
{{- printf "%s" (tpl .Values.existingConfigmap $) -}}
{{- else -}}
{{- printf "%s-configuration" (include "keycloak.fullname" .) -}}
{{- end -}}
{{- end -}}
{{/*
Return true if a configmap object should be created
*/}}
{{- define "keycloak.createConfigmap" -}}
{{- if and .Values.configuration (not .Values.existingConfigmap) }}
{{- true -}}
{{- end -}}
{{- end -}}
{{/*
Return the Database hostname
*/}}
{{- define "keycloak.databaseHost" -}}
{{- ternary (include "keycloak.postgresql.fullname" .) .Values.externalDatabase.host .Values.postgresql.enabled -}}
{{- end -}}
{{/*
Return the Database port
*/}}
{{- define "keycloak.databasePort" -}}
{{- ternary "5432" .Values.externalDatabase.port .Values.postgresql.enabled | quote -}}
{{- end -}}
{{/*
Return the Database database name
*/}}
{{- define "keycloak.databaseName" -}}
{{- if .Values.postgresql.enabled }}
{{- if .Values.global.postgresql }}
{{- if .Values.global.postgresql.auth }}
{{- coalesce .Values.global.postgresql.auth.database .Values.postgresql.auth.database -}}
{{- else -}}
{{- .Values.postgresql.auth.database -}}
{{- end -}}
{{- else -}}
{{- .Values.postgresql.auth.database -}}
{{- end -}}
{{- else -}}
{{- .Values.externalDatabase.database -}}
{{- end -}}
{{- end -}}
{{/*
Return the Database user
*/}}
{{- define "keycloak.databaseUser" -}}
{{- if .Values.postgresql.enabled }}
{{- if .Values.global.postgresql }}
{{- if .Values.global.postgresql.auth }}
{{- coalesce .Values.global.postgresql.auth.username .Values.postgresql.auth.username -}}
{{- else -}}
{{- .Values.postgresql.auth.username -}}
{{- end -}}
{{- else -}}
{{- .Values.postgresql.auth.username -}}
{{- end -}}
{{- else -}}
{{- .Values.externalDatabase.user -}}
{{- end -}}
{{- end -}}
{{/*
Return the Database encrypted password
*/}}
{{- define "keycloak.databaseSecretName" -}}
{{- if .Values.postgresql.enabled }}
{{- if .Values.global.postgresql }}
{{- if .Values.global.postgresql.auth }}
{{- if .Values.global.postgresql.auth.existingSecret }}
{{- tpl .Values.global.postgresql.auth.existingSecret $ -}}
{{- else -}}
{{- default (include "keycloak.postgresql.fullname" .) (tpl .Values.postgresql.auth.existingSecret $) -}}
{{- end -}}
{{- else -}}
{{- default (include "keycloak.postgresql.fullname" .) (tpl .Values.postgresql.auth.existingSecret $) -}}
{{- end -}}
{{- else -}}
{{- default (include "keycloak.postgresql.fullname" .) (tpl .Values.postgresql.auth.existingSecret $) -}}
{{- end -}}
{{- else -}}
{{- default (include "common.secrets.name" (dict "existingSecret" .Values.auth.existingSecret "context" $)) (tpl .Values.externalDatabase.existingSecret $) -}}
{{- end -}}
{{- end -}}
{{/*
Add environment variables to configure database values
*/}}
{{- define "keycloak.databaseSecretKey" -}}
{{- if .Values.postgresql.enabled -}}
{{- print "password" -}}
{{- else -}}
{{- if .Values.externalDatabase.existingSecret -}}
{{- if .Values.externalDatabase.existingSecretPasswordKey -}}
{{- printf "%s" .Values.externalDatabase.existingSecretPasswordKey -}}
{{- else -}}
{{- print "password" -}}
{{- end -}}
{{- else -}}
{{- print "password" -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{/*
Return the Keycloak initdb scripts configmap
*/}}
{{- define "keycloak.initdbScriptsCM" -}}
{{- if .Values.initdbScriptsConfigMap -}}
{{- printf "%s" .Values.initdbScriptsConfigMap -}}
{{- else -}}
{{- printf "%s-init-scripts" (include "keycloak.fullname" .) -}}
{{- end -}}
{{- end -}}
{{/*
Return the secret containing AppName TLS certificates
*/}}
{{- define "keycloak.tlsSecretName" -}}
{{- $secretName := coalesce .Values.auth.tls.existingSecret .Values.auth.tls.jksSecret -}}
{{- if $secretName -}}
{{- printf "%s" (tpl $secretName $) -}}
{{- else -}}
{{- printf "%s-crt" (include "common.names.fullname" .) -}}
{{- end -}}
{{- end -}}
{{/*
Return true if a TLS secret object should be created
*/}}
{{- define "keycloak.createTlsSecret" -}}
{{- if and .Values.auth.tls.enabled .Values.auth.tls.autoGenerated (not .Values.auth.tls.existingSecret) (not .Values.auth.tls.jksSecret) }}
{{- true -}}
{{- end -}}
{{- end -}}
{{/*
Compile all warnings into a single message.
*/}}
{{- define "keycloak.validateValues" -}}
{{- $messages := list -}}
{{- $messages := append $messages (include "keycloak.validateValues.replicaCount" .) -}}
{{- $messages := append $messages (include "keycloak.validateValues.database" .) -}}
{{- $messages := append $messages (include "keycloak.validateValues.auth.tls" .) -}}
{{- $messages := without $messages "" -}}
{{- $message := join "\n" $messages -}}
{{- if $message -}}
{{- printf "\nVALUES VALIDATION:\n%s" $message | fail -}}
{{- end -}}
{{- end -}}
{{/* Validate values of Keycloak - number of replicas */}}
{{- define "keycloak.validateValues.replicaCount" -}}
{{- $replicaCount := int .Values.replicaCount }}
{{- if and (not .Values.serviceDiscovery.enabled) (gt $replicaCount 1) -}}
keycloak: replicaCount
You need to configure the ServiceDiscovery settings to run more than 1 replica.
Enable the Service Discovery (--set serviceDiscovery.enabled=true) and
set the Service Discovery protocol (--set serviceDiscovery.protocol="FOO") and
the Service Discovery properties (--set serviceDiscovery.properties[0]="BAR") if needed.
{{- end -}}
{{- end -}}
{{/* Validate values of Keycloak - database */}}
{{- define "keycloak.validateValues.database" -}}
{{- if and (not .Values.postgresql.enabled) (not .Values.externalDatabase.host) (not .Values.externalDatabase.existingSecret) -}}
keycloak: database
You disabled the PostgreSQL sub-chart but did not specify an external PostgreSQL host.
Either deploy the PostgreSQL sub-chart (--set postgresql.enabled=true),
or set a value for the external database host (--set externalDatabase.host=FOO)
or set a value for the external database existing secret (--set externalDatabase.existingSecret=BAR).
{{- end -}}
{{- end -}}
{{/* Validate values of Keycloak - Auth TLS enabled */}}
{{- define "keycloak.validateValues.auth.tls" -}}
{{- if and .Values.auth.tls.enabled (not .Values.auth.tls.autoGenerated) (not .Values.auth.tls.existingSecret) (not .Values.auth.tls.jksSecret) }}
keycloak: auth.tls.enabled
In order to enable TLS, you also need to provide
an existing secret containing the Keystore and Truststore or
enable auto-generated certificates.
{{- end -}}
{{- end -}}

37
ansible/roles/helm_install/files/keycloak/templates/configmap-env-vars.yaml Normal file
View File

@@ -0,0 +1,37 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ printf "%s-env-vars" (include "keycloak.fullname" .) }}
namespace: {{ .Release.Namespace }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
app.kubernetes.io/component: keycloak
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
data:
KEYCLOAK_CREATE_ADMIN_USER: {{ ternary "true" "false" .Values.auth.createAdminUser | quote }}
KEYCLOAK_ADMIN_USER: {{ .Values.auth.adminUser | quote }}
KEYCLOAK_MANAGEMENT_USER: {{ .Values.auth.managementUser | quote }}
KEYCLOAK_HTTP_PORT: {{ .Values.containerPorts.http | quote }}
KEYCLOAK_PROXY_ADDRESS_FORWARDING: {{ ternary "true" "false" .Values.proxyAddressForwarding | quote }}
KEYCLOAK_ENABLE_STATISTICS: {{ ternary "true" "false" .Values.metrics.enabled | quote }}
KEYCLOAK_DATABASE_HOST: {{ include "keycloak.databaseHost" . | quote }}
KEYCLOAK_DATABASE_PORT: {{ include "keycloak.databasePort" . }}
KEYCLOAK_DATABASE_NAME: {{ include "keycloak.databaseName" . | quote }}
KEYCLOAK_DATABASE_USER: {{ include "keycloak.databaseUser" . | quote }}
{{- if .Values.serviceDiscovery.enabled }}
KEYCLOAK_JGROUPS_DISCOVERY_PROTOCOL: {{ .Values.serviceDiscovery.protocol | quote }}
KEYCLOAK_JGROUPS_DISCOVERY_PROPERTIES: {{ (tpl (join "," .Values.serviceDiscovery.properties) $) | quote }}
KEYCLOAK_JGROUPS_TRANSPORT_STACK: {{ .Values.serviceDiscovery.transportStack | quote }}
{{- end }}
KEYCLOAK_CACHE_OWNERS_COUNT: {{ .Values.cache.ownersCount | quote }}
KEYCLOAK_AUTH_CACHE_OWNERS_COUNT: {{ .Values.cache.authOwnersCount | quote }}
KEYCLOAK_ENABLE_TLS: {{ ternary "true" "false" .Values.auth.tls.enabled | quote }}
{{- if .Values.auth.tls.enabled }}
KEYCLOAK_HTTPS_PORT: {{ .Values.containerPorts.https | quote }}
KEYCLOAK_TLS_KEYSTORE_FILE: "/opt/bitnami/keycloak/certs/keycloak.keystore.jks"
KEYCLOAK_TLS_TRUSTSTORE_FILE: "/opt/bitnami/keycloak/certs/keycloak.truststore.jks"
{{- end }}

18
ansible/roles/helm_install/files/keycloak/templates/configmap.yaml Normal file
View File

@@ -0,0 +1,18 @@
{{- if (include "keycloak.createConfigmap" .) }}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ printf "%s-configuration" (include "keycloak.fullname" .) }}
namespace: {{ .Release.Namespace }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
app.kubernetes.io/component: keycloak
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
data:
standalone-ha.xml: |-
{{- .Values.configuration | nindent 4 }}
{{- end }}

4
ansible/roles/helm_install/files/keycloak/templates/extra-list.yaml Normal file
View File

@@ -0,0 +1,4 @@
{{- range .Values.extraDeploy }}
---
{{ include "common.tplvalues.render" (dict "value" . "context" $) }}
{{- end }}

30
ansible/roles/helm_install/files/keycloak/templates/headless-service.yaml Normal file
View File

@@ -0,0 +1,30 @@
apiVersion: v1
kind: Service
metadata:
name: {{ printf "%s-headless" (include "keycloak.fullname" .) | trunc 63 | trimSuffix "-" }}
namespace: {{ .Release.Namespace }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
app.kubernetes.io/component: keycloak
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
type: ClusterIP
clusterIP: None
ports:
- name: http
port: {{ coalesce .Values.service.ports.http .Values.service.port }}
protocol: TCP
targetPort: http
{{- if .Values.auth.tls.enabled }}
- name: https
port: {{ coalesce .Values.service.ports.https .Values.service.httpsPort }}
protocol: TCP
targetPort: https
{{- end }}
publishNotReadyAddresses: true
selector: {{- include "common.labels.matchLabels" . | nindent 4 }}
app.kubernetes.io/component: keycloak

35
ansible/roles/helm_install/files/keycloak/templates/hpa.yaml Normal file
View File

@@ -0,0 +1,35 @@
{{- if .Values.autoscaling.enabled }}
apiVersion: autoscaling/v2beta1
kind: HorizontalPodAutoscaler
metadata:
name: {{ template "keycloak.fullname" . }}
namespace: {{ .Release.Namespace }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
app.kubernetes.io/component: keycloak
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
scaleTargetRef:
apiVersion: {{ include "common.capabilities.statefulset.apiVersion" . }}
kind: StatefulSet
name: {{ template "keycloak.fullname" . }}
minReplicas: {{ .Values.autoscaling.minReplicas }}
maxReplicas: {{ .Values.autoscaling.maxReplicas }}
metrics:
{{- if .Values.autoscaling.targetCPU }}
- type: Resource
resource:
name: cpu
targetAverageUtilization: {{ .Values.autoscaling.targetCPU }}
{{- end }}
{{- if .Values.autoscaling.targetMemory }}
- type: Resource
resource:
name: memory
targetAverageUtilization: {{ .Values.autoscaling.targetMemory }}
{{- end }}
{{- end }}

58
ansible/roles/helm_install/files/keycloak/templates/ingress.yaml Normal file
View File

@@ -0,0 +1,58 @@
{{- if .Values.ingress.enabled }}
apiVersion: {{ include "common.capabilities.ingress.apiVersion" . }}
kind: Ingress
metadata:
name: {{ include "keycloak.fullname" . }}
namespace: {{ .Release.Namespace }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
app.kubernetes.io/component: keycloak
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
annotations:
{{- if .Values.commonAnnotations }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.ingress.annotations }}
{{- include "common.tplvalues.render" (dict "value" .Values.ingress.annotations "context" $) | nindent 4 }}
{{- end }}
spec:
{{- if and .Values.ingress.ingressClassName (eq "true" (include "common.ingress.supportsIngressClassname" .)) }}
ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
{{- end }}
rules:
{{- if .Values.ingress.hostname }}
- host: {{ .Values.ingress.hostname | quote }}
http:
paths:
{{- if .Values.ingress.extraPaths }}
{{- toYaml .Values.ingress.extraPaths | nindent 10 }}
{{- end }}
- path: {{ .Values.ingress.path }}
{{- if eq "true" (include "common.ingress.supportsPathType" .) }}
pathType: {{ .Values.ingress.pathType }}
{{- end }}
backend: {{- include "common.ingress.backend" (dict "serviceName" (include "keycloak.fullname" .) "servicePort" .Values.ingress.servicePort "context" $) | nindent 14 }}
{{- end }}
{{- range .Values.ingress.extraHosts }}
- host: {{ .name }}
http:
paths:
- path: {{ default "/" .path }}
{{- if eq "true" (include "common.ingress.supportsPathType" $) }}
pathType: {{ default "ImplementationSpecific" .pathType }}
{{- end }}
backend: {{- include "common.ingress.backend" (dict "serviceName" (include "keycloak.fullname" $) "servicePort" $.Values.ingress.servicePort "context" $) | nindent 14 }}
{{- end }}
{{- if or (and .Values.ingress.tls (or (include "common.ingress.certManagerRequest" ( dict "annotations" .Values.ingress.annotations )) .Values.ingress.selfSigned)) .Values.ingress.extraTls }}
tls:
{{- if and .Values.ingress.tls (or (include "common.ingress.certManagerRequest" ( dict "annotations" .Values.ingress.annotations )) .Values.ingress.selfSigned) }}
- hosts:
- {{ .Values.ingress.hostname | quote }}
secretName: {{ printf "%s-tls" .Values.ingress.hostname }}
{{- end }}
{{- if .Values.ingress.extraTls }}
{{- include "common.tplvalues.render" (dict "value" .Values.ingress.extraTls "context" $) | nindent 4 }}
{{- end }}
{{- end }}
{{- end }}

17
ansible/roles/helm_install/files/keycloak/templates/init-scripts-configmap.yaml Normal file
View File

@@ -0,0 +1,17 @@
{{- if and .Values.initdbScripts (not .Values.initdbScriptsConfigMap) }}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ printf "%s-init-scripts" (include "keycloak.fullname" .) }}
namespace: {{ .Release.Namespace }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
app.kubernetes.io/component: keycloak
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
data:
{{- include "common.tplvalues.render" (dict "value" .Values.initdbScripts "context" .) | nindent 2 }}
{{ end }}

21
ansible/roles/helm_install/files/keycloak/templates/keycloak-config-cli-configmap.yaml Normal file
View File

@@ -0,0 +1,21 @@
{{- if (include "keycloak.keycloakConfigCli.createConfigmap" .) }}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "keycloak.keycloakConfigCli.configmapName" . }}
namespace: {{ .Release.Namespace }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
app.kubernetes.io/component: keycloak-config-cli
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
data:
{{- range $fileName, $fileContent := .Values.keycloakConfigCli.configuration }}
{{- if $fileContent }}
{{ $fileName }}: |
{{- include "common.tplvalues.render" (dict "value" $fileContent "context" $) | nindent 4 }}
{{- else }}
{{- ($.Files.Glob $fileName).AsConfig | nindent 2 }}
{{- end }}
{{- end }}
{{- end }}

120
ansible/roles/helm_install/files/keycloak/templates/keycloak-config-cli-job.yaml Normal file
View File

@@ -0,0 +1,120 @@
{{- if .Values.keycloakConfigCli.enabled }}
apiVersion: batch/v1
kind: Job
metadata:
name: {{ template "keycloak.fullname" . }}-keycloak-config-cli
namespace: {{ .Release.Namespace }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
app.kubernetes.io/component: keycloak-config-cli
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
annotations:
{{- include "common.tplvalues.render" ( dict "value" .Values.keycloakConfigCli.annotations "context" $ ) | nindent 4 }}
{{- if .Values.commonAnnotations }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
backoffLimit: {{ .Values.keycloakConfigCli.backoffLimit }}
template:
metadata:
labels: {{- include "common.labels.standard" . | nindent 8 }}
app.kubernetes.io/component: keycloak-config-cli
{{- if .Values.keycloakConfigCli.podLabels }}
{{- include "common.tplvalues.render" (dict "value" .Values.keycloakConfigCli.podLabels "context" $) | nindent 8 }}
{{- end }}
annotations:
{{- if (include "keycloak.keycloakConfigCli.createConfigmap" .) }}
checksum/configuration: {{ include (print $.Template.BasePath "/keycloak-config-cli-configmap.yaml") . | sha256sum }}
{{- end }}
{{- if .Values.keycloakConfigCli.podAnnotations }}
{{- include "common.tplvalues.render" (dict "value" .Values.keycloakConfigCli.podAnnotations "context" $) | nindent 8 }}
{{- end }}
spec:
serviceAccountName: {{ template "keycloak.serviceAccountName" . }}
{{- include "keycloak.imagePullSecrets" . | nindent 6 }}
restartPolicy: Never
{{- if .Values.keycloakConfigCli.podSecurityContext.enabled }}
securityContext: {{- omit .Values.keycloakConfigCli.podSecurityContext "enabled" | toYaml | nindent 8 }}
{{- end }}
{{- if .Values.keycloakConfigCli.hostAliases }}
hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.keycloakConfigCli.hostAliases "context" $) | nindent 8 }}
{{- end }}
containers:
- name: keycloak-config-cli
image: {{ template "keycloak.keycloakConfigCli.image" . }}
imagePullPolicy: {{ .Values.keycloakConfigCli.image.pullPolicy }}
{{- if .Values.keycloakConfigCli.command }}
command: {{- include "common.tplvalues.render" (dict "value" .Values.keycloakConfigCli.command "context" $) | nindent 12 }}
{{- else }}
command:
- java
- -jar
- {{ printf "/opt/bitnami/keycloak-config-cli/keycloak-config-cli-%s.jar" .Chart.AppVersion }}
{{- end }}
{{- if .Values.keycloakConfigCli.args }}
args: {{- include "common.tplvalues.render" (dict "value" .Values.keycloakConfigCli.args "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.keycloakConfigCli.containerSecurityContext.enabled }}
securityContext: {{- omit .Values.keycloakConfigCli.containerSecurityContext "enabled" | toYaml | nindent 12 }}
{{- end }}
env:
- name: KEYCLOAK_URL
value: {{ printf "http://%s-headless:%d/auth" (include "keycloak.fullname" .) (.Values.containerPorts.http | int) }}
- name: KEYCLOAK_USER
value: {{ .Values.auth.adminUser | quote }}
- name: KEYCLOAK_PASSWORD
valueFrom:
secretKeyRef:
{{- if .Values.auth.existingSecretPerPassword }}
name: {{ include "common.secrets.name" (dict "existingSecret" .Values.auth.existingSecretPerPassword.adminPassword "context" $) }}
key: {{ include "common.secrets.key" (dict "existingSecret" .Values.auth.existingSecretPerPassword "key" "adminPassword") }}
{{- else }}
name: {{ include "common.secrets.name" (dict "existingSecret" .Values.auth.existingSecret "context" $) }}
key: {{ include "common.secrets.key" (dict "existingSecret" .Values.auth.existingSecret "key" "admin-password") }}
{{- end }}
{{- if or .Values.keycloakConfigCli.configuration .Values.keycloakConfigCli.existingConfigmap }}
- name: IMPORT_PATH
value: /config/
{{- end }}
- name: KEYCLOAK_AVAILABILITYCHECK_ENABLED
value: "true"
{{- if .Values.keycloakConfigCli.extraEnvVars }}
{{- include "common.tplvalues.render" (dict "value" .Values.keycloakConfigCli.extraEnvVars "context" $) | nindent 12 }}
{{- end }}
{{- if or .Values.keycloakConfigCli.extraEnvVarsCM .Values.keycloakConfigCli.extraEnvVarsSecret }}
envFrom:
{{- if .Values.keycloakConfigCli.extraEnvVarsCM }}
- configMapRef:
name: {{ .Values.keycloakConfigCli.extraEnvVarsCM }}
{{- end }}
{{- if .Values.keycloakConfigCli.extraEnvVarsSecret }}
- secretRef:
name: {{ .Values.keycloakConfigCli.extraEnvVarsSecret }}
{{- end }}
{{- end }}
{{- if or .Values.keycloakConfigCli.configuration .Values.keycloakConfigCli.existingConfigmap .Values.keycloakConfigCli.extraVolumeMounts }}
volumeMounts:
{{- if or .Values.keycloakConfigCli.configuration .Values.keycloakConfigCli.existingConfigmap }}
- name: config-volume
mountPath: /config
{{- end }}
{{- if .Values.keycloakConfigCli.extraVolumeMounts }}
{{- include "common.tplvalues.render" (dict "value" .Values.keycloakConfigCli.extraVolumeMounts "context" $) | nindent 12 }}
{{- end }}
{{- end }}
{{- if .Values.keycloakConfigCli.resources }}
resources: {{- toYaml .Values.keycloakConfigCli.resources | nindent 12 }}
{{- end }}
{{- if or .Values.keycloakConfigCli.configuration .Values.keycloakConfigCli.existingConfigmap .Values.keycloakConfigCli.extraVolumes }}
volumes:
{{- if or .Values.keycloakConfigCli.configuration .Values.keycloakConfigCli.existingConfigmap }}
- name: config-volume
configMap:
name: {{ include "keycloak.keycloakConfigCli.configmapName" . }}
{{- end }}
{{- if .Values.keycloakConfigCli.extraVolumes }}
{{- include "common.tplvalues.render" (dict "value" .Values.keycloakConfigCli.extraVolumes "context" $) | nindent 8 }}
{{- end }}
{{- end }}
{{- end }}

30
ansible/roles/helm_install/files/keycloak/templates/metrics-service.yaml Normal file
View File

@@ -0,0 +1,30 @@
{{- if .Values.metrics.enabled }}
apiVersion: v1
kind: Service
metadata:
name: {{ printf "%s-metrics" (include "keycloak.fullname" .) }}
namespace: {{ .Release.Namespace }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
app.kubernetes.io/component: metrics
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if or .Values.metrics.service.annotations .Values.commonAnnotations }}
annotations:
{{- if .Values.metrics.service.annotations }}
{{- include "common.tplvalues.render" ( dict "value" .Values.metrics.service.annotations "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
{{- end }}
spec:
type: ClusterIP
ports:
- name: http-management
port: {{ coalesce .Values.metrics.service.ports.http .Values.metrics.service.port }}
protocol: TCP
targetPort: http-management
selector: {{- include "common.labels.matchLabels" . | nindent 4 }}
app.kubernetes.io/component: keycloak
{{- end }}

39
ansible/roles/helm_install/files/keycloak/templates/networkpolicy.yaml Normal file
View File

@@ -0,0 +1,39 @@
{{- if .Values.networkPolicy.enabled }}
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
name: {{ template "keycloak.fullname" . }}
namespace: {{ .Release.Namespace }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
app.kubernetes.io/component: keycloak
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
podSelector:
matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }}
ingress:
- ports:
- port: {{ .Values.containerPorts.http }}
{{- if .Values.auth.tls.enabled }}
- port: {{ .Values.containerPorts.https }}
{{- end }}
{{- if .Values.metrics.enabled }}
- port: {{ .Values.containerPorts.management }}
{{- end }}
{{- if not .Values.networkPolicy.allowExternal }}
from:
- podSelector:
matchLabels:
{{ template "keycloak.fullname" . }}-client: "true"
- podSelector:
matchLabels: {{- include "common.labels.matchLabels" . | nindent 14 }}
app.kubernetes.io/component: keycloak
{{- if .Values.networkPolicy.additionalRules }}
{{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.additionalRules "context" $) | nindent 8 }}
{{- end }}
{{- end }}
{{- end }}

25
ansible/roles/helm_install/files/keycloak/templates/pdb.yaml Normal file
View File

@@ -0,0 +1,25 @@
{{- if .Values.pdb.create }}
apiVersion: {{ include "common.capabilities.policy.apiVersion" . }}
kind: PodDisruptionBudget
metadata:
name: {{ template "keycloak.fullname" . }}
namespace: {{ .Release.Namespace }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
app.kubernetes.io/component: keycloak
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
{{- if .Values.pdb.minAvailable }}
minAvailable: {{ .Values.pdb.minAvailable }}
{{- end }}
{{- if .Values.pdb.maxUnavailable }}
maxUnavailable: {{ .Values.pdb.maxUnavailable }}
{{- end }}
selector:
matchLabels: {{ include "common.labels.matchLabels" . | nindent 6 }}
app.kubernetes.io/component: keycloak
{{- end }}

26
ansible/roles/helm_install/files/keycloak/templates/role.yaml Normal file
View File

@@ -0,0 +1,26 @@
{{- if and .Values.serviceAccount.create .Values.rbac.create }}
kind: Role
apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }}
metadata:
name: {{ template "keycloak.fullname" . }}
namespace: {{ .Release.Namespace }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
app.kubernetes.io/component: keycloak
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
rules:
{{- if .Values.rbac.rules }}
{{- include "common.tplvalues.render" ( dict "value" .Values.rbac.rules "context" $ ) | nindent 2 }}
{{- end }}
- apiGroups:
- ""
resources:
- pods
verbs:
- get
- list
{{- end }}

23
ansible/roles/helm_install/files/keycloak/templates/rolebinding.yaml Normal file
View File

@@ -0,0 +1,23 @@
{{- if and .Values.serviceAccount.create .Values.rbac.create }}
kind: RoleBinding
apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }}
metadata:
name: {{ template "keycloak.fullname" . }}
namespace: {{ .Release.Namespace }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
app.kubernetes.io/component: keycloak
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ template "keycloak.fullname" . }}
subjects:
- kind: ServiceAccount
name: {{ template "keycloak.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
{{- end }}

31
ansible/roles/helm_install/files/keycloak/templates/secrets.yaml Normal file
View File

@@ -0,0 +1,31 @@
{{- if and (not .Values.auth.existingSecret) (not .Values.auth.existingSecretPerPassword) }}
{{- $secretName := include "common.secrets.name" (dict "existingSecret" .Values.auth.existingSecret "context" $)}}
apiVersion: v1
kind: Secret
metadata:
name: {{ $secretName }}
namespace: {{ .Release.Namespace }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
app.kubernetes.io/component: keycloak
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
type: Opaque
data:
admin-password: {{ include "common.secrets.passwords.manage" (dict "secret" $secretName "key" "admin-password" "length" 10 "providedValues" (list "auth.adminPassword") "context" $) }}
management-password: {{ include "common.secrets.passwords.manage" (dict "secret" $secretName "key" "management-password" "providedValues" (list "auth.managementPassword") "context" $) }}
{{- if and (not .Values.postgresql.enabled) (not .Values.externalDatabase.existingSecret) }}
password: {{ include "common.secrets.passwords.manage" (dict "secret" $secretName "key" "password" "length" 10 "providedValues" (list "externalDatabase.password") "context" $) }}
{{- end }}
{{- if .Values.auth.tls.enabled }}
{{- if or .Values.auth.tls.keystorePassword .Values.auth.tls.autoGenerated .Values.auth.tls.usePem }}
tls-keystore-password: {{ include "common.secrets.passwords.manage" (dict "secret" $secretName "key" "tls-keystore-password" "length" 10 "providedValues" (list "auth.tls.keystorePassword") "context" $) }}
{{- end }}
{{- if or .Values.auth.tls.truststorePassword .Values.auth.tls.autoGenerated .Values.auth.tls.usePem }}
tls-truestore-password: {{ include "common.secrets.passwords.manage" (dict "secret" $secretName "key" "tls-truestore-password" "length" 10 "providedValues" (list "auth.tls.truststorePassword") "context" $) }}
{{- end }}
{{- end }}
{{- end }}

59
ansible/roles/helm_install/files/keycloak/templates/service.yaml Normal file
View File

@@ -0,0 +1,59 @@
apiVersion: v1
kind: Service
metadata:
name: {{ template "keycloak.fullname" . }}
namespace: {{ .Release.Namespace }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
app.kubernetes.io/component: keycloak
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if or .Values.service.annotations .Values.commonAnnotations }}
annotations:
{{- if .Values.service.annotations }}
{{- include "common.tplvalues.render" ( dict "value" .Values.service.annotations "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
{{- end }}
spec:
type: {{ .Values.service.type }}
sessionAffinity: {{ .Values.service.sessionAffinity }}
{{- if and .Values.service.clusterIP (eq .Values.service.type "ClusterIP") }}
clusterIP: {{ .Values.service.clusterIP }}
{{- end }}
{{- if (or (eq .Values.service.type "LoadBalancer") (eq .Values.service.type "NodePort")) }}
externalTrafficPolicy: {{ .Values.service.externalTrafficPolicy | quote }}
{{- end }}
{{- if eq .Values.service.type "LoadBalancer" }}
loadBalancerSourceRanges:
{{ toYaml .Values.service.loadBalancerSourceRanges | nindent 4 }}
{{- if not (empty .Values.service.loadBalancerIP) }}
loadBalancerIP: {{ .Values.service.loadBalancerIP }}
{{- end }}
{{- end }}
ports:
- name: http
port: {{ coalesce .Values.service.ports.http .Values.service.port }}
protocol: TCP
targetPort: http
{{- if (and (or (eq .Values.service.type "NodePort") (eq .Values.service.type "LoadBalancer")) (not (empty .Values.service.nodePorts.http))) }}
nodePort: {{ .Values.service.nodePorts.http }}
{{- else if eq .Values.service.type "ClusterIP" }}
nodePort: null
{{- end }}
- name: https
port: {{ coalesce .Values.service.ports.https .Values.service.httpsPort }}
protocol: TCP
targetPort: https
{{- if (and (or (eq .Values.service.type "NodePort") (eq .Values.service.type "LoadBalancer")) (not (empty .Values.service.nodePorts.https))) }}
nodePort: {{ .Values.service.nodePorts.https }}
{{- else if eq .Values.service.type "ClusterIP" }}
nodePort: null
{{- end }}
{{- if .Values.service.extraPorts }}
{{- include "common.tplvalues.render" (dict "value" .Values.service.extraPorts "context" $) | nindent 4 }}
{{- end }}
selector: {{- include "common.labels.matchLabels" . | nindent 4 }}
app.kubernetes.io/component: keycloak

22
ansible/roles/helm_install/files/keycloak/templates/serviceaccount.yaml Normal file
View File

@@ -0,0 +1,22 @@
{{- if .Values.serviceAccount.create }}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ template "keycloak.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
app.kubernetes.io/component: keycloak
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if or .Values.serviceAccount.annotations .Values.commonAnnotations }}
annotations:
{{- if .Values.commonAnnotations }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.serviceAccount.annotations }}
{{- include "common.tplvalues.render" (dict "value" .Values.serviceAccount.annotations "context" $) | nindent 4 }}
{{- end }}
{{- end }}
automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}
{{- end }}

48
ansible/roles/helm_install/files/keycloak/templates/servicemonitor.yaml Normal file
View File

@@ -0,0 +1,48 @@
{{- if and .Values.metrics.enabled .Values.metrics.serviceMonitor.enabled }}
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: {{ template "keycloak.fullname" . }}
namespace: {{ default .Release.Namespace .Values.metrics.serviceMonitor.namespace }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
app.kubernetes.io/component: keycloak
{{- if .Values.metrics.serviceMonitor.labels }}
{{- include "common.tplvalues.render" (dict "value" .Values.metrics.serviceMonitor.labels "context" $) | nindent 4 }}
{{- end }}
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
{{- if .Values.metrics.serviceMonitor.jobLabel }}
jobLabel: {{ .Values.metrics.serviceMonitor.jobLabel }}
{{- end }}
endpoints:
- port: http-management
{{- if .Values.metrics.serviceMonitor.interval }}
interval: {{ .Values.metrics.serviceMonitor.interval }}
{{- end }}
{{- if .Values.metrics.serviceMonitor.scrapeTimeout }}
scrapeTimeout: {{ .Values.metrics.serviceMonitor.scrapeTimeout }}
{{- end }}
{{- if .Values.metrics.serviceMonitor.relabelings }}
relabelings: {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.serviceMonitor.relabelings "context" $) | nindent 6 }}
{{- end }}
{{- if .Values.metrics.serviceMonitor.metricRelabelings }}
metricRelabelings: {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.serviceMonitor.metricRelabelings "context" $) | nindent 6 }}
{{- end }}
{{- if .Values.metrics.serviceMonitor.honorLabels }}
honorLabels: {{ .Values.metrics.serviceMonitor.honorLabels }}
{{- end }}
namespaceSelector:
matchNames:
- {{ .Release.Namespace }}
selector:
matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }}
{{- if .Values.metrics.serviceMonitor.selector }}
{{- include "common.tplvalues.render" (dict "value" .Values.metrics.serviceMonitor.selector "context" $) | nindent 6 }}
{{- end }}
app.kubernetes.io/component: metrics
{{- end }}

361
ansible/roles/helm_install/files/keycloak/templates/statefulset.yaml Normal file
View File

@@ -0,0 +1,361 @@
{{- $globalSecretName := printf "%s" (tpl (include "common.secrets.name" (dict "existingSecret" .Values.auth.existingSecret "context" $)) $) }}
apiVersion: {{ include "common.capabilities.statefulset.apiVersion" . }}
kind: StatefulSet
metadata:
name: {{ template "keycloak.fullname" . }}
namespace: {{ .Release.Namespace }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
app.kubernetes.io/component: keycloak
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
{{- if not .Values.autoscaling.enabled }}
replicas: {{ .Values.replicaCount }}
{{- end }}
podManagementPolicy: {{ .Values.podManagementPolicy }}
serviceName: {{ printf "%s-headless" (include "keycloak.fullname" .) | trunc 63 | trimSuffix "-" }}
updateStrategy:
{{- include "common.tplvalues.render" (dict "value" .Values.updateStrategy "context" $ ) | nindent 4 }}
selector:
matchLabels: {{ include "common.labels.matchLabels" . | nindent 6 }}
app.kubernetes.io/component: keycloak
template:
metadata:
annotations:
checksum/configmap-env-vars: {{ include (print $.Template.BasePath "/configmap-env-vars.yaml") . | sha256sum }}
{{- if and (not .Values.auth.existingSecret) (not .Values.auth.existingSecretPerPassword) }}
checksum/secrets: {{ include (print $.Template.BasePath "/secrets.yaml") . | sha256sum }}
{{- end }}
{{- if (include "keycloak.createConfigmap" .) }}
checksum/configuration: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
{{- end }}
{{- if .Values.podAnnotations }}
{{- include "common.tplvalues.render" (dict "value" .Values.podAnnotations "context" $) | nindent 8 }}
{{- end }}
labels: {{- include "common.labels.standard" . | nindent 8 }}
app.kubernetes.io/component: keycloak
{{- if .Values.podLabels }}
{{- include "common.tplvalues.render" (dict "value" .Values.podLabels "context" $) | nindent 8 }}
{{- end }}
spec:
serviceAccountName: {{ template "keycloak.serviceAccountName" . }}
{{- include "keycloak.imagePullSecrets" . | nindent 6 }}
{{- if .Values.hostAliases }}
hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.hostAliases "context" $) | nindent 8 }}
{{- end }}
{{- if .Values.affinity }}
affinity: {{- include "common.tplvalues.render" ( dict "value" .Values.affinity "context" $) | nindent 8 }}
{{- else }}
affinity:
podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.podAffinityPreset "context" $) | nindent 10 }}
podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.podAntiAffinityPreset "context" $) | nindent 10 }}
nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.nodeAffinityPreset.type "key" .Values.nodeAffinityPreset.key "values" .Values.nodeAffinityPreset.values) | nindent 10 }}
{{- end }}
{{- if .Values.nodeSelector }}
nodeSelector: {{- include "common.tplvalues.render" ( dict "value" .Values.nodeSelector "context" $) | nindent 8 }}
{{- end }}
{{- if .Values.tolerations }}
tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.tolerations "context" .) | nindent 8 }}
{{- end }}
{{- if .Values.topologySpreadConstraints }}
topologySpreadConstraints: {{- include "common.tplvalues.render" (dict "value" .Values.topologySpreadConstraints "context" .) | nindent 8 }}
{{- end }}
{{- if .Values.priorityClassName }}
priorityClassName: {{ .Values.priorityClassName | quote }}
{{- end }}
{{- if .Values.schedulerName }}
schedulerName: {{ .Values.schedulerName }}
{{- end }}
{{- if .Values.podSecurityContext.enabled }}
securityContext: {{- omit .Values.podSecurityContext "enabled" | toYaml | nindent 8 }}
{{- end }}
{{- if .Values.terminationGracePeriodSeconds }}
terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }}
{{- end }}
{{- if or .Values.initContainers .Values.auth.tls.enabled }}
initContainers:
{{- if .Values.auth.tls.enabled }}
{{- $fullname := include "keycloak.fullname" . }}
- name: init-certs
image: {{ include "keycloak.image" . }}
imagePullPolicy: {{ .Values.image.pullPolicy | quote }}
{{- if .Values.containerSecurityContext.enabled }}
securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }}
{{- end }}
command:
- /bin/bash
- -ec
- |-
ID="${MY_POD_NAME#"{{ $fullname }}-"}"
{{- if or .Values.auth.tls.autoGenerated .Values.auth.tls.usePem }}
if [[ -f "/certs/keycloak-${ID}.key" ]] && [[ -f "/certs/keycloak-${ID}.crt" ]] && [[ -f "/certs/ca.crt" ]]; then
openssl pkcs12 -export -in "/certs/keycloak-${ID}.crt" \
-passout pass:"${KEYCLOAK_TLS_KEYSTORE_PASSWORD}" \
-inkey "/certs/keycloak-${ID}.key" \
-out "/tmp/keystore.p12"
keytool -importkeystore -srckeystore "/tmp/keystore.p12" \
-srcstoretype PKCS12 \
-srcstorepass "${KEYCLOAK_TLS_KEYSTORE_PASSWORD}" \
-deststorepass "${KEYCLOAK_TLS_KEYSTORE_PASSWORD}" \
-destkeystore "/opt/bitnami/keycloak/certs/keycloak.keystore.jks"
rm "/tmp/keystore.p12"
keytool -import -file "/certs/ca.crt" \
-keystore "/opt/bitnami/keycloak/certs/keycloak.truststore.jks" \
-storepass "${KEYCLOAK_TLS_TRUSTSTORE_PASSWORD}" \
-noprompt
else
echo "Couldn't find the expected PEM certificates! They are mandatory when encryption via TLS is enabled."
exit 1
fi
{{- else if and .Values.auth.tls.truststoreFilename .Values.auth.tls.keystoreFilename }}
if [[ -f {{ printf "/certs/%s" .Values.auth.tls.truststoreFilename | quote }} ]] && [[ -f {{ printf "/certs/%s" .Values.auth.tls.keystoreFilename | quote }} ]]; then
cp {{ printf "/certs/%s" .Values.auth.tls.truststoreFilename | quote }} "/opt/bitnami/keycloak/certs/keycloak.truststore.jks"
cp {{ printf "/certs/%s" .Values.auth.tls.keystoreFilename | quote }} "/opt/bitnami/keycloak/certs/keycloak.keystore.jks"
else
echo "Couldn't find the expected Java Key Stores (JKS) files! They are mandatory when encryption via TLS is enabled."
exit 1
fi
{{- else }}
if [[ -f "/certs/keycloak.truststore.jks" ]] && [[ -f "/certs/keycloak-${ID}.keystore.jks" ]]; then
cp "/certs/keycloak.truststore.jks" "/opt/bitnami/keycloak/certs/keycloak.truststore.jks"
cp "/certs/keycloak-${ID}.keystore.jks" "/opt/bitnami/keycloak/certs/keycloak.keystore.jks"
else
echo "Couldn't find the expected Java Key Stores (JKS) files! They are mandatory when encryption via TLS is enabled."
exit 1
fi
{{- end }}
env:
- name: MY_POD_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.name
{{- if or .Values.auth.tls.keystorePassword .Values.auth.existingSecretPerPassword .Values.auth.tls.autoGenerated }}
- name: KEYCLOAK_TLS_KEYSTORE_PASSWORD
valueFrom:
secretKeyRef:
{{- if .Values.auth.existingSecretPerPassword }}
name: {{ tpl (include "common.secrets.name" (dict "existingSecret" .Values.auth.existingSecretPerPassword.tlsKeystorePassword "context" $)) $ }}
key: {{ include "common.secrets.key" (dict "existingSecret" .Values.auth.existingSecretPerPassword "key" "tlsKeystorePassword") }}
{{- else }}
name: {{ $globalSecretName }}
key: {{ include "common.secrets.key" (dict "existingSecret" .Values.auth.existingSecret "key" "tls-keystore-password") }}
{{- end }}
{{- end }}
{{- if or .Values.auth.tls.truststorePassword .Values.auth.existingSecretPerPassword .Values.auth.tls.autoGenerated }}
- name: KEYCLOAK_TLS_TRUSTSTORE_PASSWORD
valueFrom:
secretKeyRef:
{{- if .Values.auth.existingSecretPerPassword }}
name: {{ tpl (include "common.secrets.name" (dict "existingSecret" .Values.auth.existingSecretPerPassword.tlsTruststorePassword "context" $)) $ }}
key: {{ include "common.secrets.key" (dict "existingSecret" .Values.auth.existingSecretPerPassword "key" "tlsKeystorePassword") }}
{{- else }}
name: {{ $globalSecretName }}
key: {{ include "common.secrets.key" (dict "existingSecret" .Values.auth.existingSecret "key" "tls-truestore-password") }}
{{- end }}
{{- end }}
{{- if .Values.auth.tls.resources }}
resources: {{- toYaml .Values.auth.tls.resources | nindent 12 }}
{{- end }}
volumeMounts:
- name: certificates
mountPath: /certs
- name: shared-certs
mountPath: /opt/bitnami/keycloak/certs
{{- end }}
{{- if .Values.initContainers }}
{{- include "common.tplvalues.render" (dict "value" .Values.initContainers "context" $) | nindent 8 }}
{{- end }}
{{- end }}
containers:
- name: keycloak
image: {{ template "keycloak.image" . }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
{{- if .Values.lifecycleHooks }}
lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.lifecycleHooks "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.containerSecurityContext.enabled }}
securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }}
{{- end }}
{{- if .Values.diagnosticMode.enabled }}
command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }}
{{- else if .Values.command }}
command: {{- include "common.tplvalues.render" (dict "value" .Values.command "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.diagnosticMode.enabled }}
args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }}
{{- else if .Values.args }}
args: {{- include "common.tplvalues.render" (dict "value" .Values.args "context" $) | nindent 12 }}
{{- end }}
env:
- name: KUBERNETES_NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
- name: BITNAMI_DEBUG
value: {{ ternary "true" "false" .Values.image.debug | quote }}
- name: KEYCLOAK_ADMIN_PASSWORD
valueFrom:
secretKeyRef:
{{- if .Values.auth.existingSecretPerPassword }}
name: {{ tpl (include "common.secrets.name" (dict "existingSecret" .Values.auth.existingSecretPerPassword.adminPassword "context" $)) $ }}
key: {{ include "common.secrets.key" (dict "existingSecret" .Values.auth.existingSecretPerPassword "key" "adminPassword") }}
{{- else }}
name: {{ $globalSecretName }}
key: {{ include "common.secrets.key" (dict "existingSecret" .Values.auth.existingSecret "key" "admin-password") }}
{{- end }}
- name: KEYCLOAK_MANAGEMENT_PASSWORD
valueFrom:
secretKeyRef:
{{- if .Values.auth.existingSecretPerPassword }}
name: {{ tpl (include "common.secrets.name" (dict "existingSecret" .Values.auth.existingSecretPerPassword.managementPassword "context" $)) $ }}
key: {{ include "common.secrets.key" (dict "existingSecret" .Values.auth.existingSecretPerPassword "key" "managementPassword") }}
{{- else }}
name: {{ $globalSecretName }}
key: {{ include "common.secrets.key" (dict "existingSecret" .Values.auth.existingSecret "key" "management-password") }}
{{- end }}
- name: KEYCLOAK_DATABASE_PASSWORD
valueFrom:
secretKeyRef:
{{- if .Values.auth.existingSecretPerPassword }}
name: {{ tpl (include "common.secrets.name" (dict "existingSecret" .Values.auth.existingSecretPerPassword.databasePassword "context" $)) $ }}
key: {{ include "common.secrets.key" (dict "existingSecret" .Values.auth.existingSecretPerPassword "key" "databasePassword") }}
{{- else }}
name: {{ include "keycloak.databaseSecretName" . }}
key: {{ include "keycloak.databaseSecretKey" . }}
{{- end }}
{{- if .Values.auth.tls.enabled }}
{{- if or .Values.auth.tls.keystorePassword .Values.auth.existingSecretPerPassword }}
- name: KEYCLOAK_TLS_KEYSTORE_PASSWORD
valueFrom:
secretKeyRef:
{{- if .Values.auth.existingSecretPerPassword }}
name: {{ tpl (include "common.secrets.name" (dict "existingSecret" .Values.auth.existingSecretPerPassword.tlsKeystorePassword "context" $) $) }}
key: {{ include "common.secrets.key" (dict "existingSecret" .Values.auth.existingSecretPerPassword "key" "tlsKeystorePassword") }}
{{- else }}
name: {{ $globalSecretName }}
key: {{ include "common.secrets.key" (dict "existingSecret" .Values.auth.existingSecret "key" "tls-keystore-password") }}
{{- end }}
{{- end }}
{{- if or .Values.auth.tls.truststorePassword .Values.auth.existingSecretPerPassword }}
- name: KEYCLOAK_TLS_TRUSTSTORE_PASSWORD
valueFrom:
secretKeyRef:
{{- if .Values.auth.existingSecretPerPassword }}
name: {{ tpl (include "common.secrets.name" (dict "existingSecret" .Values.auth.existingSecretPerPassword.tlsTruststorePassword "context" $) $) }}
key: {{ include "common.secrets.key" (dict "existingSecret" .Values.auth.existingSecretPerPassword "key" "tlsKeystorePassword") }}
{{- else }}
name: {{ $globalSecretName }}
key: {{ include "common.secrets.key" (dict "existingSecret" .Values.auth.existingSecret "key" "tls-truestore-password") }}
{{- end }}
{{- end }}
{{- end }}
{{- if .Values.extraStartupArgs }}
- name: KEYCLOAK_EXTRA_ARGS
value: {{ .Values.extraStartupArgs | quote }}
{{- end }}
{{- if .Values.extraEnvVars }}
{{- include "common.tplvalues.render" (dict "value" .Values.extraEnvVars "context" $) | nindent 12 }}
{{- end }}
envFrom:
- configMapRef:
name: {{ printf "%s-env-vars" (include "keycloak.fullname" .) }}
{{- if .Values.extraEnvVarsCM }}
- configMapRef:
name: {{ include "common.tplvalues.render" (dict "value" .Values.extraEnvVarsCM "context" $) }}
{{- end }}
{{- if .Values.extraEnvVarsSecret }}
- secretRef:
name: {{ include "common.tplvalues.render" (dict "value" .Values.extraEnvVarsSecret "context" $) }}
{{- end }}
{{- if and .Values.externalDatabase.existingSecret (not .Values.postgresql.enabled) }}
- secretRef:
name: {{ include "common.tplvalues.render" (dict "value" .Values.externalDatabase.existingSecret "context" $) }}
{{- end }}
{{- if .Values.resources }}
resources: {{- toYaml .Values.resources | nindent 12 }}
{{- end }}
ports:
- name: http
containerPort: {{ .Values.containerPorts.http }}
protocol: TCP
- name: https
containerPort: {{ .Values.containerPorts.https }}
protocol: TCP
- name: http-management
containerPort: {{ .Values.containerPorts.management }}
protocol: TCP
{{- if not .Values.diagnosticMode.enabled }}
{{- if .Values.startupProbe.enabled }}
startupProbe: {{- omit .Values.startupProbe "enabled" | toYaml | nindent 12 }}
httpGet:
path: /auth/
port: http
{{- else if .Values.customStartupProbe }}
startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customStartupProbe "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.livenessProbe.enabled }}
livenessProbe: {{- omit .Values.livenessProbe "enabled" | toYaml | nindent 12 }}
httpGet:
path: /auth/
port: http
{{- else if .Values.customLivenessProbe }}
livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customLivenessProbe "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.readinessProbe.enabled }}
readinessProbe: {{- omit .Values.readinessProbe "enabled" | toYaml | nindent 12 }}
httpGet:
path: /auth/realms/master
port: http
{{- else if .Values.customReadinessProbe }}
readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customReadinessProbe "context" $) | nindent 12 }}
{{- end }}
{{- end }}
volumeMounts:
{{- if or .Values.configuration .Values.existingConfigmap }}
- name: keycloak-config
mountPath: /bitnami/keycloak/configuration/standalone-ha.xml
subPath: standalone-ha.xml
{{- end }}
{{- if .Values.auth.tls.enabled }}
- name: shared-certs
mountPath: /opt/bitnami/keycloak/certs
readOnly: true
{{- end }}
{{- if or .Values.initdbScriptsConfigMap .Values.initdbScripts }}
- name: custom-init-scripts
mountPath: /docker-entrypoint-initdb.d
{{- end }}
{{- if .Values.extraVolumeMounts }}
{{- include "common.tplvalues.render" (dict "value" .Values.extraVolumeMounts "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.sidecars }}
{{- include "common.tplvalues.render" ( dict "value" .Values.sidecars "context" $) | nindent 8 }}
{{- end }}
volumes:
{{- if or .Values.configuration .Values.existingConfigmap }}
- name: keycloak-config
configMap:
name: {{ include "keycloak.configmapName" . }}
{{- end }}
{{- if .Values.auth.tls.enabled }}
- name: certificates
secret:
secretName: {{ include "keycloak.tlsSecretName" . }}
defaultMode: 420
- name: shared-certs
emptyDir: {}
{{- end }}
{{- if or .Values.initdbScriptsConfigMap .Values.initdbScripts }}
- name: custom-init-scripts
configMap:
name: {{ include "keycloak.initdbScriptsCM" . }}
{{- end }}
{{- if .Values.extraVolumes }}
{{- include "common.tplvalues.render" (dict "value" .Values.extraVolumes "context" $) | nindent 8 }}
{{- end }}

76
ansible/roles/helm_install/files/keycloak/templates/tls-secret.yaml Normal file
View File

@@ -0,0 +1,76 @@
{{- if .Values.ingress.enabled }}
{{- if .Values.ingress.secrets }}
{{- range .Values.ingress.secrets }}
apiVersion: v1
kind: Secret
metadata:
name: {{ .name }}
namespace: {{ $.Release.Namespace }}
labels: {{- include "common.labels.standard" $ | nindent 4 }}
{{- if $.Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" $.Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if $.Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" $.Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
type: kubernetes.io/tls
data:
tls.crt: {{ .certificate | b64enc }}
tls.key: {{ .key | b64enc }}
---
{{- end }}
{{- end }}
{{- if and .Values.ingress.tls .Values.ingress.selfSigned }}
{{- $ca := genCA "keycloak-ca" 365 }}
{{- $cert := genSignedCert .Values.ingress.hostname nil (list .Values.ingress.hostname) 365 $ca }}
apiVersion: v1
kind: Secret
metadata:
name: {{ printf "%s-tls" .Values.ingress.hostname }}
namespace: {{ .Release.Namespace }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
type: kubernetes.io/tls
data:
tls.crt: {{ $cert.Cert | b64enc | quote }}
tls.key: {{ $cert.Key | b64enc | quote }}
ca.crt: {{ $ca.Cert | b64enc | quote }}
---
{{- end }}
{{- end }}
{{- if (include "keycloak.createTlsSecret" $) }}
{{- $ca := genCA "keycloak-ca" 365 }}
{{- $releaseNamespace := .Release.Namespace }}
{{- $clusterDomain := .Values.clusterDomain }}
{{- $fullname := include "keycloak.fullname" . }}
apiVersion: v1
kind: Secret
metadata:
name: {{ printf "%s-crt" (include "common.names.fullname" .) }}
namespace: {{ .Release.Namespace }}
labels: {{- include "common.labels.standard" . | nindent 4 }}
app.kubernetes.io/component: keycloak
{{- if .Values.commonLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
type: Opaque
data:
{{- $replicaCount := int .Values.replicaCount }}
{{- range $i := until $replicaCount }}
{{- $replicaHost := printf "%s-%d.%s-headless" $fullname $i $fullname }}
{{- $altNames := list (printf "%s.%s.svc.%s" $replicaHost $releaseNamespace $clusterDomain) (printf "%s.%s.svc.%s" $fullname $releaseNamespace $clusterDomain) (printf "%s.%s" $replicaHost $releaseNamespace) (printf "%s.%s" $fullname $releaseNamespace) $replicaHost $fullname }}
{{- $crt := genSignedCert $replicaHost nil $altNames 365 $ca }}
keycloak-{{ $i }}.crt: {{ $crt.Cert | b64enc | quote }}
keycloak-{{ $i }}.key: {{ $crt.Key | b64enc | quote }}
{{- end }}
ca.crt: {{ $ca.Cert | b64enc | quote }}
{{- end }}