bitnami / charts

Bitnami Helm Charts
https://bitnami.com

[Bitnami/Keycloak] Ingress.tls Enable TLS configuration #7734

Closed fdarif closed 2 years ago

fdarif commented 2 years ago

Affected chart: keycloak (keycloak-5.0.7)

Describe the bug

After enabling the TLS option for Keycloak and using certManager to automate the management and issuance of TLS certificates, the Keycloak Admin Console is not accessible, because the following HTTP request fails:

http://keycloak.example.com/auth/js/keycloak.js?version=v4d5f

I think this request should be done with HTTPS instead of HTTP.

Thanks

Expected behavior

I think this request should be done with HTTPS instead of HTTP.

Version of Helm and Kubernetes:

$ helm version --short
v3.6.2+gee407bd

$ kubectl version --short
Client Version: v1.21.1
Server Version: v1.21.0

juan131 commented 2 years ago

Hi @fayssaldarif

I'd like to reproduce the exact issue you're facing on my own environment. Could you please share the exact values you're using to install Keycloak? Could you also confirm if your certManager server did issue a valid certificate for your Keycloak endpoint (via Ingress)?

fdarif commented 2 years ago

Hi @juan131

Yes, I confirm that certManager did issue a valid certificate for my keycloak endpoint.

NAME                           READY   SECRET                         AGE
keycloak.example.com-tls   True    keycloak.example.com-tls   20s

Here you can find the values yaml file.


## Global Docker image parameters
## Please, note that this will override the image parameters, including dependencies, configured to use the global value
## Current available global Docker image parameters: imageRegistry, imagePullSecrets and storageClass

## @param global.imageRegistry Global Docker image registry
## @param global.imagePullSecrets Global Docker registry secret names as an array
## @param global.storageClass Global StorageClass for Persistent Volume(s)
##
global:
  imageRegistry: ""
  ## E.g.
  ## imagePullSecrets:
  ##   - myRegistryKeySecretName
  ##
  imagePullSecrets: []
  storageClass: ""

## @section Common parameters

## @param kubeVersion Force target Kubernetes version (using Helm capabilities if not set)
##
kubeVersion: "1.21.0"
## @param nameOverride String to partially override keycloak.fullname
##
nameOverride: ""
## @param fullnameOverride String to fully override keycloak.fullname
##
fullnameOverride: ""
## @param hostAliases Add deployment host aliases
## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
##
hostAliases: []
## @param commonLabels Labels to add to all deployed objects
##
commonLabels: {}
## @param commonAnnotations Annotations to add to all deployed objects
##
commonAnnotations: {}
## @param clusterDomain Default Kubernetes cluster domain
##
clusterDomain: cluster.local
## @param extraDeploy Array of extra objects to deploy with the release
##
extraDeploy: []

## @section Keycloak parameters

## Bitnami Keycloak image version
## ref: https://hub.docker.com/r/bitnami/keycloak/tags/
## @param image.registry Keycloak image registry
## @param image.repository Keycloak image repository
## @param image.tag Keycloak image tag (immutable tags are recommended)
## @param image.pullPolicy Keycloak image pull policy
## @param image.pullSecrets Specify docker-registry secret names as an array
## @param image.debug Specify if debug logs should be enabled
##
image:
  registry: docker.io
  repository: bitnami/keycloak
  tag: 15.0.2-debian-10-r19
  ## Specify an imagePullPolicy
  ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
  ## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images
  ##
  pullPolicy: IfNotPresent
  ## Optionally specify an array of imagePullSecrets.
  ## Secrets must be manually created in the namespace.
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
  ## Example:
  ## pullSecrets:
  ##   - myRegistryKeySecretName
  ##
  pullSecrets: []
  ## Set to true if you would like to see extra information on logs
  ##
  debug: false
## Keycloak authentication parameters
## ref: https://github.com/bitnami/bitnami-docker-keycloak#admin-credentials
##
auth:
  ## @param auth.createAdminUser Create administrator user on boot
  ##
  createAdminUser: true
  ## @param auth.adminUser Keycloak administrator user
  ##
  adminUser: keycloak
  ## @param auth.adminPassword Keycloak administrator password for the new user
  ##
  adminPassword: ""
  ## @param auth.managementUser Wildfly management user
  ##
  managementUser: manager
  ## @param auth.managementPassword Wildfly management password
  ##
  managementPassword: ""
  ## @param auth.existingSecret An already existing secret containing auth info
  ## e.g:
  ## existingSecret:
  ##   name: mySecret
  ##   keyMapping:
  ##     admin-password: myPasswordKey
  ##     management-password: myManagementPasswordKey
  ##     database-password: myDatabasePasswordKey
  ##     tls-keystore-password: myTlsKeystorePasswordKey
  ##     tls-truestore-password: myTlsTruestorePasswordKey
  ##
  existingSecret: ""
  ## @param auth.existingSecretPerPassword Override `existingSecret` and other secret values
  ## e.g:
  ## existingSecretPerPassword:
  ##   keyMapping:
  ##     adminPassword: KEYCLOAK_ADMIN_PASSWORD
  ##     managementPassword: KEYCLOAK_MANAGEMENT_PASSWORD
  ##     databasePassword: password
  ##     tlsKeystorePassword: JKS_KEYSTORE_TRUSTSTORE_PASSWORD
  ##     tlsTruststorePassword: JKS_KEYSTORE_TRUSTSTORE_PASSWORD
  ##   adminPassword:
  ##     name: keycloak-test2.credentials ## release-name
  ##   managementPassword:
  ##     name: keycloak-test2.credentials
  ##   databasePassword:
  ##     name: keycloak.pocwatt-keycloak-cluster.credentials
  ##   tlsKeystorePassword:
  ##     name: keycloak-test2.credentials
  ##   tlsTruststorePassword:
  ##     name: keycloak-test2.credentials
  ##
  existingSecretPerPassword: {}
  ## TLS encryption parameters
  ## ref: https://github.com/bitnami/bitnami-docker-keycloak#tls-encryption
  ##
  tls:
    ## @param auth.tls.enabled Enable TLS encryption
    ##
    enabled: false
    ## @param auth.tls.autoGenerated Generate automatically self-signed TLS certificates. Currently only supports PEM certificates
    ##
    autoGenerated: false
    ## @param auth.tls.existingSecret Existing secret containing the TLS certificates per Keycloak replica
    ## Create this secret following the steps below:
    ## 1) Generate your truststore and keystore files (more info at https://www.keycloak.org/docs/latest/server_installation/#_setting_up_ssl)
    ## 2) Rename your truststore to `keycloak.truststore.jks`.
    ## 3) Rename your keystores to `keycloak-X.keystore.jks` where X is the ID of each Keycloak replica
    ## 4) Run the command below where SECRET_NAME is the name of the secret you want to create:
    ##       kubectl create secret generic SECRET_NAME --from-file=./keycloak.truststore.jks --from-file=./keycloak-0.keystore.jks --from-file=./keycloak-1.keystore.jks ...
    ##
    existingSecret: ""
    ## @param auth.tls.truststoreFilename Truststore specific filename inside the existing secret
    ## Note: Setting this value, you will use the same truststore file in all the replicas
    ##
    truststoreFilename: ""
    ## @param auth.tls.keystoreFilename Keystore specific filename inside the existing secret
    ## Note: Setting this value, you will use the same keystore file in all the replicas
    ##
    keystoreFilename: ""
    ## @param auth.tls.jksSecret DEPRECATED. Use `auth.tls.existingSecret` instead
    ##
    jksSecret: ""
    ## @param auth.tls.keystorePassword Password to access the keystore when it's password-protected
    ##
    keystorePassword: ""
    ## @param auth.tls.truststorePassword Password to access the truststore when it's password-protected
    ##
    truststorePassword: ""
    ## Init containers' resource requests and limits
    ## ref: http://kubernetes.io/docs/user-guide/compute-resources/
    ## We usually recommend not to specify default resources and to leave this as a conscious
    ## choice for the user. This also increases chances charts run on environments with little
    ## resources, such as Minikube. If you do want to specify resources, uncomment the following
    ## lines, adjust them as necessary, and remove the curly braces after 'resources:'.
    ## @param auth.tls.resources.limits The resources limits for the TLS init container
    ## @param auth.tls.resources.requests The requested resources for the TLS init container
    ##
    resources:
      ## Example:
      ## limits:
      ##    cpu: 100m
      ##    memory: 128Mi
      limits: {}
      ## Examples:
      ## requests:
      ##    cpu: 100m
      ##    memory: 128Mi
      requests: {}
## @param proxyAddressForwarding Enable Proxy Address Forwarding
## ref: https://www.keycloak.org/docs/latest/server_installation/#_setting-up-a-load-balancer-or-proxy
##
proxyAddressForwarding: false
## Keycloak Service Discovery settings
## ref: https://github.com/bitnami/bitnami-docker-keycloak#cluster-configuration
##
serviceDiscovery:
  ## @param serviceDiscovery.enabled Enable Service Discovery for Keycloak (required if `replicaCount` > `1`)
  ##
  enabled: false
  ## @param serviceDiscovery.protocol Sets the protocol that Keycloak nodes would use to discover new peers
  ## Available protocols can be found at http://www.jgroups.org/javadoc3/org/jgroups/protocols/
  ##
  protocol: kubernetes.KUBE_PING
  ## @param serviceDiscovery.properties Properties for the discovery protocol set in `serviceDiscovery.protocol` parameter
  ## List of key=>value pairs
  ## Example:
  ## properties:
  ##   - datasource_jndi_name=>"java:jboss/datasources/KeycloakDS"
  ##   - initialize_sql=>"CREATE TABLE IF NOT EXISTS JGROUPSPING ( own_addr varchar(200) NOT NULL, cluster_name varchar(200) NOT NULL, created timestamp default current_timestamp, ping_data BYTEA, constraint PK_JGROUPSPING PRIMARY KEY (own_addr, cluster_name))"
  ##
  properties: []
  ## @param serviceDiscovery.transportStack Transport stack for the discovery protocol set in `serviceDiscovery.protocol` parameter
  ##
  transportStack: tcp
## Keycloak cache settings
## ref: https://github.com/bitnami/bitnami-docker-keycloak#cluster-configuration
##
cache:
  ## @param cache.ownersCount Number of nodes that will replicate cached data
  ##
  ownersCount: 1
  ## @param cache.authOwnersCount Number of nodes that will replicate cached authentication data
  ##
  authOwnersCount: 1
## @param configuration Keycloak Configuration. Auto-generated based on other parameters when not specified
## Specify content for standalone-ha.xml
## NOTE: This will override configuring Keycloak based on environment variables (including those set by the chart)
## The standalone-ha.xml is auto-generated based on other parameters when this parameter is not specified
##
## Example:
## configuration: |-
##    foo: bar
##    baz:
##
configuration: ""
## @param existingConfigmap Name of existing ConfigMap with Keycloak configuration
## NOTE: When it's set the configuration parameter is ignored
##
existingConfigmap: ""
## @param extraStartupArgs Extra default startup args
##
extraStartupArgs: ""
## @param initdbScripts Dictionary of initdb scripts
## Specify dictionary of scripts to be run at first boot
## ref: https://github.com/bitnami/bitnami-docker-keycloak#initializing-a-new-instance
## Example:
## initdbScripts:
##   my_init_script.sh: |
##      #!/bin/bash
##      echo "Do something."
##
initdbScripts: {}
## @param initdbScriptsConfigMap ConfigMap with the initdb scripts (Note: Overrides `initdbScripts`)
##
initdbScriptsConfigMap: ""
## @param command Override default container command (useful when using custom images)
##
command: []
## @param args Override default container args (useful when using custom images)
##
args: []
## @param extraEnvVars Extra environment variables to be set on Keycloak container
## Example:
## extraEnvVars:
##   - name: FOO
##     value: "bar"
##
extraEnvVars: []
## @param extraEnvVarsCM Name of existing ConfigMap containing extra env vars
##
extraEnvVarsCM: ""
## @param extraEnvVarsSecret Name of existing Secret containing extra env vars
##
extraEnvVarsSecret: ""

## @section keycloak-config-cli parameters

## Configuration for keycloak-config-cli
## ref: https://github.com/adorsys/keycloak-config-cli
##
keycloakConfigCli:
  ## @param keycloakConfigCli.enabled Whether to enable keycloak-config-cli
  ##
  enabled: false
  ## Bitnami keycloak-config-cli image
  ## ref: https://hub.docker.com/r/bitnami/keycloak-config-cli/tags/
  ## @param keycloakConfigCli.image.registry keycloak-config-cli container image registry
  ## @param keycloakConfigCli.image.repository keycloak-config-cli container image repository
  ## @param keycloakConfigCli.image.tag keycloak-config-cli container image tag
  ## @param keycloakConfigCli.image.pullPolicy keycloak-config-cli container image pull policy
  ## @param keycloakConfigCli.image.pullSecrets keycloak-config-cli container image pull secrets
  ##
  image:
    registry: docker.io
    repository: bitnami/keycloak-config-cli
    tag: 4.2.0-debian-10-r29
    ## Specify an imagePullPolicy
    ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
    ## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images
    ##
    pullPolicy: IfNotPresent
    ## Optionally specify an array of imagePullSecrets.
    ## Secrets must be manually created in the namespace.
    ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
    ## e.g:
    ## pullSecrets:
    ##   - myRegistryKeySecretName
    ##
    pullSecrets: []
  ## @param keycloakConfigCli.annotations [objects] Annotations for keycloak-config-cli job
  ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
  ##
  annotations:
    helm.sh/hook: "post-install,post-upgrade,post-rollback"
    helm.sh/hook-delete-policy: "hook-succeeded,before-hook-creation"
    helm.sh/hook-weight: "5"
  ## @param keycloakConfigCli.command Command for running the container (set to default if not set). Use array form
  ##
  command: []
  ## @param keycloakConfigCli.args Args for running the container (set to default if not set). Use array form
  ##
  args: []
  ## @param keycloakConfigCli.hostAliases Job pod host aliases
  ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
  ##
  hostAliases: []
  ## Keycloak config CLI resource requests and limits
  ## ref: http://kubernetes.io/docs/user-guide/compute-resources/
  ## We usually recommend not to specify default resources and to leave this as a conscious
  ## choice for the user. This also increases chances charts run on environments with little
  ## resources, such as Minikube. If you do want to specify resources, uncomment the following
  ## lines, adjust them as necessary, and remove the curly braces after 'resources:'.
  ## @param keycloakConfigCli.resources.limits The resources limits for the keycloak-config-cli container
  ## @param keycloakConfigCli.resources.requests The requested resources for the keycloak-config-cli container
  ##
  resources:
    ## Example:
    ## limits:
    ##    cpu: 200m
    ##    memory: 256Mi
    limits: {}
    ## Examples:
    ## requests:
    ##    cpu: 200m
    ##    memory: 10Mi
    requests: {}
  ## keycloak-config-cli containers' Security Context
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
  ## @param keycloakConfigCli.containerSecurityContext.enabled Enabled keycloak-config-cli containers' Security Context
  ## @param keycloakConfigCli.containerSecurityContext.runAsUser Set keycloak-config-cli container's Security Context runAsUser
  ## @param keycloakConfigCli.containerSecurityContext.runAsNonRoot Set keycloak-config-cli container's Security Context runAsNonRoot
  ##
  containerSecurityContext:
    enabled: true
    runAsUser: 1002
    runAsNonRoot: true
  ## keycloak-config-cli pods' Security Context
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
  ## @param keycloakConfigCli.podSecurityContext.enabled Enabled keycloak-config-cli pods' Security Context
  ## @param keycloakConfigCli.podSecurityContext.fsGroup Set keycloak-config-cli pod's Security Context fsGroup
  ##
  podSecurityContext:
    enabled: true
    fsGroup: 1002
  ## @param keycloakConfigCli.backoffLimit Number of retries before considering a Job as failed
  ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy
  ##
  backoffLimit: 1
  ## @param keycloakConfigCli.podLabels Pod extra labels
  ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
  ##
  podLabels: {}
  ## @param keycloakConfigCli.podAnnotations Annotations for job pod
  ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
  ##
  podAnnotations: {}
  ## @param keycloakConfigCli.extraEnvVars Additional environment variables to set
  ## Example:
  ## extraEnvVars:
  ##   - name: FOO
  ##     value: "bar"
  ##
  extraEnvVars: []
  ## @param keycloakConfigCli.extraEnvVarsCM ConfigMap with extra environment variables
  ##
  extraEnvVarsCM: ""
  ## @param keycloakConfigCli.extraEnvVarsSecret Secret with extra environment variables
  ##
  extraEnvVarsSecret: ""
  ## @param keycloakConfigCli.extraVolumes Extra volumes to add to the job
  ##
  extraVolumes: []
  ## @param keycloakConfigCli.extraVolumeMounts Extra volume mounts to add to the container
  ##
  extraVolumeMounts: []
  ## @param keycloakConfigCli.configuration keycloak-config-cli realms configuration
  ## NOTE: nil keys will be considered files to import locally
  ## Example:
  ## configuration:
  ##   realm1.json: |
  ##     {
  ##       "realm": "realm1",
  ##       "clients": []
  ##     }
  ##   files/realm2.yaml:
  ##   realm3.yaml: |
  ##     realm: realm3
  ##     clients: []
  ##
  configuration: {}
  ## @param keycloakConfigCli.existingConfigmap ConfigMap with keycloak-config-cli configuration. This will override `keycloakConfigCli.configuration`
  ## NOTE: This will override keycloakConfigCli.configuration
  ##
  existingConfigmap: ""

## @section Keycloak deployment/statefulset parameters

## @param replicaCount Number of Keycloak replicas to deploy
##
replicaCount: 1
## @param containerPorts [object] Keycloak container ports to open
##
containerPorts:
  http: 8080
  https: 8443
## Keycloak pods' Security Context
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
## @param podSecurityContext.enabled Enabled Keycloak pods' Security Context
## @param podSecurityContext.fsGroup Set Keycloak pod's Security Context fsGroup
##
podSecurityContext:
  enabled: true
  fsGroup: 1002
## Keycloak containers' Security Context
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
## @param containerSecurityContext.enabled Enabled Keycloak containers' Security Context
## @param containerSecurityContext.runAsUser Set Keycloak container's Security Context runAsUser
## @param containerSecurityContext.runAsNonRoot Set Keycloak container's Security Context runAsNonRoot
##
containerSecurityContext:
  enabled: true
  runAsUser: 1002
  runAsNonRoot: true
## Keycloak resource requests and limits
## ref: http://kubernetes.io/docs/user-guide/compute-resources/
## We usually recommend not to specify default resources and to leave this as a conscious
## choice for the user. This also increases chances charts run on environments with little
## resources, such as Minikube. If you do want to specify resources, uncomment the following
## lines, adjust them as necessary, and remove the curly braces after 'resources:'.
## @param resources.limits The resources limits for the Keycloak container
## @param resources.requests The requested resources for the Keycloak container
##
resources:
  ## Example:
  limits:
    cpu: 1.5
    memory: 1536Mi
  ##
  #limits: {}
  ## Examples:
  requests:
    cpu: 250m
    memory: 256Mi
## Configure extra options for startup probe
## When enabling this, make sure to set initialDelaySeconds to 0 for livenessProbe and readinessProbe
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes
## @param startupProbe.enabled Enable startupProbe
## @param startupProbe.httpGet.path Request path for startupProbe
## @param startupProbe.httpGet.port Port for startupProbe
## @param startupProbe.initialDelaySeconds Initial delay seconds for startupProbe
## @param startupProbe.periodSeconds Period seconds for startupProbe
## @param startupProbe.timeoutSeconds Timeout seconds for startupProbe
## @param startupProbe.failureThreshold Failure threshold for startupProbe
## @param startupProbe.successThreshold Success threshold for startupProbe
##
startupProbe:
  enabled: false
  httpGet:
    path: /auth/
    port: http
  initialDelaySeconds: 30
  periodSeconds: 5
  timeoutSeconds: 1
  failureThreshold: 60
  successThreshold: 1
## Configure extra options for liveness probe
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes
## @param livenessProbe.enabled Enable livenessProbe
## @param livenessProbe.httpGet.path Request path for livenessProbe
## @param livenessProbe.httpGet.port Port for livenessProbe
## @param livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe
## @param livenessProbe.periodSeconds Period seconds for livenessProbe
## @param livenessProbe.timeoutSeconds Timeout seconds for livenessProbe
## @param livenessProbe.failureThreshold Failure threshold for livenessProbe
## @param livenessProbe.successThreshold Success threshold for livenessProbe
##
livenessProbe:
  enabled: true
  httpGet:
    path: /auth/
    port: http
  initialDelaySeconds: 300
  periodSeconds: 1
  timeoutSeconds: 5
  failureThreshold: 3
  successThreshold: 1
## Configure extra options for readiness probe
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes
## @param readinessProbe.enabled Enable readinessProbe
## @param readinessProbe.httpGet.path Request path for readinessProbe
## @param readinessProbe.httpGet.port Port for readinessProbe
## @param readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe
## @param readinessProbe.periodSeconds Period seconds for readinessProbe
## @param readinessProbe.timeoutSeconds Timeout seconds for readinessProbe
## @param readinessProbe.failureThreshold Failure threshold for readinessProbe
## @param readinessProbe.successThreshold Success threshold for readinessProbe
##
readinessProbe:
  enabled: true
  httpGet:
    path: /auth/realms/master
    port: http
  initialDelaySeconds: 30
  periodSeconds: 10
  timeoutSeconds: 1
  failureThreshold: 3
  successThreshold: 1
## @param customStartupProbe Custom Startup probes for Keycloak
##
customStartupProbe: {}
## @param customLivenessProbe Custom Liveness probes for Keycloak
##
customLivenessProbe: {}
## @param customReadinessProbe Custom Readiness probes for Keycloak
##
customReadinessProbe: {}
## Strategy to use to update Pods
##
updateStrategy:
  ## @param updateStrategy.type StrategyType
  ## Can be set to RollingUpdate or OnDelete
  ##
  type: RollingUpdate
## @param podAffinityPreset Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
##
podAffinityPreset: ""
## @param podAntiAffinityPreset Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
##
podAntiAffinityPreset: soft
## Node affinity preset
## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity
##
nodeAffinityPreset:
  ## @param nodeAffinityPreset.type Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
  ##
  type: ""
  ## @param nodeAffinityPreset.key Node label key to match. Ignored if `affinity` is set.
  ## E.g.
  ## key: "kubernetes.io/e2e-az-name"
  ##
  key: ""
  ## @param nodeAffinityPreset.values Node label values to match. Ignored if `affinity` is set.
  ## E.g.
  ## values:
  ##   - e2e-az1
  ##   - e2e-az2
  ##
  values: []
## @param affinity Affinity for pod assignment
## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
##
affinity: {}
## @param nodeSelector Node labels for pod assignment
## ref: https://kubernetes.io/docs/user-guide/node-selection/
##
nodeSelector: {}
## @param tolerations Tolerations for pod assignment
## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
##
tolerations: []
## @param podLabels Extra labels for Keycloak pods
## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
##
podLabels: {}
## @param podAnnotations Annotations for Keycloak pods
## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
##
podAnnotations: {}
## @param priorityClassName Keycloak pods' priority.
## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/
##
priorityClassName: ""
## @param lifecycleHooks LifecycleHooks to set additional configuration at startup
##
lifecycleHooks: {}
## @param extraVolumes Optionally specify extra list of additional volumes for Keycloak pods
##
extraVolumes: []
## @param extraVolumeMounts Optionally specify extra list of additional volumeMounts for Keycloak container(s)
##
extraVolumeMounts: []
## @param initContainers Add additional init containers to the Keycloak pods
## Example:
## initContainers:
##   - name: your-image-name
##     image: your-image
##     imagePullPolicy: Always
##     ports:
##       - name: portname
##         containerPort: 1234
##
initContainers: []
## @param sidecars Add additional sidecar containers to the Keycloak pods
## Example:
## sidecars:
##   - name: your-image-name
##     image: your-image
##     imagePullPolicy: Always
##     ports:
##       - name: portname
##         containerPort: 1234
##
sidecars: []

## @section Exposure parameters

## Service configuration
##
service:
  ## @param service.type Kubernetes service type
  ##
  #type: LoadBalancer
  type: ClusterIP
  ## @param service.port Service HTTP port
  ##
  port: 80
  ## @param service.httpsPort HTTPS Port
  ##
  httpsPort: 443
  ## @param service.nodePorts [object] Specify the nodePort values for the LoadBalancer and NodePort service types.
  ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport
  ##
  nodePorts:
    http: ""
    https: ""
  ## @param service.clusterIP Keycloak service clusterIP IP
  ## e.g:
  ## clusterIP: None
  ##
  clusterIP: ""
  ## @param service.loadBalancerIP loadBalancerIP for the Keycloak Service (optional, cloud specific)
  ## ref: http://kubernetes.io/docs/user-guide/services/#type-loadbalancer
  ##
  loadBalancerIP: ""
  ## @param service.loadBalancerSourceRanges Addresses that are allowed when service is LoadBalancer
  ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
  ## Example:
  ## loadBalancerSourceRanges:
  ##   - 10.10.10.0/24
  ##
  loadBalancerSourceRanges: []
  ## @param service.externalTrafficPolicy Enable client source IP preservation
  ## ref http://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
  ##
  externalTrafficPolicy: Cluster
  ## @param service.annotations Annotations for Keycloak service
  ##
  annotations: {}
## Ingress configuration
##
ingress:
  ## @param ingress.enabled Enable ingress controller resource
  ##
  enabled: true
  ## @param ingress.certManager Add annotations for cert-manager
  ##
  certManager: true
  ## @param ingress.hostname Default host for the ingress resource
  ##
  hostname: keycloak.example.com
  ## @param ingress.apiVersion Force Ingress API version (automatically detected if not set)
  ##
  apiVersion: ""
  ## @param ingress.ingressClassName IngressClass that will be used to implement the Ingress (Kubernetes 1.18+)
  ## This is supported in Kubernetes 1.18+ and required if you have more than one IngressClass marked as the default for your cluster
  ## ref: https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/
  ##
  ingressClassName: ""
  ## @param ingress.path Ingress path
  ##
  path: /
  ## @param ingress.pathType Ingress path type
  ##
  pathType: ImplementationSpecific
  #pathType: Prefix
  ## @param ingress.annotations Ingress annotations
  ## For a full list of possible ingress annotations, please see
  ## ref: https://github.com/kubernetes/ingress-nginx/blob/master/docs/user-guide/nginx-configuration/annotations.md
  ##
  ## If certManager is set to true, annotation kubernetes.io/tls-acme: "true" will automatically be set
  ##
  annotations:
    cert-manager.io/acme-challenge-type: http01
    cert-manager.io/cluster-issuer: letsencrypt-prod
    kubernetes.io/ingress.class: nginx

  ## @param ingress.tls Enable TLS configuration for the hostname defined at `ingress.hostname` parameter
  ## TLS certificates will be retrieved from a TLS secret with name: {{- printf "%s-tls" .Values.ingress.hostname }}
  ## You can use the ingress.secrets parameter to create this TLS secret, rely on cert-manager to create it, or
  ## let the chart create self-signed certificates for you
  ##
  tls: true
  ## @param ingress.extraHosts The list of additional hostnames to be covered with this ingress record.
  ## Most likely the hostname above will be enough, but in the event more hosts are needed, this is an array
  ## Example:
  ## extraHosts:
  ##   - name: keycloak.local
  ##     path: /
  ##
  extraHosts: []
  ## @param ingress.extraTls The tls configuration for additional hostnames to be covered with this ingress record.
  ## see: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
  ## Example:
  ## extraTls:
  ## - hosts:
  ##     - keycloak.local
  ##   secretName: keycloak.local-tls
  ##
  extraTls: []
  ## @param ingress.secrets If you're providing your own certificates, please use this to add the certificates as secrets
  ## key and certificate should start with -----BEGIN CERTIFICATE----- or -----BEGIN RSA PRIVATE KEY-----
  ## name should line up with a secretName set further up
  ##
  ## If it is not set and you're using cert-manager, this is unneeded, as it will create the secret for you
  ## If it is not set and you're NOT using cert-manager either, self-signed certificates will be created
  ## It is also possible to create and manage the certificates outside of this helm chart
  ## Please see README.md for more information
  ##
  ## Example
  ## secrets:
  ##   - name: aspnet-core.local-tls
  ##     key: ""
  ##     certificate: ""
  ##
  secrets: []
  ## @param ingress.existingSecret Name of an existing secret holding your own TLS certificate for the ingress
  ##
  existingSecret: ""
  ## @param ingress.servicePort Service port to be used
  ## Default is http. Alternative is https.
  ##
  servicePort: http
## Network Policy configuration
## ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/
##
networkPolicy:
  ## @param networkPolicy.enabled Enable the default NetworkPolicy policy
  ##
  enabled: false
  ## @param networkPolicy.allowExternal Don't require client label for connections
  ## The Policy model to apply. When set to false, only pods with the correct
  ## client label will have network access to the ports Keycloak is listening
  ## on. When true, Keycloak will accept connections from any source
  ## (with the correct destination port).
  ##
  allowExternal: true
  ## @param networkPolicy.additionalRules Additional NetworkPolicy rules
  ## Note that all rules are OR-ed.
  ## Example:
  ## additionalRules:
  ##   - matchLabels:
  ##       - role: frontend
  ##   - matchExpressions:
  ##       - key: role
  ##         operator: In
  ##         values:
  ##           - frontend
  ##
  additionalRules: {}

## @section RBAC parameters

## Specifies whether a ServiceAccount should be created
##
serviceAccount:
  ## @param serviceAccount.create Enable the creation of a ServiceAccount for Keycloak pods
  ##
  create: true
  ## @param serviceAccount.name Name of the created ServiceAccount
  ## If not set and create is true, a name is generated using the fullname template
  ##
  name: ""
## Specifies whether RBAC resources should be created
##
rbac:
  ## @param rbac.create Whether to create and use RBAC resources or not
  ##
  create: false
  ## @param rbac.rules Custom RBAC rules
  ## Example:
  ## rules:
  ##   - apiGroups:
  ##       - ""
  ##     resources:
  ##       - pods
  ##     verbs:
  ##       - get
  ##       - list
  ##
  rules: []

## @section Other parameters

## Keycloak Pod Disruption Budget configuration
## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/
##
pdb:
  ## @param pdb.create Enable/disable a Pod Disruption Budget creation
  ##
  create: false
  ## @param pdb.minAvailable Minimum number/percentage of pods that should remain scheduled
  ##
  minAvailable: 1
  ## @param pdb.maxUnavailable Maximum number/percentage of pods that may be made unavailable
  ##
  maxUnavailable: ""
## Keycloak Autoscaling configuration
## @param autoscaling.enabled Enable autoscaling for Keycloak
## @param autoscaling.minReplicas Minimum number of Keycloak replicas
## @param autoscaling.maxReplicas Maximum number of Keycloak replicas
## @param autoscaling.targetCPU Target CPU utilization percentage
## @param autoscaling.targetMemory Target Memory utilization percentage
##
autoscaling:
  enabled: false
  minReplicas: 1
  maxReplicas: 11
  targetCPU: ""
  targetMemory: ""

## @section Metrics parameters

## Metrics configuration
##
metrics:
  ## @param metrics.enabled Enable exposing Keycloak statistics
  ## ref: https://github.com/bitnami/bitnami-docker-keycloak#enabling-statistics
  ##
  enabled: true
  ## Keycloak metrics service parameters
  ##
  service:
    ## @param metrics.service.port Service HTTP management port
    ##
    port: 9990
    ## @param metrics.service.annotations [object] Annotations for enabling prometheus to access the metrics endpoints
    ##
    annotations:
      prometheus.io/scrape: "true"
      prometheus.io/port: "{{ .Values.metrics.service.port }}"
  ## Prometheus Operator ServiceMonitor configuration
  ##
  serviceMonitor:
    ## @param metrics.serviceMonitor.enabled Create ServiceMonitor Resource for scraping metrics using PrometheusOperator
    ##
    enabled: true
    ## @param metrics.serviceMonitor.namespace Namespace which Prometheus is running in
    ##
    namespace: "monitoring"
    ## @param metrics.serviceMonitor.interval Interval at which metrics should be scraped
    ##
    interval: 30s
    ## @param metrics.serviceMonitor.scrapeTimeout Specify the timeout after which the scrape is ended
    ## e.g:
    ##   scrapeTimeout: 30s
    ##
    scrapeTimeout: 10s
    ## @param metrics.serviceMonitor.relabellings Specify Metric Relabellings to add to the scrape endpoint
    ##
    relabellings: []
    ## @param metrics.serviceMonitor.honorLabels honorLabels chooses the metric's labels on collisions with target labels
    ##
    honorLabels: false
    ## @param metrics.serviceMonitor.additionalLabels Used to pass Labels that are required by the installed Prometheus Operator
    ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#prometheusspec
    ##
    additionalLabels: {}

## @section Database parameters

## PostgreSQL chart configuration
## ref: https://github.com/bitnami/charts/blob/master/bitnami/postgresql/values.yaml
##
postgresql:
  ## @param postgresql.enabled Deploy a PostgreSQL server to satisfy the applications database requirements
  ##
  enabled: false
  ## @param postgresql.postgresqlUsername Keycloak PostgreSQL user (has superuser privileges if username is `postgres`)
  ## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md#setting-the-root-password-on-first-run
  ##
  postgresqlUsername: keycloak

  ## @param postgresql.postgresqlPassword Keycloak PostgreSQL password - ignored if existingSecret is provided
  ## Defaults to a random 10-character alphanumeric string if not set
  ## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md#setting-the-root-password-on-first-run
  ##
  postgresqlPassword: "keycloak"
  ## @param postgresql.postgresqlDatabase Name of the database to create
  ## ref: https://github.com/bitnami/bitnami-docker-postgresql/blob/master/README.md#creating-a-database-on-first-run
  ##
  postgresqlDatabase: keycloak
  ## @param postgresql.existingSecret Use an existing secret file with the PostgreSQL password
  ##
  existingSecret: ""
  ## Enable persistence using Persistent Volume Claims
  ## ref: http://kubernetes.io/docs/user-guide/persistent-volumes
  ##

  ## K8s Security Context
  ## https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
  ## @param postgresql.securityContext.enabled Enable security context for PostgreSQL with Repmgr
  ## @param postgresql.securityContext.fsGroup Group ID for the PostgreSQL with Repmgr filesystem
  ##
  securityContext:
    enabled: true
    fsGroup: 1002

  ## Container Security Context
  ## https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
  ## @param postgresql.containerSecurityContext.enabled Enable container security context
  ## @param postgresql.containerSecurityContext.runAsUser User ID for the PostgreSQL with Repmgr container
  ##
  containerSecurityContext:
    enabled: true
    runAsUser: 1002

  resources:
    ## Example:
    limits:
      cpu: 1.5
      memory: 1536Mi
    ##
    #limits: {}
    ## Examples:
    requests:
      cpu: 250m
      memory: 256Mi

  audit:
    ## @param postgresql.audit.logHostname Add client hostnames to the log file
    ##
    logHostname: true
    ## @param postgresql.audit.logConnections Add client log-in operations to the log file
    ##
    logConnections: false
    ## @param postgresql.audit.logDisconnections Add client log-outs operations to the log file
    ##
    logDisconnections: false
    ## @param postgresql.audit.pgAuditLog Add operations to log using the pgAudit extension
    ##
    pgAuditLog: ""
    ## @param postgresql.audit.pgAuditLogCatalog Log catalog using pgAudit
    ##
    pgAuditLogCatalog: "off"
    ## @param postgresql.audit.clientMinMessages Message log level to share with the user
    ##
    clientMinMessages: error
    ## @param postgresql.audit.logLinePrefix Template string for the log line prefix
    ##
    logLinePrefix: ""
    ## @param postgresql.audit.logTimezone Timezone for the log timestamps
    ##
    logTimezone: "Europe/Paris"

  persistence:
    ## @param postgresql.persistence.enabled Enable PostgreSQL persistence using PVC
    enabled: true

    ## @param postgresql.persistence.storageClass Persistent Volume Storage Class
    ## If defined, storageClassName: <storageClass>
    ## If set to "-", storageClassName: "", which disables dynamic provisioning
    ## If undefined (the default) or set to null, no storageClassName spec is
    ## set, choosing the default provisioner.
    storageClass: "local-path"

    ## @param postgresql.persistence.mountPath The path the volume will be mounted at, useful when using different PostgreSQL images.
    mountPath: /opt/postgresql/demo

    ## @param postgresql.persistence.size Persistent Volume Claim size
    ##
    size: 40Gi

## External database configuration
##
externalDatabase:
  ## @param externalDatabase.host Host of the external database
  ##
  host: "postgresql-ha-pgpool.demo.svc.cluster.local"
  ## @param externalDatabase.port Database port
  ##
  port: 5432
  ## @param externalDatabase.user Non-admin username for the Keycloak database
  ##
  user: myuser
  ## @param externalDatabase.password Database password
  ##
  password: "myupassword"
  ## @param externalDatabase.database Database name
  ##
  database: mydatabase
  ## @param externalDatabase.existingSecret Use an existing secret file with the external PostgreSQL credentials
  ##
  existingSecret: ""
juan131 commented 2 years ago

Hi @fayssaldarif

Please correct me if I'm wrong but these are the values that you actually did change:

```yaml
auth:
  adminUser: keycloak
resources:
  limits:
    cpu: 1.5
    memory: 1536Mi
  requests:
    cpu: 250m
    memory: 256Mi
service:
  type: ClusterIP
ingress:
  enabled: true
  certManager: true
  hostname: keycloak.example.com
  annotations:
    cert-manager.io/acme-challenge-type: http01
    cert-manager.io/cluster-issuer: letsencrypt-prod
    kubernetes.io/ingress.class: nginx
  tls: true
metrics:
  enabled: true
  serviceMonitor:
    enabled: true
externalDatabase:
  host: "postgresql-ha-pgpool.demo.svc.cluster.local"
  user: myuser
  password: "myupassword"
  database: mydatabase
  existingSecret: ""
```

I was able to reproduce the issue... Obtaining an ERR_TOO_MANY_REDIRECTS error in the browser due to constant redirections from https to http, and vice versa:

```
$ curl -LI https://keycloak.example.com/auth
(...)
HTTP/1.1 308 Permanent Redirect
Date: Mon, 11 Oct 2021 07:52:31 GMT
Content-Type: text/html
Content-Length: 164
Connection: keep-alive
Location: https://keycloak.example.com/auth

HTTP/2 303
date: Mon, 11 Oct 2021 07:52:31 GMT
content-length: 0
location: http://keycloak.example.com/auth/
x-xss-protection: 1; mode=block
strict-transport-security: max-age=15724800; includeSubDomains
x-content-type-options: nosniff
referrer-policy: no-referrer
(...)
```

I could fix it by setting proxyAddressForwarding to true; find more info below:
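
Added example, not part of juan131's reply or of the chart: a small POSIX sh check that reads a saved `curl -sLI` header dump and flags the https/http redirect ping-pong shown in the output above, i.e. the ingress upgrading to TLS and Keycloak sending the client back to plain HTTP because it does not see X-Forwarded-Proto. The hostname keycloak.example.com is the one used in this thread; both sample chains are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread or from the chart. It scans a
# `curl -sLI` header dump for the https -> http -> https redirect loop seen
# when Keycloak sits behind a TLS-terminating ingress but does not honour
# X-Forwarded-Proto (proxyAddressForwarding left at false).
# Real input:  curl -sLI https://keycloak.example.com/auth > chain.txt

# Constructed sample: the 308 (ingress upgrade) / 303 (Keycloak downgrade)
# pair from the thread, repeated as curl -L shows it while looping.
LOOP_CHAIN='HTTP/1.1 308 Permanent Redirect
Location: https://keycloak.example.com/auth

HTTP/2 303
location: http://keycloak.example.com/auth/

HTTP/1.1 308 Permanent Redirect
Location: https://keycloak.example.com/auth/

HTTP/2 303
location: http://keycloak.example.com/auth/'

# Constructed sample of a healthy chain: one upgrade, then the console loads.
OK_CHAIN='HTTP/1.1 308 Permanent Redirect
Location: https://keycloak.example.com/auth

HTTP/2 303
location: https://keycloak.example.com/auth/

HTTP/2 200
content-type: text/html'

# Print only the scheme (http|https) of each Location header, in order.
# Matched case-insensitively: curl prints "Location:" for HTTP/1.1 and
# "location:" for HTTP/2 responses, as in the dump above.
location_schemes() {
  grep -i '^location:' | sed -E 's/^[Ll]ocation:[[:space:]]*(https?):.*/\1/'
}

# Exit 0 when the scheme flips at least twice (https -> http -> https), the
# signature of the loop; a chain that merely upgrades once exits 1.
has_scheme_loop() {
  flips=$(location_schemes | awk 'NR>1 && $0!=prev {n++} {prev=$0} END {print n+0}')
  [ "$flips" -ge 2 ]
}

# Exit 0 when any hop points back at plain http://, which behind a TLS-only
# ingress is already wrong before the loop becomes visible.
has_http_downgrade() {
  location_schemes | grep -qx 'http'
}
```

Run it as `sh check.sh < chain.txt` after adding a final `printf '%s\n' "$(cat)" | has_scheme_loop && echo "loop"` line, or source the file and pipe a dump into `has_scheme_loop` directly; a hit means the chart's proxyAddressForwarding setting, not the certificate, needs attention.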

fdarif commented 2 years ago

Thanks @juan131

juan131 commented 2 years ago

I proceed to close the issue; feel free to reopen it if you require further assistance.