Closed gfragi closed 1 year ago
Hi @gfragi,
It seems that the file (/bitnami/keycloak/conf/keycloak.conf) does not exist:

```
ls -la /bitnami/keycloak/conf/keycloak.conf
ls: cannot access '/bitnami/keycloak/conf/keycloak.conf': No such file or directory
```
What should I do, as soon as I deploy it from the chart without major changes in the values yaml file?
Hi @gfragi,
Did you try to use the parameter configuration?
```yaml
## @param configuration Keycloak Configuration. Auto-generated based on other parameters when not specified
## Specify content for keycloak.conf
## NOTE: This will override configuring Keycloak based on environment variables (including those set by the chart)
## The keycloak.conf is auto-generated based on other parameters when this parameter is not specified
##
## Example:
## configuration: |-
##    foo: bar
##    baz:
##
configuration: ""
```
No, I don't use this parameter! Should I? And what should I configure there?
Hi @gfragi,
With that parameter, you can add the configuration you want. What exactly are you going to do?
I am glad that you are answering me. I just need to deploy the default configuration of Keycloak by using the Bitnami Helm chart. I really don't understand the issue here! Can you explain to me why this issue comes up, as long as I don't use configuration values in my values yaml?
Hi @gfragi,
In this case, it is better if you create a ConfigMap and use the value existingConfigmap, with the configuration you want.
This Issue has been automatically marked as "stale" because it has not had recent activity (for 15 days). It will be closed if no further activity occurs. Thanks for the feedback.
Due to the lack of activity in the last 5 days since it was marked as "stale", we proceed to close this Issue. Do not hesitate to reopen it later if necessary.
Hello, even when using the existingConfigmap parameter, the issue is the same; the pod log output is:

```
cp: cannot overwrite non-directory '/opt/bitnami/keycloak/conf/keycloak.conf' with directory '/bitnami/keycloak/conf/keycloak.conf'
```

I've also tested the extraVolumes and extraVolumeMounts to load the config in the /opt/keycloak/data/import, but no realm is imported.
What is the way to bootstrap a config using the helm chart?
The chart version used is targetRevision: 12.2.0
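The ConfigMap route suggested by the maintainer above, set against the `cp: cannot overwrite non-directory ... with directory` failure reported afterwards: an added example (not code from the Bitnami chart or from anyone in this thread) of a ConfigMap that carries a real `keycloak.conf` file, plus the values fragment that points the chart at it. Assumptions: the chart reads the ConfigMap key named `keycloak.conf` (the file name the `configuration` parameter describes), the ConfigMap name `keycloak-conf` is hypothetical, the namespace `sso` is taken from the reporter's `namespaceOverride`, and the settings inside are illustrative.

```yaml
# Added example, not from the Bitnami chart: a ConfigMap carrying the
# keycloak.conf file for the chart's `existingConfigmap` parameter.
# Assumption: the chart reads the key named "keycloak.conf"; the ConfigMap
# name and the settings below are illustrative, not chart defaults.
apiVersion: v1
kind: ConfigMap
metadata:
  name: keycloak-conf          # hypothetical name
  namespace: sso               # matches the reporter's namespaceOverride
data:
  # The key MUST be the file name; a ConfigMap without this key gives the
  # pod nothing to mount as a file at /bitnami/keycloak/conf/keycloak.conf.
  keycloak.conf: |
    # Production-mode settings consistent with the values in this thread
    # (production: true, proxy: passthrough, tls.enabled: true, metrics on).
    proxy=passthrough
    hostname=keycloak.local
    hostname-strict=true
    http-enabled=true
    https-port=8443
    metrics-enabled=true
    log-level=INFO
---
# values.yaml fragment: reference the ConfigMap above. Per the chart's own
# comment, setting existingConfigmap makes the inline `configuration`
# parameter ignored, so keep Keycloak settings in the ConfigMap only.
existingConfigmap: keycloak-conf
```

Before deploying, `kubectl get configmap keycloak-conf -n sso -o jsonpath='{.data.keycloak\.conf}'` should print the file body; an empty result means the key is missing, and mounting a missing key via subPath yields an empty directory instead of a file, which is consistent with the `cp` error quoted above.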
Name and Version
bitnami/keycloak-13.3.0
What architecture are you using?
None
What steps will reproduce the bug?
```yaml
## @param global.imageRegistry Global Docker image registry
## @param global.imagePullSecrets Global Docker registry secret names as an array
## @param global.storageClass Global StorageClass for Persistent Volume(s)
global:
  imageRegistry: ""
  ## E.g.
  ## imagePullSecrets:
  ##   - myRegistryKeySecretName
  imagePullSecrets: []
  storageClass: ""

## @section Common parameters

## @param kubeVersion Force target Kubernetes version (using Helm capabilities if not set)
kubeVersion: ""
## @param nameOverride String to partially override common.names.fullname
nameOverride: ""
## @param fullnameOverride String to fully override common.names.fullname
fullnameOverride: ""
## @param namespaceOverride String to fully override common.names.namespace
namespaceOverride: sso
## @param commonLabels Labels to add to all deployed objects
commonLabels: {}
## @param enableServiceLinks If set to false, disable Kubernetes service links in the pod spec
## Ref: https://kubernetes.io/docs/tutorials/services/connect-applications-service/#accessing-the-service
enableServiceLinks: true
## @param commonAnnotations Annotations to add to all deployed objects
commonAnnotations: {}
## @param clusterDomain Default Kubernetes cluster domain
clusterDomain: cluster.local
## @param extraDeploy Array of extra objects to deploy with the release
extraDeploy: []
## Enable diagnostic mode in the statefulset
diagnosticMode:
  ## @param diagnosticMode.enabled Enable diagnostic mode (all probes will be disabled and the command will be overridden)
  enabled: false
  ## @param diagnosticMode.command Command to override all containers in the statefulset
  command:
  ## @param diagnosticMode.args Args to override all containers in the statefulset
  args:

## @section Keycloak parameters

## Bitnami Keycloak image version
## ref: https://hub.docker.com/r/bitnami/keycloak/tags/
## @param image.registry Keycloak image registry
## @param image.repository Keycloak image repository
## @param image.tag Keycloak image tag (immutable tags are recommended)
## @param image.digest Keycloak image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag
## @param image.pullPolicy Keycloak image pull policy
## @param image.pullSecrets Specify docker-registry secret names as an array
## @param image.debug Specify if debug logs should be enabled
image:
  registry: docker.io
  repository: bitnami/keycloak
  tag: 20.0.5-debian-11-r4
  digest: ""
  ## Specify an imagePullPolicy
  ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
  ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images
  pullPolicy: IfNotPresent
  ## Optionally specify an array of imagePullSecrets.
  ## Secrets must be manually created in the namespace.
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
  ## Example:
  ## pullSecrets:
  ##   - myRegistryKeySecretName
  pullSecrets: []
  ## Set to true if you would like to see extra information on logs
  debug: false
## Keycloak authentication parameters
## ref: https://github.com/bitnami/containers/tree/main/bitnami/keycloak#admin-credentials
auth:
  ## @param auth.adminUser Keycloak administrator user
  adminUser: kadmin
  ## @param auth.adminPassword Keycloak administrator password for the new user
  adminPassword:
  ## @param auth.existingSecret Existing secret containing Keycloak admin password
  existingSecret: ""
  ## @param auth.passwordSecretKey Key where the Keycloak admin password is being stored inside the existing secret.
  passwordSecretKey: ""
## HTTPS settings
## ref: https://github.com/bitnami/containers/tree/main/bitnami/keycloak#tls-encryption
tls:
  ## @param tls.enabled Enable TLS encryption. Required for HTTPs traffic.
  enabled: true
  ## @param tls.autoGenerated Generate automatically self-signed TLS certificates. Currently only supports PEM certificates
  autoGenerated: true
  ## @param tls.existingSecret Existing secret containing the TLS certificates per Keycloak replica
  ## Create this secret following the steps below:
  ## 1) Generate your truststore and keystore files (more info at https://www.keycloak.org/docs/latest/server_installation/#_setting_up_ssl)
  ## 2) Rename your truststore to `keycloak.truststore.jks` or use a different name overwriting the value 'tls.truststoreFilename'.
  ## 3) Rename your keystores to `keycloak.keystore.jks` or use a different name overwriting the value 'tls.keystoreFilename'.
  ## 4) Run the command below where SECRET_NAME is the name of the secret you want to create:
  ##      kubectl create secret generic SECRET_NAME --from-file=./keycloak.truststore.jks --from-file=./keycloak.keystore.jks
  ## NOTE: If usePem enabled, make sure the PEM key and cert are named 'tls.key' and 'tls.crt' respectively.
  existingSecret: ""
  ## @param tls.usePem Use PEM certificates as input instead of PKS12/JKS stores
  ## If "true", the Keycloak chart will look for the files keycloak.key and keycloak.crt inside the secret provided with 'existingSecret'.
  usePem: false
  ## @param tls.truststoreFilename Truststore filename inside the existing secret
  truststoreFilename: "keycloak.truststore.jks"
  ## @param tls.keystoreFilename Keystore filename inside the existing secret
  keystoreFilename: "keycloak.keystore.jks"
  ## @param tls.keystorePassword Password to access the keystore when it's password-protected
  keystorePassword: ""
  ## @param tls.truststorePassword Password to access the truststore when it's password-protected
  truststorePassword: ""
  ## @param tls.passwordsSecret Secret containing the Keystore and Truststore passwords.
  passwordsSecret: ""
## SPI TLS settings
## ref: https://www.keycloak.org/server/keycloak-truststore
spi:
  ## @param spi.existingSecret Existing secret containing the Keycloak truststore for SPI connection over HTTPS/TLS
  ## Create this secret following the steps below:
  ## 1) Rename your truststore to `keycloak-spi.truststore.jks` or use a different name overwriting the value 'spi.truststoreFilename'.
  ## 2) Run the command below where SECRET_NAME is the name of the secret you want to create:
  ##      kubectl create secret generic SECRET_NAME --from-file=./keycloak-spi.truststore.jks --from-file=./keycloak.keystore.jks
  existingSecret: ""
  ## @param spi.truststorePassword Password to access the truststore when it's password-protected
  truststorePassword: ""
  ## @param spi.truststoreFilename Truststore filename inside the existing secret
  truststoreFilename: "keycloak-spi.truststore.jks"
  ## @param spi.passwordsSecret Secret containing the SPI Truststore passwords.
  passwordsSecret: ""
  ## @param spi.hostnameVerificationPolicy Verify the hostname of the server's certificate. Allowed values: "ANY", "WILDCARD", "STRICT".
  hostnameVerificationPolicy: ""
## @param production Run Keycloak in production mode. TLS configuration is required except when using proxy=edge.
production: true
## @param proxy reverse Proxy mode edge, reencrypt, passthrough or none
## ref: https://www.keycloak.org/server/reverseproxy
proxy: passthrough
## @param httpRelativePath Set the path relative to '/' for serving resources. Useful if you are migrating from older version which were using '/auth/'
## ref: https://www.keycloak.org/migration/migrating-to-quarkus#_default_context_path_changed
httpRelativePath: "/"
## Keycloak Service Discovery settings
## ref: https://github.com/bitnami/containers/tree/main/bitnami/keycloak#cluster-configuration
## @param configuration Keycloak Configuration. Auto-generated based on other parameters when not specified
## Specify content for keycloak.conf
## NOTE: This will override configuring Keycloak based on environment variables (including those set by the chart)
## The keycloak.conf is auto-generated based on other parameters when this parameter is not specified
## Example:
## configuration: |-
##   jgroups {
##     transport=TCP
##     tcp_nodelay=true
##     bind_addr={{ .Values.service.discovery.bindAddr }}
##     bind_port={{ .Values.service.discovery.bindPort }}
##     enable_diagnostics=true
##     diagnostics_ttl=5
##     diagnostics_history=20
##     diagnostics_max_plaintext_size=8192
##     diagnostics_max_size=2000000
##     diagnostics_log_raw=false
##     tcp_ping_timeout=500
##     tcp_sock_conn_timeout=3000
##     tcp_sock_recv_buf_size=2000000
##     tcp_sock_send_buf_size=2000000
##     initial_hosts={{ .Values.service.discovery.initialHosts }}
##     max_broadcasts_before_discovery={{ .Values.service.discovery.maxBroadcastsBeforeDiscovery }}
##     discovery_initial_wait_timeout={{ .Values.service.discovery.initialWaitTimeout }}
##     discovery_refresh_timeout={{ .Values.service.discovery.refreshTimeout }}
##   }
configuration: ""
## @param existingConfigmap Name of existing ConfigMap with Keycloak configuration
## NOTE: When it's set the configuration parameter is ignored
existingConfigmap: keycloak-metrics-jar
## @param extraStartupArgs Extra default startup args
extraStartupArgs: ""
## @param initdbScripts Dictionary of initdb scripts
## Specify dictionary of scripts to be run at first boot
## ref: https://github.com/bitnami/containers/tree/main/bitnami/keycloak#initializing-a-new-instance
## Example:
## initdbScripts:
##   my_init_script.sh: |
##      #!/bin/bash
##      echo "Do something."
initdbScripts: {}
## @param initdbScriptsConfigMap ConfigMap with the initdb scripts (Note: Overrides `initdbScripts`)
initdbScriptsConfigMap: ""
## @param command Override default container command (useful when using custom images)
command: []
## @param args Override default container args (useful when using custom images)
args: []
## @param extraEnvVars Extra environment variables to be set on Keycloak container
## Example:
## extraEnvVars:
##   - name: FOO
##     value: "bar"
extraEnvVars: []
## @param extraEnvVarsCM Name of existing ConfigMap containing extra env vars
extraEnvVarsCM: ""
## @param extraEnvVarsSecret Name of existing Secret containing extra env vars
extraEnvVarsSecret: ""

## @section Keycloak statefulset parameters

## @param replicaCount Number of Keycloak replicas to deploy
replicaCount: 1
## @param containerPorts.http Keycloak HTTP container port
## @param containerPorts.https Keycloak HTTPS container port
## @param containerPorts.infinispan Keycloak infinispan container port
containerPorts:
  http: 8080
  https: 8443
  infinispan: 7800
## @param extraContainerPorts Optionally specify extra list of additional port-mappings for Keycloak container
extraContainerPorts: []
## Keycloak pods' SecurityContext
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
## @param podSecurityContext.enabled Enabled Keycloak pods' Security Context
## @param podSecurityContext.fsGroup Set Keycloak pod's Security Context fsGroup
podSecurityContext:
  enabled: true
  fsGroup: 1001
## Keycloak containers' Security Context
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
## @param containerSecurityContext.enabled Enabled Keycloak containers' Security Context
## @param containerSecurityContext.runAsUser Set Keycloak container's Security Context runAsUser
## @param containerSecurityContext.runAsNonRoot Set Keycloak container's Security Context runAsNonRoot
containerSecurityContext:
  enabled: true
  runAsUser: 1001
  runAsNonRoot: true
## Keycloak resource requests and limits
## ref: https://kubernetes.io/docs/user-guide/compute-resources/
## @param resources.limits The resources limits for the Keycloak containers
## @param resources.requests The requested resources for the Keycloak containers
resources:
  limits: {}
  requests: {}
## Configure extra options for Keycloak containers' liveness, readiness and startup probes
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes
## @param livenessProbe.enabled Enable livenessProbe on Keycloak containers
## @param livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe
## @param livenessProbe.periodSeconds Period seconds for livenessProbe
## @param livenessProbe.timeoutSeconds Timeout seconds for livenessProbe
## @param livenessProbe.failureThreshold Failure threshold for livenessProbe
## @param livenessProbe.successThreshold Success threshold for livenessProbe
livenessProbe:
  enabled: true
  initialDelaySeconds: 300
  periodSeconds: 1
  timeoutSeconds: 5
  failureThreshold: 3
  successThreshold: 1
## @param readinessProbe.enabled Enable readinessProbe on Keycloak containers
## @param readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe
## @param readinessProbe.periodSeconds Period seconds for readinessProbe
## @param readinessProbe.timeoutSeconds Timeout seconds for readinessProbe
## @param readinessProbe.failureThreshold Failure threshold for readinessProbe
## @param readinessProbe.successThreshold Success threshold for readinessProbe
readinessProbe:
  enabled: true
  initialDelaySeconds: 30
  periodSeconds: 10
  timeoutSeconds: 1
  failureThreshold: 3
  successThreshold: 1
## When enabling this, make sure to set initialDelaySeconds to 0 for livenessProbe and readinessProbe
## @param startupProbe.enabled Enable startupProbe on Keycloak containers
## @param startupProbe.initialDelaySeconds Initial delay seconds for startupProbe
## @param startupProbe.periodSeconds Period seconds for startupProbe
## @param startupProbe.timeoutSeconds Timeout seconds for startupProbe
## @param startupProbe.failureThreshold Failure threshold for startupProbe
## @param startupProbe.successThreshold Success threshold for startupProbe
startupProbe:
  enabled: false
  initialDelaySeconds: 30
  periodSeconds: 5
  timeoutSeconds: 1
  failureThreshold: 60
  successThreshold: 1
## @param customLivenessProbe Custom Liveness probes for Keycloak
customLivenessProbe: {}
## @param customReadinessProbe Custom Readiness probes for Keycloak
customReadinessProbe: {}
## @param customStartupProbe Custom Startup probes for Keycloak
customStartupProbe: {}
## @param lifecycleHooks LifecycleHooks to set additional configuration at startup
lifecycleHooks: {}
## @param hostAliases Deployment pod host aliases
## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
hostAliases: []
## @param podLabels Extra labels for Keycloak pods
## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
podLabels: {}
## @param podAnnotations Annotations for Keycloak pods
## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
podAnnotations: {}
## @param podAffinityPreset Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
podAffinityPreset: ""
## @param podAntiAffinityPreset Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
podAntiAffinityPreset: soft
## Node affinity preset
## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity
nodeAffinityPreset:
  ## @param nodeAffinityPreset.type Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
  type: ""
  ## @param nodeAffinityPreset.key Node label key to match. Ignored if `affinity` is set.
  ## E.g.
  ## key: "kubernetes.io/e2e-az-name"
  key: ""
  ## @param nodeAffinityPreset.values Node label values to match. Ignored if `affinity` is set.
  ## E.g.
  ## values:
  ##   - e2e-az1
  ##   - e2e-az2
  values: []
## @param affinity Affinity for pod assignment
## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
affinity: {}
## @param nodeSelector Node labels for pod assignment
## ref: https://kubernetes.io/docs/user-guide/node-selection/
nodeSelector: {}
## @param tolerations Tolerations for pod assignment
## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
tolerations: []
## @param topologySpreadConstraints Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template
## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/#spread-constraints-for-pods
topologySpreadConstraints: []
## @param podManagementPolicy Pod management policy for the Keycloak statefulset
podManagementPolicy: Parallel
## @param priorityClassName Keycloak pods' Priority Class Name
## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/
priorityClassName: ""
## @param schedulerName Use an alternate scheduler, e.g. "stork".
## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
schedulerName: ""
## @param terminationGracePeriodSeconds Seconds Keycloak pod needs to terminate gracefully
## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods
terminationGracePeriodSeconds: ""
## @param updateStrategy.type Keycloak statefulset strategy type
## @param updateStrategy.rollingUpdate Keycloak statefulset rolling update configuration parameters
## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies
updateStrategy:
  type: RollingUpdate
  rollingUpdate: {}
## @param extraVolumes Optionally specify extra list of additional volumes for Keycloak pods
extraVolumes: []
## @param extraVolumeMounts Optionally specify extra list of additional volumeMounts for Keycloak container(s)
extraVolumeMounts: []
## @param initContainers Add additional init containers to the Keycloak pods
## Example:
## initContainers:
##   - name: your-image-name
##     image: your-image
##     imagePullPolicy: Always
##     ports:
##       - name: portname
##         containerPort: 1234
initContainers: []
## @param sidecars Add additional sidecar containers to the Keycloak pods
## Example:
## sidecars:
##   - name: your-image-name
##     image: your-image
##     imagePullPolicy: Always
##     ports:
##       - name: portname
##         containerPort: 1234
sidecars: []

## @section Exposure parameters

## Service configuration
service:
  ## @param service.type Kubernetes service type
  type: LoadBalancer
  ## @param service.http.enabled Enable http port on service
  http:
    enabled: true
  ## @param service.ports.http Keycloak service HTTP port
  ## @param service.ports.https Keycloak service HTTPS port
  ports:
    http: 80
    https: 443
  ## @param service.nodePorts [object] Specify the nodePort values for the LoadBalancer and NodePort service types.
  ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport
  nodePorts:
    http: ""
    https: ""
  ## @param service.sessionAffinity Control where client requests go, to the same pod or round-robin
  ## Values: ClientIP or None
  ## ref: https://kubernetes.io/docs/user-guide/services/
  sessionAffinity: None
  ## @param service.sessionAffinityConfig Additional settings for the sessionAffinity
  ## sessionAffinityConfig:
  ##   clientIP:
  ##     timeoutSeconds: 300
  sessionAffinityConfig: {}
  ## @param service.clusterIP Keycloak service clusterIP IP
  ## e.g:
  ## clusterIP: None
  clusterIP: ""
  ## @param service.loadBalancerIP loadBalancerIP for the SuiteCRM Service (optional, cloud specific)
  ## ref: https://kubernetes.io/docs/user-guide/services/#type-loadbalancer
  loadBalancerIP: ""
  ## @param service.loadBalancerSourceRanges Address that are allowed when service is LoadBalancer
  ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
  ## Example:
  ## loadBalancerSourceRanges:
  ##   - 10.10.10.0/24
  loadBalancerSourceRanges: []
  ## @param service.externalTrafficPolicy Enable client source IP preservation
  ## ref https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
  externalTrafficPolicy: Cluster
  ## @param service.annotations Additional custom annotations for Keycloak service
  annotations: {}
  ## @param service.extraPorts Extra port to expose on Keycloak service
  extraPorts: []
  ## DEPRECATED service.extraHeadlessPorts will be removed in a future release, please use service.headless.extraPorts instead
  ## @param service.extraHeadlessPorts Extra ports to expose on Keycloak headless service
  extraHeadlessPorts: []
  ## Headless service properties
  headless:
    ## @param service.headless.annotations Annotations for the headless service.
## Keycloak ingress parameters
## ref: https://kubernetes.io/docs/user-guide/ingress/
ingress:
  ## @param ingress.enabled Enable ingress record generation for Keycloak
  enabled: false
  ## @param ingress.ingressClassName IngressClass that will be used to implement the Ingress (Kubernetes 1.18+)
  ## This is supported in Kubernetes 1.18+ and required if you have more than one IngressClass marked as the default for your cluster.
  ## ref: https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/
  ingressClassName: ""
  ## @param ingress.pathType Ingress path type
  pathType: ImplementationSpecific
  ## @param ingress.apiVersion Force Ingress API version (automatically detected if not set)
  apiVersion: ""
  ## @param ingress.hostname Default host for the ingress record (evaluated as template)
  hostname: keycloak.local
  ## @param ingress.path Default path for the ingress record
  path: /
  ## @param ingress.servicePort Backend service port to use
  ## Default is http. Alternative is https.
  servicePort: http
  ## @param ingress.annotations [object] Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations.
  ## Use this parameter to set the required annotations for cert-manager, see
  ## ref: https://cert-manager.io/docs/usage/ingress/#supported-annotations
  ## e.g:
  ## annotations:
  ##   kubernetes.io/ingress.class: nginx
  ##   cert-manager.io/cluster-issuer: cluster-issuer-name
  annotations: {}
  ## @param ingress.tls Enable TLS configuration for the host defined at `ingress.hostname` parameter
  ## TLS certificates will be retrieved from a TLS secret with name: `{{- printf "%s-tls" (tpl .Values.ingress.hostname .) }}`
  ## You can:
  ##   - Use the `ingress.secrets` parameter to create this TLS secret
  ##   - Rely on cert-manager to create it by setting the corresponding annotations
  ##   - Rely on Helm to create self-signed certificates by setting `ingress.selfSigned=true`
  tls: false
  ## @param ingress.selfSigned Create a TLS secret for this ingress record using self-signed certificates generated by Helm
  selfSigned: false
  ## @param ingress.extraHosts An array with additional hostname(s) to be covered with the ingress record
  ## e.g:
  ## extraHosts:
  ##   - name: keycloak.local
  ##     path: /
  extraHosts: []
  ## @param ingress.extraPaths Any additional arbitrary paths that may need to be added to the ingress under the main host.
  ## For example: The ALB ingress controller requires a special rule for handling SSL redirection.
  ## extraPaths:
  ##   - path: /*
  ##     backend:
  ##       serviceName: ssl-redirect
  ##       servicePort: use-annotation
  extraPaths: []
  ## @param ingress.extraTls The tls configuration for additional hostnames to be covered with this ingress record.
  ## see: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
  ## extraTls:
  ##   - hosts:
  ##       - keycloak.local
  ##     secretName: keycloak.local-tls
  extraTls: []
  ## @param ingress.secrets If you're providing your own certificates, please use this to add the certificates as secrets
  ## key and certificate should start with -----BEGIN CERTIFICATE----- or
  ## -----BEGIN RSA PRIVATE KEY-----
  ## name should line up with a tlsSecret set further up
  ## If you're using cert-manager, this is unneeded, as it will create the secret for you if it is not set
  ## It is also possible to create and manage the certificates outside of this helm chart
  ## Please see README.md for more information
  ## e.g:
  ##   - name: keycloak.local-tls
  ##     key:
  ##     certificate:
  secrets: []
  ## @param ingress.extraRules Additional rules to be covered with this ingress record
  ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules
  ## e.g:
  ## extraRules:
  ##   - host: airflow.local
  ##     http:
  ##       path: /
  ##       backend:
  ##         service:
  ##           name: airflow-svc
  ##           port:
  ##             name: http
  extraRules: []
## Network Policy configuration
## ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/
networkPolicy:
  ## @param networkPolicy.enabled Enable the default NetworkPolicy policy
  enabled: false
  ## @param networkPolicy.allowExternal Don't require client label for connections
  ## The Policy model to apply. When set to false, only pods with the correct
  ## client label will have network access to the ports Keycloak is listening
  ## on. When true, Keycloak will accept connections from any source
  ## (with the correct destination port).
  allowExternal: true
  ## @param networkPolicy.additionalRules Additional NetworkPolicy rules
  ## Note that all rules are OR-ed.
  ## Example:
  ## additionalRules:
  ##   - matchLabels:
  ##     - role: frontend
  ##   - matchExpressions:
  ##     - key: role
  ##       operator: In
  ##       values:
  ##         - frontend
  additionalRules: {}

## @section RBAC parameter

## Specifies whether a ServiceAccount should be created
serviceAccount:
  ## @param serviceAccount.create Enable the creation of a ServiceAccount for Keycloak pods
  create: true
  ## @param serviceAccount.name Name of the created ServiceAccount
  ## If not set and create is true, a name is generated using the fullname template
  name: ""
  ## @param serviceAccount.automountServiceAccountToken Auto-mount the service account token in the pod
  automountServiceAccountToken: true
  ## @param serviceAccount.annotations Additional custom annotations for the ServiceAccount
  annotations: {}
  ## @param serviceAccount.extraLabels Additional labels for the ServiceAccount
  extraLabels: {}
## Specifies whether RBAC resources should be created
rbac:
  ## @param rbac.create Whether to create and use RBAC resources or not
  create: false
  ## @param rbac.rules Custom RBAC rules
  ## Example:
  ## rules:
  ##   - apiGroups:
  ##       - ""
  ##     resources:
  ##       - pods
  ##     verbs:
  ##       - get
  ##       - list
  rules: []

## @section Other parameters

## Keycloak Pod Disruption Budget configuration
## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/
pdb:
  ## @param pdb.create Enable/disable a Pod Disruption Budget creation
  create: false
  ## @param pdb.minAvailable Minimum number/percentage of pods that should remain scheduled
  minAvailable: 1
  ## @param pdb.maxUnavailable Maximum number/percentage of pods that may be made unavailable
  maxUnavailable: ""
## Keycloak Autoscaling configuration
## @param autoscaling.enabled Enable autoscaling for Keycloak
## @param autoscaling.minReplicas Minimum number of Keycloak replicas
## @param autoscaling.maxReplicas Maximum number of Keycloak replicas
## @param autoscaling.targetCPU Target CPU utilization percentage
## @param autoscaling.targetMemory Target Memory utilization percentage
autoscaling:
  enabled: false
  minReplicas: 1
  maxReplicas: 11
  targetCPU: ""
  targetMemory: ""

## @section Metrics parameters

## Metrics configuration
metrics:
  ## @param metrics.enabled Enable exposing Keycloak statistics
  ## ref: https://github.com/bitnami/containers/tree/main/bitnami/keycloak#enabling-statistics
  enabled: true
  ## Keycloak metrics service parameters
  service:
    ## @param metrics.service.ports.http Metrics service HTTP port
  ## Prometheus Operator ServiceMonitor configuration
  serviceMonitor:
    ## @param metrics.serviceMonitor.enabled Create ServiceMonitor Resource for scraping metrics using PrometheusOperator
  ## Prometheus Operator alert rules configuration
  prometheusRule:
    ## @param metrics.prometheusRule.enabled Create PrometheusRule Resource for scraping metrics using PrometheusOperator

## @section keycloak-config-cli parameters

## Configuration for keycloak-config-cli
## ref: https://github.com/adorsys/keycloak-config-cli
keycloakConfigCli:
  ## @param keycloakConfigCli.enabled Whether to enable keycloak-config-cli job
  enabled: false
  ## Bitnami keycloak-config-cli image
  ## ref: https://hub.docker.com/r/bitnami/keycloak-config-cli/tags/
  ## @param keycloakConfigCli.image.registry keycloak-config-cli container image registry
  ## @param keycloakConfigCli.image.repository keycloak-config-cli container image repository
  ## @param keycloakConfigCli.image.tag keycloak-config-cli container image tag
  ## @param keycloakConfigCli.image.digest keycloak-config-cli container image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag
  ## @param keycloakConfigCli.image.pullPolicy keycloak-config-cli container image pull policy
  ## @param keycloakConfigCli.image.pullSecrets keycloak-config-cli container image pull secrets
  image:
    registry: docker.io
    repository: bitnami/keycloak-config-cli
    tag: 5.5.0-debian-11-r36
    digest: ""
    ## Specify an imagePullPolicy
  ## @param keycloakConfigCli.annotations [object] Annotations for keycloak-config-cli job
  ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
  annotations:
    helm.sh/hook: "post-install,post-upgrade,post-rollback"
    helm.sh/hook-delete-policy: "hook-succeeded,before-hook-creation"
    helm.sh/hook-weight: "5"
  ## @param keycloakConfigCli.command Command for running the container (set to default if not set). Use array form
  command: []
  ## @param keycloakConfigCli.args Args for running the container (set to default if not set). Use array form
  args: []
  ## @param keycloakConfigCli.hostAliases Job pod host aliases
  ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
  hostAliases: []
  ## Keycloak config CLI resource requests and limits
  ## ref: https://kubernetes.io/docs/user-guide/compute-resources/
  ## @param keycloakConfigCli.resources.limits The resources limits for the keycloak-config-cli container
  ## @param keycloakConfigCli.resources.requests The requested resources for the keycloak-config-cli container
  resources:
    limits: {}
    requests: {}
  ## keycloak-config-cli containers' Security Context
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
  ## @param keycloakConfigCli.containerSecurityContext.enabled Enabled keycloak-config-cli containers' Security Context
  ## @param keycloakConfigCli.containerSecurityContext.runAsUser Set keycloak-config-cli container's Security Context runAsUser
  ## @param keycloakConfigCli.containerSecurityContext.runAsNonRoot Set keycloak-config-cli container's Security Context runAsNonRoot
  containerSecurityContext:
    enabled: true
    runAsUser: 1001
    runAsNonRoot: true
  ## keycloak-config-cli pods' Security Context
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
  ## @param keycloakConfigCli.podSecurityContext.enabled Enabled keycloak-config-cli pods' Security Context
  ## @param keycloakConfigCli.podSecurityContext.fsGroup Set keycloak-config-cli pod's Security Context fsGroup
  podSecurityContext:
    enabled: true
    fsGroup: 1001
  ## @param keycloakConfigCli.backoffLimit Number of retries before considering a Job as failed
  ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy
  backoffLimit: 1
  ## @param keycloakConfigCli.podLabels Pod extra labels
  ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
  podLabels: {}
  ## @param keycloakConfigCli.podAnnotations Annotations for job pod
  ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
  podAnnotations: {}
  ## @param keycloakConfigCli.extraEnvVars Additional environment variables to set
  ## Example:
  ## extraEnvVars:
  ##   - name: FOO
  ##     value: "bar"
  extraEnvVars: []
  ## @param keycloakConfigCli.podTolerations Tolerations for job pod assignment
  ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
  podTolerations: []
  ## @param keycloakConfigCli.extraEnvVarsCM ConfigMap with extra environment variables
  extraEnvVarsCM: ""
  ## @param keycloakConfigCli.extraEnvVarsSecret Secret with extra environment variables
  extraEnvVarsSecret: ""
  ## @param keycloakConfigCli.extraVolumes Extra volumes to add to the job
  extraVolumes: []
  ## @param keycloakConfigCli.extraVolumeMounts Extra volume mounts to add to the container
  extraVolumeMounts: []
  ## @param keycloakConfigCli.initContainers Add additional init containers to the Keycloak config cli pod
  ## Example:
  ## initContainers:
  ##   - name: your-image-name
  ##     image: your-image
  ##     imagePullPolicy: Always
  ##     ports:
  ##       - name: portname
  ##         containerPort: 1234
  initContainers: []
  ## @param keycloakConfigCli.sidecars Add additional sidecar containers to the Keycloak config cli pod
```
Example:
sidecars:
- name: your-image-name
image: your-image
imagePullPolicy: Always
ports:
- name: portname
containerPort: 1234
sidecars: []
@param keycloakConfigCli.configuration keycloak-config-cli realms configuration
NOTE: nil keys will be considered files to import locally
Example:
configuration:
realm1.json: |
{
"realm": "realm1",
"clients": []
}
files/realm2.yaml:
realm3.yaml: |
realm: realm3
clients: []
configuration: {}
@param keycloakConfigCli.existingConfigmap ConfigMap with keycloak-config-cli configuration. This will override
keycloakConfigCli.config
NOTE: This will override keycloakConfigCli.configuration
existingConfigmap: ""
@section Database parameters
PostgreSQL chart configuration
ref: https://github.com/bitnami/charts/blob/main/bitnami/postgresql/values.yaml
@param postgresql.enabled Switch to enable or disable the PostgreSQL helm chart
@param postgresql.auth.postgresPassword Password for the "postgres" admin user. Ignored if
auth.existingSecret
with keypostgres-password
is provided@param postgresql.auth.username Name for a custom user to create
@param postgresql.auth.password Password for the custom user to create
@param postgresql.auth.database Name for a custom database to create
@param postgresql.auth.existingSecret Name of existing secret to use for PostgreSQL credentials
@param postgresql.architecture PostgreSQL architecture (
standalone
orreplication
)postgresql: enabled: false auth: postgresPassword: "" username: bn_keycloak password: "" database: bitnami_keycloak existingSecret: "" architecture: standalone
External PostgreSQL configuration
All of these values are only used when postgresql.enabled is set to false
@param externalDatabase.host Database host
@param externalDatabase.port Database port number
@param externalDatabase.user Non-root username for Keycloak
@param externalDatabase.password Password for the non-root username for Keycloak
@param externalDatabase.database Keycloak database name
@param externalDatabase.existingSecret Name of an existing secret resource containing the database credentials
@param externalDatabase.existingSecretPasswordKey Name of an existing secret key containing the database credentials
externalDatabase: host: '10.100.59.xxx' port: '5432' user: xxxxx database: xxxx password: xxxxx existingSecret: keycloak-db-user
existingSecretPasswordKey: ""
extraEnvVars:
- name: KC_DB # override values from the conf file
value: 'postgres'
- name: KC_DB_URL
value: 'jdbc:postgresql://10.100.59.225:5432/keycloak;databaseName=keycloak;'
@section Keycloak Cache parameters
Keycloak cache configuration
ref: https://www.keycloak.org/server/caching
@param cache.enabled Switch to enable or disable the keycloak distributed cache for kubernetes.
NOTE: Set to false to use 'local' cache (only supported when replicaCount=1).
@param cache.stackName Set infinispan cache stack to use
@param cache.stackFile Set infinispan cache stack filename to use
cache: enabled: true stackName: kubernetes stackFile: ""
@section Keycloak Logging parameters
Keycloak logging configuration
ref: https://www.keycloak.org/server/logging
@param logging.output Alternates between the default log output format or json format
@param logging.level Allowed values as documented: FATAL, ERROR, WARN, INFO, DEBUG, TRACE, ALL, OFF
logging: output: default level: INFO