
# Optionally override the fully qualified name
fullnameOverride: ""

# Optionally override the name
nameOverride: ""

# The number of replicas to create (has no effect if autoscaling enabled)
replicas: 1

image:
  # The Keycloak image repository
  repository: registry.dso.mil/platform-one/big-bang/apps/security-tools/keycloak/keycloak-ib
  # Overrides the Keycloak image tag whose default is the chart version
  tag: "14.0.0-1.0.6-1"
  # The Keycloak image pull policy
  pullPolicy: IfNotPresent

# Image pull secrets for the Pod
imagePullSecrets: []
# - name: private-registry

# Mapping between IPs and hostnames that will be injected as entries in the Pod's hosts files
hostAliases: []
# - ip: "1.2.3.4"
#   hostnames:
#     - "my.host.com"

# Indicates whether information about services should be injected into Pod's environment variables, matching the syntax of Docker links
enableServiceLinks: true

# Pod management policy. One of `Parallel` or `OrderedReady`
podManagementPolicy: Parallel

# Pod restart policy. One of `Always`, `OnFailure`, or `Never`
restartPolicy: Always

serviceAccount:
  # Specifies whether a ServiceAccount should be created
  create: true
  # The name of the service account to use.
  # If not set and create is true, a name is generated using the fullname template
  name: ""
  # Additional annotations for the ServiceAccount
  annotations: {}
  # Additional labels for the ServiceAccount
  labels: {}
  # Image pull secrets that are attached to the ServiceAccount
  imagePullSecrets: []

rbac:
  create: false
  rules: []
  # RBAC rules for KUBE_PING
  #  - apiGroups:
  #      - ""
  #    resources:
  #      - pods
  #    verbs:
  #      - get
  #      - list

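# SecurityContext for the entire Pod. Every container running in the Pod will inherit this SecurityContext. This might be relevant when other components of the environment inject additional containers into running Pods (service meshes are the most prominent example for this)
podSecurityContext:
  fsGroup: 1000

# SecurityContext for the Keycloak container.
# Runs as the unprivileged uid 1000 and, like the pgchecker container further down,
# forbids privilege escalation (no setuid/setgid gain inside the container). The
# ports this chart uses (8443, 9990, 7600 and the http port) are all unprivileged,
# so no extra capabilities are required. Consider also `capabilities: {drop: [ALL]}`
# and a read-only root filesystem once the Iron Bank image has been validated with them.
securityContext:
  runAsUser: 1000
  runAsNonRoot: true
  allowPrivilegeEscalation: false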

# Additional init containers, e. g. for providing custom themes
extraInitContainers: ""

# Additional sidecar containers, e. g. for a database proxy, such as Google's cloudsql-proxy
extraContainers: ""

# Lifecycle hooks for the Keycloak container
lifecycleHooks: ""
#  postStart:
#    exec:
#      command:
#        - /bin/sh
#        - -c
#        - ls

# Termination grace period in seconds for Keycloak shutdown. Clusters with a large cache might need to extend this to give Infinispan more time to rebalance
terminationGracePeriodSeconds: 60

# The internal Kubernetes cluster domain
clusterDomain: cluster.local

## Overrides the default entrypoint of the Keycloak container
command: []

## Overrides the default args for the Keycloak container
args:
  # Big Bang additions. Note: admin_fine_grained_authz and declarative_user_profile are
  # preview-tier features in this Keycloak line, turned on here with -D system properties;
  # confirm they are wanted before exposing a production realm with them enabled.
  - "-b 0.0.0.0"
  - "-Dkeycloak.profile.feature.admin_fine_grained_authz=enabled"
  - "-Dkeycloak.profile.feature.declarative_user_profile=enabled"

# Additional environment variables for Keycloak
extraEnv: ""
  # - name: KEYCLOAK_LOGLEVEL
  #   value: DEBUG
  # - name: WILDFLY_LOGLEVEL
  #   value: DEBUG
  # - name: CACHE_OWNERS_COUNT
  #   value: "2"
  # - name: CACHE_OWNERS_AUTH_SESSIONS_COUNT
  #   value: "2"

# Additional environment variables for Keycloak mapped from Secret or ConfigMap
#### Updated for Big Bang ####
extraEnvFrom: |
  - secretRef:
      name: '{{ include "keycloak.fullname" . }}-env'


#  Pod priority class name
priorityClassName: ""

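# Pod affinity. Hard rule: no two Keycloak pods on the same node. Soft preference
# (weight 100): spread replicas across zones. The chart's test pod
# (app.kubernetes.io/component=test) is excluded from both selectors.
affinity: |
  podAntiAffinity:
    requiredDuringSchedulingIgnoredDuringExecution:
      - labelSelector:
          matchLabels:
            {{- include "keycloak.selectorLabels" . | nindent 10 }}
          matchExpressions:
            - key: app.kubernetes.io/component
              operator: NotIn
              values:
                - test
        topologyKey: kubernetes.io/hostname
    preferredDuringSchedulingIgnoredDuringExecution:
      - weight: 100
        podAffinityTerm:
          labelSelector:
            matchLabels:
              {{- include "keycloak.selectorLabels" . | nindent 12 }}
            matchExpressions:
              - key: app.kubernetes.io/component
                operator: NotIn
                values:
                  - test
          # topology.kubernetes.io/zone is the GA zone label; the beta name it replaces
          # (failure-domain.beta.kubernetes.io/zone) has been deprecated since Kubernetes
          # 1.17. This term is only a preference, so nodes that carry neither label simply
          # get no spread bonus.
          topologyKey: topology.kubernetes.io/zone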

# Node labels for Pod assignment
nodeSelector: {}

# Node taints to tolerate
tolerations: []

# Additional Pod labels
podLabels: {}

# Additional Pod annotations
podAnnotations: {}

# Liveness probe configuration
#### Updated for Big Bang ####
livenessProbe: |
  httpGet:
    path: /auth/realms/master
    port: http
    scheme: HTTP
  failureThreshold: 15
  timeoutSeconds: 2
  periodSeconds: 15

# Readiness probe configuration
#### Updated for Big Bang ####
readinessProbe: |
  httpGet:
    path: /auth/realms/master
    port: http
    scheme: HTTP
  failureThreshold: 15
  timeoutSeconds: 2

# Startup probe configuration
#### Updated for Big Bang ####
startupProbe: |
  httpGet:
    path: /auth/realms/master
    port: http
  initialDelaySeconds: 90
  timeoutSeconds: 2
  failureThreshold: 60
  periodSeconds: 5

# Pod resource requests and limits
resources: 
  requests:
    cpu: "500m"
    memory: "1024Mi"
  limits:
    cpu: "500m"
    memory: "1024Mi"

#### startupScripts removed to discourage their use in Big Bang ####

# Add additional volumes, e. g. for custom themes
extraVolumes: ""

#### added by Big Bang ####
# This values key is reserved for integration with BigBang chart
extraVolumesBigBang: {}

# Add additional volumes mounts, e. g. for custom themes
extraVolumeMounts: ""

#### added by Big Bang ####
# This values key is reserved for integration with BigBang chart
extraVolumeMountsBigBang: {}

# Add additional ports, e. g. for admin console or exposing JGroups ports
extraPorts:
  #### Big Bang Addition ####
  # Container port for JGroups/Infinispan cluster traffic between Keycloak replicas
  # (published by the matching "jgroup" entry under service.extraPorts). NOTE(review):
  # nothing in this values file authenticates or encrypts that traffic; while
  # networkPolicy / networkPolicies are disabled, any pod in the cluster can reach it.
  - name: jgroup
    containerPort: 7600
    protocol: TCP

# Pod disruption budget
podDisruptionBudget: {}
#  maxUnavailable: 1
#  minAvailable: 1

# Annotations for the StatefulSet
statefulsetAnnotations: {}

# Additional labels for the StatefulSet
statefulsetLabels: {}

# Configuration for secrets that should be created
## The secrets can also be independently created separate from this helm chart.
## for example with a GitOps tool like Flux and a Kustomize overlay.
secrets:
  # mysecret:
  #   type: {}
  #   annotations: {}
  #   labels: {}
  #   stringData: {}
  #   data: {}
  #### Added for Big Bang ####
  # Environment variables for the Keycloak container. Values here are templated
  # (they may reference other chart values and helpers) and, going by extraEnvFrom
  # above, presumably land in the "<fullname>-env" Secret that the container reads.
  env:
    stringData:
      # Cap the JVM at half of the container memory limit set under resources above
      JAVA_TOOL_OPTIONS: "-XX:+UseContainerSupport -XX:MaxRAMPercentage=50.0"

      # Credentials to setup for default admin user. Taken from secrets.credentials
      # below; override those values rather than editing this block.
      KEYCLOAK_USER: "{{ .Values.secrets.credentials.stringData.adminuser }}"
      KEYCLOAK_PASSWORD: "{{ .Values.secrets.credentials.stringData.password }}"

      # See https://github.com/codecentric/helm-charts/tree/master/charts/keycloak#running-keycloak-behind-a-reverse-proxy
      # SECURITY: this makes Keycloak trust X-Forwarded-For / X-Forwarded-Proto from
      # whatever connects to it. That is only safe when the pod is reachable solely
      # through the trusted proxy (ingress / Istio gateway); a client that can hit the
      # Service port directly could otherwise spoof its source address and scheme.
      # Pair with networkPolicy / networkPolicies further down.
      PROXY_ADDRESS_FORWARDING: "true"

      # For HA/Clustering.  See https://github.com/codecentric/helm-charts/tree/master/charts/keycloak#high-availability-and-clustering
      # Members are discovered through the DNS name produced by the keycloak.serviceDnsName
      # helper and presumably exchange state on the "jgroup" port (7600, see extraPorts).
      # NOTE(review): this chart configures no JGroups AUTH or encryption, so restrict
      # that port to cluster members with a network policy.
      JGROUPS_DISCOVERY_PROTOCOL: dns.DNS_PING
      JGROUPS_DISCOVERY_PROPERTIES: 'dns_query={{ include "keycloak.serviceDnsName" . }}'
      KEYCLOAK_SERVICE_DNS_NAME: '{{ include "keycloak.serviceDnsName" . }}'
      # Number of replicas each cache entry / auth session is copied to; with
      # replicas: 1 the second owner simply does not exist until a second pod joins.
      CACHE_OWNERS_COUNT: "2"
      CACHE_OWNERS_AUTH_SESSIONS_COUNT: "2"

      # Enable Prometheus metrics to be produced (empty string, i.e. disabled, unless
      # serviceMonitor.enabled is true)
      KEYCLOAK_STATISTICS: "{{ if .Values.serviceMonitor.enabled }}all{{ end }}"

      # Example custom registration
      # CUSTOM_REGISTRATION_CONFIG: "/opt/jboss/keycloak/customreg.yaml"

      # Example custom realm
      # KEYCLOAK_IMPORT: "/opt/jboss/keycloak/realm.json"

      # Example custom certificate authorities
      # X509_CA_BUNDLE: "/etc/x509/https/cas.pem"

  # Default admin user credentials, consumed by secrets.env above to seed the initial
  # Keycloak admin user (KEYCLOAK_USER / KEYCLOAK_PASSWORD).
  # SECURITY: these are well-known placeholder values. Every real deployment must
  # override them (or create the Secret out-of-band, as described above for the other
  # secrets) and rotate the admin password after first login; never commit real
  # credentials into this file.
  credentials:
    stringData:
      adminuser: admin
      password: password

  # Example inline TLS certificates
  # tlscert:
  #   stringData:
  #     tls.crt: ""
  # tlskey:
  #   stringData:
  #     tls.key: ""
  # certauthority:
  #     stringData:
  #     cas.pem: ""

  # Example inline custom registration configuration
  # See docs/configuration.md for info about how to create this secret in operational deployments
  # Using this chart value to create the secret should only be used for development and pipeline tests
  # See tests/test-values.yml for development example
  # customreg:
  #   stringData:
  #     customreg.yaml: ""

  # Example inline custom realm configuration
  # See docs/configuration.md for info about how to create this secret in operational deployments
  # Using this chart to create the secret should only be used for development and pipeline tests
  # See tests/test-values.yml for development example
  # realm:
  #   stringData:
  #     realm.json: ""

service:
  # Annotations for headless and HTTP Services
  annotations: {}
  # Additional labels for headless and HTTP Services
  labels: {}
  # key: value
  # The Service type. ClusterIP keeps Keycloak internal to the cluster; exposure is
  # expected to go through the ingress / Istio settings further down rather than
  # NodePort or LoadBalancer, so TLS termination stays with the proxy that
  # PROXY_ADDRESS_FORWARDING trusts.
  type: ClusterIP
  # Optional IP for the load balancer. Used for services of type LoadBalancer only
  loadBalancerIP: ""
  # The http Service port (plain HTTP; this is what `ingress.servicePort: http` targets)
  httpPort: 80
  # The HTTP Service node port if type is NodePort
  httpNodePort: null
  # The HTTPS Service port
  httpsPort: 8443
  # The HTTPS Service node port if type is NodePort
  httpsNodePort: null
  # The WildFly management Service port, scraped by serviceMonitor (port http-management).
  # NOTE(review): this publishes the WildFly management interface to anything that can
  # reach the Service; keep it off every ingress and rely on network policies in
  # shared clusters.
  httpManagementPort: 9990
  # The WildFly management Service node port if type is NodePort
  httpManagementNodePort: null
  # Additional Service ports, e. g. for custom admin console
  #### Added for Big Bang ####
  extraPorts:
  - name: jgroup
    port: 7600
    targetPort: jgroup
    protocol: TCP
  # When using Service type LoadBalancer, you can restrict source ranges allowed
  # to connect to the LoadBalancer, e. g. will result in Security Groups
  # (or equivalent) with inbound source ranges allowed to connect
  loadBalancerSourceRanges: []
  # When using Service type LoadBalancer, you can preserve the source IP seen in the container
  # by changing the default (Cluster) to be Local.
  # See https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
  externalTrafficPolicy: "Cluster"
  # Session affinity
  # See https://kubernetes.io/docs/concepts/services-networking/service/#proxy-mode-userspace
  sessionAffinity: ""
  # Session affinity config
  sessionAffinityConfig: {}

ingress:
  # If `true`, an Ingress is created. Off by default; the Istio VirtualService
  # option (istio.keycloak at the bottom of this file) is the Big Bang alternative.
  enabled: false
  # The Service port targeted by the Ingress (the plain-HTTP `http` Service port;
  # TLS is expected to terminate at the ingress controller)
  servicePort: http
  # Ingress annotations
  annotations: {}
    ## Resolve HTTP 502 error using ingress-nginx:
    ## See https://www.ibm.com/support/pages/502-error-ingress-keycloak-response
    # nginx.ingress.kubernetes.io/proxy-buffer-size: 128k

  # Additional Ingress labels
  labels: {}
  # List of rules for the Ingress
  rules:
    -
      # Ingress host
      host: '{{ .Release.Name }}.keycloak.example.com'
      # Paths for the host. "/" publishes everything, including /auth/admin; use the
      # console block below (with a source-range allow list) or network controls to
      # keep the admin console off the public path.
      paths:
        - /
  # TLS configuration. NOTE(review): the host listed here does not match the templated
  # rules[].host above, so align them when enabling the Ingress; an empty secretName
  # falls back to whatever default certificate the ingress controller serves, which is
  # not acceptable for operational deployments.
  tls:
    - hosts:
        - keycloak.example.com
      secretName: ""

  # ingress for console only (/auth/admin)
  console:
    # If `true`, an Ingress is created for console path only
    enabled: false
    # Ingress annotations for console ingress only
    # Useful to set nginx.ingress.kubernetes.io/whitelist-source-range particularly
    annotations: {}
    rules:
      -
        # Ingress host
        host: '{{ .Release.Name }}.keycloak.example.com'
        # Paths for the host
        paths:
          - /auth/admin/

## Network policy configuration (upstream chart policies; the Big Bang policies keyed
## to the Istio ingress gateway labels live under `networkPolicies` at the bottom)
networkPolicy:
  # If true, the Network policies are deployed. NOTE(review): with both this and
  # `networkPolicies.enabled` false, the jgroup (7600), WildFly management (9990)
  # and http Service ports are reachable from any pod in the cluster.
  enabled: false

  # Additional Network policy labels
  labels: {}

  # Define all other external allowed source
  # See https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#networkpolicypeer-v1-networking-k8s-io
  extraFrom: []

route:
  # If `true`, an OpenShift Route is created
  enabled: false
  # Path for the Route
  path: /
  # Route annotations
  annotations: {}
  # Additional Route labels
  labels: {}
  # Host name for the Route
  host: ""
  # TLS configuration
  tls:
    # If `true`, TLS is enabled for the Route
    enabled: true
    # Insecure edge termination policy of the Route. Can be `None`, `Redirect`, or `Allow`
    insecureEdgeTerminationPolicy: Redirect
    # TLS termination of the route. Can be `edge`, `passthrough`, or `reencrypt`
    termination: edge

pgchecker:
  image:
    # Docker image used to check Postgresql readiness at startup
    repository: registry.dso.mil/platform-one/big-bang/apps/security-tools/keycloak/busybox
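    # Image tag for the pgchecker image. Quoted on purpose: an unquoted 1.32 is parsed
    # as a YAML float, so a tag such as 1.30 would silently be rendered as "1.3".
    tag: "1.32"
    # Image pull policy for the pgchecker image
    pullPolicy: IfNotPresent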
  # SecurityContext for the pgchecker container
  securityContext:
    allowPrivilegeEscalation: false
    runAsUser: 1000
    runAsGroup: 1000
    runAsNonRoot: true
  # Resource requests and limits for the pgchecker container
  resources:
    requests:
      cpu: "20m"
      memory: "32Mi"
    limits:
      cpu: "20m"
      memory: "32Mi"

postgresql:
  # If `true`, the Postgresql dependency (bitnami sub-chart) is enabled. The image
  # override below is described as dev/CI only, so operational deployments should set
  # this to false and use an externally managed database.
  enabled: true
  # PostgreSQL User to create
  postgresqlUsername: keycloak
  # PostgreSQL Password for the new user. Well-known default; override it (or supply
  # the Secret out-of-band) for anything beyond local development.
  postgresqlPassword: keycloak
  # PostgreSQL Database to create
  postgresqlDatabase: keycloak
  # PostgreSQL network policy configuration (the sub-chart's own policies; off by default)
  networkPolicy:
    enabled: false
  # Added by BigBang
  # change bitnami sub-chart upstream image to pull from registry.dso.mil
  # this image is only used for dev and CI pipelines
  image:
    ## could not get IronBank hardened image to work with the bitnami postgres sub-chart
    registry: registry.dso.mil
    repository: platform-one/big-bang/apps/security-tools/keycloak/postgresql
    tag: 11.8.0-debian-10-r61
  
  resources:
    requests:
      cpu: "250m"
      memory: "256Mi"
    limits:
      cpu: "250m"
      memory: "256Mi"

serviceMonitor:
  # If `true`, a ServiceMonitor resource for the prometheus-operator is created.
  # Enabling this also switches on KEYCLOAK_STATISTICS in secrets.env above.
  enabled: false
  # Optionally sets a target namespace in which to deploy the ServiceMonitor resource
  namespace: ""
  # Optionally sets a namespace for the ServiceMonitor
  namespaceSelector: {}
  # Annotations for the ServiceMonitor
  annotations: {}
  # Additional labels for the ServiceMonitor
  labels: {}
  # Interval at which Prometheus scrapes metrics
  interval: 10s
  # Timeout for scraping
  scrapeTimeout: 10s
  # The path at which metrics are served
  path: /metrics
  # The Service port at which metrics are served: the WildFly management port
  # (service.httpManagementPort, 9990). Prometheus therefore needs network access to
  # the management interface; scope any network-policy exception to the scraper only.
  port: http-management

extraServiceMonitor:
  # If `true`, a ServiceMonitor resource for the prometheus-operator is created
  enabled: false
  # Optionally sets a target namespace in which to deploy the ServiceMonitor resource
  namespace: ""
  # Optionally sets a namespace for the ServiceMonitor
  namespaceSelector: {}
  # Annotations for the ServiceMonitor
  annotations: {}
  # Additional labels for the ServiceMonitor
  labels: {}
  # Interval at which Prometheus scrapes metrics
  interval: 10s
  # Timeout for scraping
  scrapeTimeout: 10s
  # The path at which metrics are served. NOTE(review): this lives under the realm
  # URL on the public http port, so if the ingress / VirtualService publishes "/",
  # the metrics endpoint is reachable from outside as well; confirm that is intended
  # or block the path at the proxy.
  path: /auth/realms/master/metrics
  # The Service port at which metrics are served
  port: http

prometheusRule:
  # If `true`, a PrometheusRule resource for the prometheus-operator is created
  enabled: false
  # Annotations for the PrometheusRule
  annotations: {}
  # Additional labels for the PrometheusRule
  labels: {}
  # List of rules for Prometheus
  rules: []
  # - alert: keycloak-IngressHigh5xxRate
  #   annotations:
  #     message: The percentage of 5xx errors for keycloak over the last 5 minutes is over 1%.
  #   expr: |
  #     (
  #       sum(
  #         rate(
  #           nginx_ingress_controller_response_duration_seconds_count{exported_namespace="mynamespace",ingress="mynamespace-keycloak",status=~"5[0-9]{2}"}[1m]
  #         )
  #       )
  #       /
  #       sum(
  #         rate(
  #           nginx_ingress_controller_response_duration_seconds_count{exported_namespace="mynamespace",ingress="mynamespace-keycloak"}[1m]
  #         )
  #       )
  #     ) * 100 > 1
  #   for: 5m
  #   labels:
  #     severity: warning

autoscaling:
  # If `true`, a autoscaling/v2beta2 HorizontalPodAutoscaler resource is created (requires Kubernetes 1.18 or above)
  # Autoscaling seems to be most reliable when using KUBE_PING service discovery (see README for details)
  # This disables the `replicas` field in the StatefulSet
  enabled: false
  # Additional HorizontalPodAutoscaler labels
  labels: {}
  # The minimum and maximum number of replicas for the Keycloak StatefulSet
  minReplicas: 3
  maxReplicas: 10
  # The metrics to use for scaling
  metrics:
    - type: Resource
      resource:
        name: cpu
        target:
          type: Utilization
          averageUtilization: 80
  # The scaling policy to use. This will scale up quickly but only scale down a single Pod per 5 minutes.
  # This is important because caches are usually only replicated to 2 Pods and if one of those Pods is terminated this will give the cluster time to recover.
  behavior:
    scaleDown:
      stabilizationWindowSeconds: 300
      policies:
        - type: Pods
          value: 1
          periodSeconds: 300

test:
  # If `true`, test resources are created (off by default; intended for chart CI)
  enabled: false
  image:
    # The image for the test Pod. NOTE(review): unlike every other image in this file
    # this is pulled straight from docker.io rather than registry.dso.mil, so it is
    # neither Iron Bank hardened nor available in a registry-restricted environment.
    repository: docker.io/unguiculus/docker-python3-phantomjs-selenium
    # The tag for the test Pod image
    tag: v1
    # The image pull policy for the test Pod image
    pullPolicy: IfNotPresent
  # SecurityContext for the entire test Pod
  podSecurityContext:
    fsGroup: 1000
  # SecurityContext for the test container
  securityContext:
    runAsUser: 1000
    runAsNonRoot: true

# Big Bang Additions
## The Istio VirtualService host is keycloak.<hostname> (see istio.keycloak.hosts below);
## no separate `subdomain` value is defined in this file.
hostname: bigbang.dev
istio:
  # Toggle istio integration
  enabled: false
  keycloak:
    # Toggle vs creation
    enabled: false
    annotations: {}
    labels: {}
    gateways:
      - istio-system/main
    hosts:
      - keycloak.{{ .Values.hostname }}
monitoring:
  enabled: false
networkPolicies:
  enabled: false
  ingressLabels:
    app: istio-ingressgateway
    istio: ingressgateway
  smtpPort: 587
  
openshift: false