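---
# Helm values for the Big Bang fork of the codecentric Keycloak chart.
# Big Bang additions and overrides are marked with "#### ... Big Bang ####".

# Optionally override the fully qualified name
fullnameOverride: ""

# Optionally override the name
nameOverride: ""

# The number of replicas to create (has no effect if autoscaling enabled)
replicas: 1

image:
  # The Keycloak image repository
  repository: registry.dso.mil/platform-one/big-bang/apps/security-tools/keycloak/keycloak-ib
  # Overrides the Keycloak image tag whose default is the chart version
  tag: "14.0.0-1.0.6-1"
  # The Keycloak image pull policy
  pullPolicy: IfNotPresent

# Image pull secrets for the Pod
imagePullSecrets: []
# - name: private-registry

# Mapping between IPs and hostnames that will be injected as entries in the Pod's hosts files
hostAliases: []
# - ip: "1.2.3.4"
#   hostnames:
#     - "my.host.com"

# Indicates whether information about services should be injected into Pod's environment variables, matching the syntax of Docker links
enableServiceLinks: true

# Pod management policy. One of `Parallel` or `OrderedReady`
podManagementPolicy: Parallel

# Pod restart policy. One of `Always`, `OnFailure`, or `Never`
restartPolicy: Always

serviceAccount:
  # Specifies whether a ServiceAccount should be created
  create: true
  # The name of the service account to use.
  # If not set and create is true, a name is generated using the fullname template
  name: ""
  # Additional annotations for the ServiceAccount
  annotations: {}
  # Additional labels for the ServiceAccount
  labels: {}
  # Image pull secrets that are attached to the ServiceAccount
  imagePullSecrets: []

rbac:
  create: false
  rules: []
  # RBAC rules for KUBE_PING
  # - apiGroups:
  #     - ""
  #   resources:
  #     - pods
  #   verbs:
  #     - get
  #     - list

# SecurityContext for the entire Pod. Every container running in the Pod will inherit this SecurityContext.
# This might be relevant when other components of the environment inject additional containers into running Pods (service meshes are the most prominent example for this)
podSecurityContext:
  fsGroup: 1000

# SecurityContext for the Keycloak container
# NOTE(review): unlike the pgchecker container below, this does not set
# allowPrivilegeEscalation: false; consider adding it if the image tolerates it.
securityContext:
  runAsUser: 1000
  runAsNonRoot: true

# Additional init containers, e. g. for providing custom themes
extraInitContainers: ""

# Additional sidecar containers, e. g. for a database proxy, such as Google's cloudsql-proxy
extraContainers: ""

# Lifecycle hooks for the Keycloak container
lifecycleHooks: ""
#  postStart:
#    exec:
#      command:
#        - /bin/sh
#        - -c
#        - ls

# Termination grace period in seconds for Keycloak shutdown. Clusters with a large cache might need to extend this to give Infinispan more time to rebalance
terminationGracePeriodSeconds: 60

# The internal Kubernetes cluster domain
clusterDomain: cluster.local

## Overrides the default entrypoint of the Keycloak container
command: []

## Overrides the default args for the Keycloak container
args:
  # Big Bang additions
  - "-b 0.0.0.0"
  - "-Dkeycloak.profile.feature.admin_fine_grained_authz=enabled"
  - "-Dkeycloak.profile.feature.declarative_user_profile=enabled"

# Additional environment variables for Keycloak
extraEnv: ""
# - name: KEYCLOAK_LOGLEVEL
#   value: DEBUG
# - name: WILDFLY_LOGLEVEL
#   value: DEBUG
# - name: CACHE_OWNERS_COUNT
#   value: "2"
# - name: CACHE_OWNERS_AUTH_SESSIONS_COUNT
#   value: "2"

# Additional environment variables for Keycloak mapped from Secret or ConfigMap
#### Updated for Big Bang ####
extraEnvFrom: |
  - secretRef:
      name: '{{ include "keycloak.fullname" . }}-env'

# Pod priority class name
priorityClassName: ""

# Pod affinity
affinity: |
  podAntiAffinity:
    requiredDuringSchedulingIgnoredDuringExecution:
      - labelSelector:
          matchLabels:
            {{- include "keycloak.selectorLabels" . | nindent 10 }}
          matchExpressions:
            - key: app.kubernetes.io/component
              operator: NotIn
              values:
                - test
        topologyKey: kubernetes.io/hostname
    preferredDuringSchedulingIgnoredDuringExecution:
      - weight: 100
        podAffinityTerm:
          labelSelector:
            matchLabels:
              {{- include "keycloak.selectorLabels" . | nindent 12 }}
            matchExpressions:
              - key: app.kubernetes.io/component
                operator: NotIn
                values:
                  - test
          topologyKey: failure-domain.beta.kubernetes.io/zone

# Node labels for Pod assignment
nodeSelector: {}

# Node taints to tolerate
tolerations: []

# Additional Pod labels
podLabels: {}

# Additional Pod annotations
podAnnotations: {}

# Liveness probe configuration
#### Updated for Big Bang ####
livenessProbe: |
  httpGet:
    path: /auth/realms/master
    port: http
    scheme: HTTP
  failureThreshold: 15
  timeoutSeconds: 2
  periodSeconds: 15

# Readiness probe configuration
#### Updated for Big Bang ####
readinessProbe: |
  httpGet:
    path: /auth/realms/master
    port: http
    scheme: HTTP
  failureThreshold: 15
  timeoutSeconds: 2

# Startup probe configuration
#### Updated for Big Bang ####
startupProbe: |
  httpGet:
    path: /auth/realms/master
    port: http
  initialDelaySeconds: 90
  timeoutSeconds: 2
  failureThreshold: 60
  periodSeconds: 5

# Pod resource requests and limits
resources:
  requests:
    cpu: "500m"
    memory: "1024Mi"
  limits:
    cpu: "500m"
    memory: "1024Mi"

#### startupScripts removed to discourage use in Big Bang ####

# Add additional volumes, e. g. for custom themes
extraVolumes: ""

#### added by Big Bang ####
# This values key is reserved for integration with BigBang chart
extraVolumesBigBang: {}

# Add additional volumes mounts, e. g. for custom themes
extraVolumeMounts: ""

#### added by Big Bang ####
# This values key is reserved for integration with BigBang chart
extraVolumeMountsBigBang: {}

# Add additional ports, e. g. for admin console or exposing JGroups ports
extraPorts:
  #### Big Bang Addition ####
  - name: jgroup
    containerPort: 7600
    protocol: TCP

# Pod disruption budget
podDisruptionBudget: {}
#  maxUnavailable: 1
#  minAvailable: 1

# Annotations for the StatefulSet
statefulsetAnnotations: {}

# Additional labels for the StatefulSet
statefulsetLabels: {}

# Configuration for secrets that should be created
## The secrets can also be independently created separate from this helm chart,
## for example with a gitops tool like flux with a kustomize overlay.
secrets:
  # mysecret:
  #   type: {}
  #   annotations: {}
  #   labels: {}
  #   stringData: {}
  #   data: {}

  #### Added for Big Bang ####
  # Environmental variables
  env:
    stringData:
      JAVA_TOOL_OPTIONS: "-XX:+UseContainerSupport -XX:MaxRAMPercentage=50.0"
      # Credentials to setup for default admin user.
      KEYCLOAK_USER: "{{ .Values.secrets.credentials.stringData.adminuser }}"
      KEYCLOAK_PASSWORD: "{{ .Values.secrets.credentials.stringData.password }}"
      # See https://github.com/codecentric/helm-charts/tree/master/charts/keycloak#running-keycloak-behind-a-reverse-proxy
      # Makes Keycloak honour the X-Forwarded-* headers set by the proxy in front of it,
      # so direct access to the Pod should stay limited to that proxy (see networkPolicy / networkPolicies below).
      PROXY_ADDRESS_FORWARDING: "true"
      # For HA/Clustering. See https://github.com/codecentric/helm-charts/tree/master/charts/keycloak#high-availability-and-clustering
      JGROUPS_DISCOVERY_PROTOCOL: dns.DNS_PING
      JGROUPS_DISCOVERY_PROPERTIES: 'dns_query={{ include "keycloak.serviceDnsName" . }}'
      KEYCLOAK_SERVICE_DNS_NAME: '{{ include "keycloak.serviceDnsName" . }}'
      CACHE_OWNERS_COUNT: "2"
      CACHE_OWNERS_AUTH_SESSIONS_COUNT: "2"
      # Enable Prometheus metrics to be produced
      KEYCLOAK_STATISTICS: "{{ if .Values.serviceMonitor.enabled }}all{{ end }}"
      # Example custom registration
      # CUSTOM_REGISTRATION_CONFIG: "/opt/jboss/keycloak/customreg.yaml"
      # Example custom realm
      # KEYCLOAK_IMPORT: "/opt/jboss/keycloak/realm.json"
      # Example custom certificate authorities
      # X509_CA_BUNDLE: "/etc/x509/https/cas.pem"

  # Default admin user credentials
  # These are placeholder values for development and pipeline tests. Any other
  # deployment must override them, or create the secret outside the chart as described above.
  credentials:
    stringData:
      adminuser: admin
      password: password

  # Example inline TLS certificates
  # tlscert:
  #   stringData:
  #     tls.crt: ""
  # tlskey:
  #   stringData:
  #     tls.key: ""
  # certauthority:
  #   stringData:
  #     cas.pem: ""

  # Example inline custom registration configuration
  # See docs/configuration.md for info about how to create this secret in operational deployments
  # Using this chart value to create the secret should only be used for development and pipeline tests
  # See tests/test-values.yml for development example
  # customreg:
  #   stringData:
  #     customreg.yaml: ""

  # Example inline custom realm configuration
  # See docs/configuration.md for info about how to create this secret in operational deployments
  # Using this chart to create the secret should only be used for development and pipeline tests
  # See tests/test-values.yml for development example
  # realm:
  #   stringData:
  #     realm.json: ""

service:
  # Annotations for headless and HTTP Services
  annotations: {}
  # Additional labels for headless and HTTP Services
  labels: {}
  # key: value
  # The Service type
  type: ClusterIP
  # Optional IP for the load balancer. Used for services of type LoadBalancer only
  loadBalancerIP: ""
  # The http Service port
  httpPort: 80
  # The HTTP Service node port if type is NodePort
  httpNodePort: null
  # The HTTPS Service port
  httpsPort: 8443
  # The HTTPS Service node port if type is NodePort
  httpsNodePort: null
  # The WildFly management Service port
  httpManagementPort: 9990
  # The WildFly management Service node port if type is NodePort
  httpManagementNodePort: null
  # Additional Service ports, e. g. for custom admin console
  #### Added for Big Bang ####
  extraPorts:
    - name: jgroup
      port: 7600
      targetPort: jgroup
      protocol: TCP
  # When using Service type LoadBalancer, you can restrict source ranges allowed
  # to connect to the LoadBalancer, e. g. will result in Security Groups
  # (or equivalent) with inbound source ranges allowed to connect
  loadBalancerSourceRanges: []
  # When using Service type LoadBalancer, you can preserve the source IP seen in the container
  # by changing the default (Cluster) to be Local.
  # See https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
  externalTrafficPolicy: "Cluster"
  # Session affinity
  # See https://kubernetes.io/docs/concepts/services-networking/service/#proxy-mode-userspace
  sessionAffinity: ""
  # Session affinity config
  sessionAffinityConfig: {}

ingress:
  # If `true`, an Ingress is created
  enabled: false
  # The Service port targeted by the Ingress
  servicePort: http
  # Ingress annotations
  annotations: {}
    ## Resolve HTTP 502 error using ingress-nginx:
    ## See https://www.ibm.com/support/pages/502-error-ingress-keycloak-response
    # nginx.ingress.kubernetes.io/proxy-buffer-size: 128k
  # Additional Ingress labels
  labels: {}
  # List of rules for the Ingress
  rules:
    -
      # Ingress host
      host: '{{ .Release.Name }}.keycloak.example.com'
      # Paths for the host
      paths:
        - /
  # TLS configuration
  tls:
    - hosts:
        - keycloak.example.com
      secretName: ""

  # ingress for console only (/auth/admin)
  console:
    # If `true`, an Ingress is created for console path only
    enabled: false
    # Ingress annotations for console ingress only
    # Useful to set nginx.ingress.kubernetes.io/whitelist-source-range particularly
    annotations: {}
    rules:
      -
        # Ingress host
        host: '{{ .Release.Name }}.keycloak.example.com'
        # Paths for the host
        paths:
          - /auth/admin/

## Network policy configuration
networkPolicy:
  # If true, the Network policies are deployed
  enabled: false
  # Additional Network policy labels
  labels: {}
  # Define all other external allowed source
  # See https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#networkpolicypeer-v1-networking-k8s-io
  extraFrom: []

route:
  # If `true`, an OpenShift Route is created
  enabled: false
  # Path for the Route
  path: /
  # Route annotations
  annotations: {}
  # Additional Route labels
  labels: {}
  # Host name for the Route
  host: ""
  # TLS configuration
  tls:
    # If `true`, TLS is enabled for the Route
    enabled: true
    # Insecure edge termination policy of the Route. Can be `None`, `Redirect`, or `Allow`
    insecureEdgeTerminationPolicy: Redirect
    # TLS termination of the route. Can be `edge`, `passthrough`, or `reencrypt`
    termination: edge

pgchecker:
  image:
    # Docker image used to check Postgresql readiness at startup
    repository: registry.dso.mil/platform-one/big-bang/apps/security-tools/keycloak/busybox
    # Image tag for the pgchecker image
    # (quoted so YAML keeps it a string; an unquoted 1.32 is parsed as a float)
    tag: "1.32"
    # Image pull policy for the pgchecker image
    pullPolicy: IfNotPresent
  # SecurityContext for the pgchecker container
  securityContext:
    allowPrivilegeEscalation: false
    runAsUser: 1000
    runAsGroup: 1000
    runAsNonRoot: true
  # Resource requests and limits for the pgchecker container
  resources:
    requests:
      cpu: "20m"
      memory: "32Mi"
    limits:
      cpu: "20m"
      memory: "32Mi"

postgresql:
  # If `true`, the Postgresql dependency is enabled
  enabled: true
  # PostgreSQL User to create
  postgresqlUsername: keycloak
  # PostgreSQL Password for the new user
  # (placeholder default; override it for anything beyond the dev/CI use this sub-chart is intended for, see the image note below)
  postgresqlPassword: keycloak
  # PostgreSQL Database to create
  postgresqlDatabase: keycloak
  # PostgreSQL network policy configuration
  networkPolicy:
    enabled: false
  # Added by BigBang
  # change bitnami sub-chart upstream image to pull from registry.dso.mil
  # this image is only used for dev and CI pipelines
  image:
    ## could not get IronBank hardened image to work with the bitnami postgres sub-chart
    registry: registry.dso.mil
    repository: platform-one/big-bang/apps/security-tools/keycloak/postgresql
    tag: 11.8.0-debian-10-r61
  resources:
    requests:
      cpu: "250m"
      memory: "256Mi"
    limits:
      cpu: "250m"
      memory: "256Mi"

serviceMonitor:
  # If `true`, a ServiceMonitor resource for the prometheus-operator is created
  enabled: false
  # Optionally sets a target namespace in which to deploy the ServiceMonitor resource
  namespace: ""
  # Optionally sets a namespace for the ServiceMonitor
  namespaceSelector: {}
  # Annotations for the ServiceMonitor
  annotations: {}
  # Additional labels for the ServiceMonitor
  labels: {}
  # Interval at which Prometheus scrapes metrics
  interval: 10s
  # Timeout for scraping
  scrapeTimeout: 10s
  # The path at which metrics are served
  path: /metrics
  # The Service port at which metrics are served
  port: http-management

extraServiceMonitor:
  # If `true`, a ServiceMonitor resource for the prometheus-operator is created
  enabled: false
  # Optionally sets a target namespace in which to deploy the ServiceMonitor resource
  namespace: ""
  # Optionally sets a namespace for the ServiceMonitor
  namespaceSelector: {}
  # Annotations for the ServiceMonitor
  annotations: {}
  # Additional labels for the ServiceMonitor
  labels: {}
  # Interval at which Prometheus scrapes metrics
  interval: 10s
  # Timeout for scraping
  scrapeTimeout: 10s
  # The path at which metrics are served
  path: /auth/realms/master/metrics
  # The Service port at which metrics are served
  port: http

prometheusRule:
  # If `true`, a PrometheusRule resource for the prometheus-operator is created
  enabled: false
  # Annotations for the PrometheusRule
  annotations: {}
  # Additional labels for the PrometheusRule
  labels: {}
  # List of rules for Prometheus
  rules: []
  # - alert: keycloak-IngressHigh5xxRate
  #   annotations:
  #     message: The percentage of 5xx errors for keycloak over the last 5 minutes is over 1%.
  #   expr: |
  #     (
  #       sum(
  #         rate(
  #           nginx_ingress_controller_response_duration_seconds_count{exported_namespace="mynamespace",ingress="mynamespace-keycloak",status=~"5[0-9]{2}"}[1m]
  #         )
  #       )
  #       /
  #       sum(
  #         rate(
  #           nginx_ingress_controller_response_duration_seconds_count{exported_namespace="mynamespace",ingress="mynamespace-keycloak"}[1m]
  #         )
  #       )
  #     ) * 100 > 1
  #   for: 5m
  #   labels:
  #     severity: warning

autoscaling:
  # If `true`, a autoscaling/v2beta2 HorizontalPodAutoscaler resource is created (requires Kubernetes 1.18 or above)
  # Autoscaling seems to be most reliable when using KUBE_PING service discovery (see README for details)
  # This disables the `replicas` field in the StatefulSet
  enabled: false
  # Additional HorizontalPodAutoscaler labels
  labels: {}
  # The minimum and maximum number of replicas for the Keycloak StatefulSet
  minReplicas: 3
  maxReplicas: 10
  # The metrics to use for scaling
  metrics:
    - type: Resource
      resource:
        name: cpu
        target:
          type: Utilization
          averageUtilization: 80
  # The scaling policy to use. This will scale up quickly but only scale down a single Pod per 5 minutes.
  # This is important because caches are usually only replicated to 2 Pods and if one of those Pods is terminated this will give the cluster time to recover.
  behavior:
    scaleDown:
      stabilizationWindowSeconds: 300
      policies:
        - type: Pods
          value: 1
          periodSeconds: 300

test:
  # If `true`, test resources are created
  enabled: false
  image:
    # The image for the test Pod
    repository: docker.io/unguiculus/docker-python3-phantomjs-selenium
    # The tag for the test Pod image
    tag: v1
    # The image pull policy for the test Pod image
    pullPolicy: IfNotPresent
  # SecurityContext for the entire test Pod
  podSecurityContext:
    fsGroup: 1000
  # SecurityContext for the test container
  securityContext:
    runAsUser: 1000
    runAsNonRoot: true

# Big Bang Additions
## Your FQDN will be ${ .Values.subdomain }.${ .Values.hostname }
hostname: bigbang.dev

istio:
  # Toggle istio integration
  enabled: false
  keycloak:
    # Toggle vs creation
    enabled: false
    annotations: {}
    labels: {}
    gateways:
      - istio-system/main
    hosts:
      - keycloak.{{ .Values.hostname }}

monitoring:
  enabled: false

networkPolicies:
  enabled: false
  ingressLabels:
    app: istio-ingressgateway
    istio: ingressgateway
  smtpPort: 587

openshift: false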