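---
# Source: keycloak/templates/serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: keycloak
  namespace: oceanbox
  labels:
    app.kubernetes.io/name: keycloak
    helm.sh/chart: keycloak-9.3.2
    app.kubernetes.io/instance: keycloak
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: keycloak
# Nothing in this release calls the Kubernetes API: the cache is local
# (KEYCLOAK_CACHE_TYPE=local in the ConfigMap below), so a projected API token
# in the pod is only attack surface. Re-enable only if a JGroups KUBE_PING /
# kubernetes cache stack is configured later.
automountServiceAccountToken: false
---
# Source: keycloak/charts/postgresql/templates/secrets.yaml
#
# SECURITY: the values below are base64, not encryption. Anyone who can read
# this file can read the database passwords; treat them as compromised once
# committed, rotate them, and render this Secret from a secret store
# (ExternalSecret / SealedSecret / `helm install --set` from CI) instead of
# keeping the rendered values in the repo.
apiVersion: v1
kind: Secret
metadata:
  name: keycloak-postgresql
  namespace: "oceanbox"
  labels:
    app.kubernetes.io/name: postgresql
    helm.sh/chart: postgresql-11.6.9
    app.kubernetes.io/instance: keycloak
    app.kubernetes.io/managed-by: Helm
type: Opaque
data:
  # superuser password, consumed as POSTGRES_POSTGRES_PASSWORD in the StatefulSet
  postgres-password: "bVJsYUE2c0sxSg=="
  # bn_keycloak application user, consumed by both postgres and keycloak pods
  password: "azlIUEJZOUVSOA=="
  # We don't auto-generate LDAP password when it's not provided as we do for other passwords
---
# Source: keycloak/templates/secrets.yaml
#
# SECURITY: same caveat as above. In addition, admin-password decodes to a
# short lowercase dictionary phrase, which is far too weak for the Keycloak
# master-realm administrator. Rotate it to a generated high-entropy value and
# keep it out of version control.
apiVersion: v1
kind: Secret
metadata:
  name: keycloak
  namespace: oceanbox
  labels:
    app.kubernetes.io/name: keycloak
    helm.sh/chart: keycloak-9.3.2
    app.kubernetes.io/instance: keycloak
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: keycloak
type: Opaque
data:
  admin-password: "ZW4gdG8gdHJlIGZpcmU="
  management-password: "V1c1U0dvNEloSw=="
---
# Source: keycloak/templates/configmap-env-vars.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: keycloak-env-vars
  namespace: oceanbox
  labels:
    app.kubernetes.io/name: keycloak
    helm.sh/chart: keycloak-9.3.2
    app.kubernetes.io/instance: keycloak
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: keycloak
data:
  KEYCLOAK_ADMIN_USER: "admin"
  KEYCLOAK_MANAGEMENT_USER: "manager"
  KEYCLOAK_HTTP_PORT: "8080"
  # TLS is terminated at the nginx Ingress and Keycloak itself listens on plain
  # HTTP (KEYCLOAK_ENABLE_TLS=false). That is the "edge" proxy mode: Keycloak
  # must read X-Forwarded-Proto/Host/For from the proxy to build https:// URLs
  # and to see real client IPs for brute-force detection. "passthrough" means
  # "the proxy forwards TLS untouched and I do not parse forwarded headers",
  # which does not match this deployment.
  #
  # NOTE(review): with "edge" Keycloak trusts forwarded headers from anything
  # that can reach port 8080, so the Service below is kept cluster-internal
  # and a NetworkPolicy limiting ingress to the ingress controller is
  # recommended (not written here: the controller's namespace labels are not
  # known from this file). Also confirm a fixed hostname is configured so the
  # issuer URL cannot be steered by a spoofed Host header.
  KEYCLOAK_PROXY: edge
  KEYCLOAK_ENABLE_STATISTICS: "false"
  KEYCLOAK_DATABASE_HOST: "keycloak-postgresql"
  KEYCLOAK_DATABASE_PORT: "5432"
  KEYCLOAK_DATABASE_NAME: "bitnami_keycloak"
  KEYCLOAK_DATABASE_USER: "bn_keycloak"
  KEYCLOAK_ENABLE_TLS: "false"
  KEYCLOAK_CACHE_TYPE: "local"
  KEYCLOAK_LOG_OUTPUT: "default"
---
# Source: keycloak/charts/postgresql/templates/primary/svc-headless.yaml
apiVersion: v1
kind: Service
metadata:
  name: keycloak-postgresql-hl
  namespace: "oceanbox"
  labels:
    app.kubernetes.io/name: postgresql
    helm.sh/chart: postgresql-11.6.9
    app.kubernetes.io/instance: keycloak
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: primary
  annotations:
    # Use this annotation in addition to the actual publishNotReadyAddresses
    # field below because the annotation will stop being respected soon but the
    # field is broken in some versions of Kubernetes:
    # https://github.com/kubernetes/kubernetes/issues/58662
    service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
spec:
  type: ClusterIP
  clusterIP: None
  # We want all pods in the StatefulSet to have their addresses published for
  # the sake of the other Postgresql pods even before they're ready, since they
  # have to be able to talk to each other in order to become ready.
  publishNotReadyAddresses: true
  ports:
    - name: tcp-postgresql
      port: 5432
      targetPort: tcp-postgresql
  selector:
    app.kubernetes.io/name: postgresql
    app.kubernetes.io/instance: keycloak
    app.kubernetes.io/component: primary
---
# Source: keycloak/charts/postgresql/templates/primary/svc.yaml
apiVersion: v1
kind: Service
metadata:
  name: keycloak-postgresql
  namespace: "oceanbox"
  labels:
    app.kubernetes.io/name: postgresql
    helm.sh/chart: postgresql-11.6.9
    app.kubernetes.io/instance: keycloak
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: primary
spec:
  type: ClusterIP
  sessionAffinity: None
  ports:
    - name: tcp-postgresql
      port: 5432
      targetPort: tcp-postgresql
  selector:
    app.kubernetes.io/name: postgresql
    app.kubernetes.io/instance: keycloak
    app.kubernetes.io/component: primary
---
# Source: keycloak/templates/headless-service.yaml
apiVersion: v1
kind: Service
metadata:
  name: keycloak-headless
  namespace: oceanbox
  labels:
    app.kubernetes.io/name: keycloak
    helm.sh/chart: keycloak-9.3.2
    app.kubernetes.io/instance: keycloak
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: keycloak
spec:
  type: ClusterIP
  clusterIP: None
  ports:
    - name: http
      port: 80
      protocol: TCP
      targetPort: http
  publishNotReadyAddresses: true
  selector:
    app.kubernetes.io/name: keycloak
    app.kubernetes.io/instance: keycloak
    app.kubernetes.io/component: keycloak
---
# Source: keycloak/templates/service.yaml
#
# Was `type: LoadBalancer` with ports 80 and 443. That published Keycloak a
# second time, directly on the cloud LB, bypassing the Ingress (and its TLS
# and ssl-redirect), and the 443 port pointed at container port 8443 where no
# TLS listener exists (KEYCLOAK_ENABLE_TLS=false). All external traffic should
# enter through the Ingress below, so this is now cluster-internal and only
# the plain HTTP port the Ingress uses is exposed.
apiVersion: v1
kind: Service
metadata:
  name: keycloak
  namespace: oceanbox
  labels:
    app.kubernetes.io/name: keycloak
    helm.sh/chart: keycloak-9.3.2
    app.kubernetes.io/instance: keycloak
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: keycloak
spec:
  type: ClusterIP
  sessionAffinity: None
  ports:
    - name: http
      port: 80
      protocol: TCP
      targetPort: http
  selector:
    app.kubernetes.io/name: keycloak
    app.kubernetes.io/instance: keycloak
    app.kubernetes.io/component: keycloak
---
# Source: keycloak/charts/postgresql/templates/primary/statefulset.yaml
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: keycloak-postgresql
  namespace: "oceanbox"
  labels:
    app.kubernetes.io/name: postgresql
    helm.sh/chart: postgresql-11.6.9
    app.kubernetes.io/instance: keycloak
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: primary
spec:
  replicas: 1
  serviceName: keycloak-postgresql-hl
  updateStrategy:
    rollingUpdate: {}
    type: RollingUpdate
  selector:
    matchLabels:
      app.kubernetes.io/name: postgresql
      app.kubernetes.io/instance: keycloak
      app.kubernetes.io/component: primary
  template:
    metadata:
      name: keycloak-postgresql
      labels:
        app.kubernetes.io/name: postgresql
        helm.sh/chart: postgresql-11.6.9
        app.kubernetes.io/instance: keycloak
        app.kubernetes.io/managed-by: Helm
        app.kubernetes.io/component: primary
    spec:
      serviceAccountName: default
      # The database has no reason to hold a Kubernetes API token; the chart
      # left the default SA's token mounted.
      automountServiceAccountToken: false
      affinity:
        podAntiAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
            - podAffinityTerm:
                labelSelector:
                  matchLabels:
                    app.kubernetes.io/name: postgresql
                    app.kubernetes.io/instance: keycloak
                    app.kubernetes.io/component: primary
                namespaces:
                  - "oceanbox"
                topologyKey: kubernetes.io/hostname
              weight: 1
      securityContext:
        fsGroup: 1001
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault
      hostNetwork: false
      hostIPC: false
      containers:
        - name: postgresql
          # NOTE(review): pin by digest (image@sha256:...) rather than a
          # mutable tag so the deployed artifact cannot change under you.
          image: docker.io/bitnami/postgresql:14.4.0-debian-11-r2
          imagePullPolicy: "IfNotPresent"
          securityContext:
            runAsUser: 1001
            runAsNonRoot: true
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
          env:
            - name: BITNAMI_DEBUG
              value: "false"
            - name: POSTGRESQL_PORT_NUMBER
              value: "5432"
            - name: POSTGRESQL_VOLUME_DIR
              value: "/bitnami/postgresql"
            - name: PGDATA
              value: "/bitnami/postgresql/data"
            # Authentication
            - name: POSTGRES_USER
              value: "bn_keycloak"
            - name: POSTGRES_POSTGRES_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: keycloak-postgresql
                  key: postgres-password
            - name: POSTGRES_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: keycloak-postgresql
                  key: password
            - name: POSTGRES_DB
              value: "bitnami_keycloak"
            # Replication
            # Initdb
            # Standby
            # LDAP
            - name: POSTGRESQL_ENABLE_LDAP
              value: "no"
            # TLS
            # NOTE(review): credentials and session data for the identity
            # provider cross the pod network in clear text. Enabling server
            # TLS needs a certificate the chart must be given, so it is left
            # off here and flagged; the NetworkPolicy further down limits who
            # can reach the port in the meantime.
            - name: POSTGRESQL_ENABLE_TLS
              value: "no"
            # Audit
            # Connection/disconnection logging is cheap and is the minimum
            # needed to investigate credential misuse against the IdP database.
            - name: POSTGRESQL_LOG_HOSTNAME
              value: "false"
            - name: POSTGRESQL_LOG_CONNECTIONS
              value: "true"
            - name: POSTGRESQL_LOG_DISCONNECTIONS
              value: "true"
            - name: POSTGRESQL_PGAUDIT_LOG_CATALOG
              value: "off"
            # Others
            - name: POSTGRESQL_CLIENT_MIN_MESSAGES
              value: "error"
            # pgaudit is preloaded but no audit classes are enabled (no
            # POSTGRESQL_PGAUDIT_LOG); set it to e.g. "write,ddl" if DML/DDL
            # auditing of the Keycloak schema is wanted.
            - name: POSTGRESQL_SHARED_PRELOAD_LIBRARIES
              value: "pgaudit"
          ports:
            - name: tcp-postgresql
              containerPort: 5432
          livenessProbe:
            failureThreshold: 6
            initialDelaySeconds: 30
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 5
            exec:
              command:
                - /bin/sh
                - -c
                - exec pg_isready -U "bn_keycloak" -d "dbname=bitnami_keycloak" -h 127.0.0.1 -p 5432
          readinessProbe:
            failureThreshold: 6
            initialDelaySeconds: 5
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 5
            exec:
              command:
                - /bin/sh
                - -c
                - -e
                - |
                  exec pg_isready -U "bn_keycloak" -d "dbname=bitnami_keycloak" -h 127.0.0.1 -p 5432
                  [ -f /opt/bitnami/postgresql/tmp/.initialized ] || [ -f /bitnami/postgresql/.initialized ]
          resources:
            # NOTE(review): no limits means one runaway query can starve the
            # node; size limits from observed usage before production.
            limits: {}
            requests:
              cpu: 250m
              memory: 256Mi
          volumeMounts:
            - name: dshm
              mountPath: /dev/shm
            - name: data
              mountPath: /bitnami/postgresql
      volumes:
        - name: dshm
          emptyDir:
            medium: Memory
  volumeClaimTemplates:
    - metadata:
        name: data
      spec:
        accessModes:
          - "ReadWriteOnce"
        resources:
          requests:
            storage: "8Gi"
---
# Source: keycloak/templates/statefulset.yaml
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: keycloak
  namespace: oceanbox
  labels:
    app.kubernetes.io/name: keycloak
    helm.sh/chart: keycloak-9.3.2
    app.kubernetes.io/instance: keycloak
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: keycloak
spec:
  replicas: 1
  podManagementPolicy: Parallel
  serviceName: keycloak-headless
  updateStrategy:
    rollingUpdate: {}
    type: RollingUpdate
  selector:
    matchLabels:
      app.kubernetes.io/name: keycloak
      app.kubernetes.io/instance: keycloak
      app.kubernetes.io/component: keycloak
  template:
    metadata:
      annotations:
        # Rendered by `helm template`; these only force a pod restart when the
        # ConfigMap/Secret change. They are stale relative to the edits above
        # and will be recomputed on the next render.
        checksum/configmap-env-vars: 503dfcf8a222e248d4ef79d1c510f17380e89ada3ea41db074f3d5ade7e247c5
        checksum/secrets: 15ae48deda4484b39021a91faceb68544d16f599867b6f7e64b2f818698b62de
      labels:
        app.kubernetes.io/name: keycloak
        helm.sh/chart: keycloak-9.3.2
        app.kubernetes.io/instance: keycloak
        app.kubernetes.io/managed-by: Helm
        app.kubernetes.io/component: keycloak
    spec:
      serviceAccountName: keycloak
      # Belt and braces with the ServiceAccount setting: no API token in the pod.
      automountServiceAccountToken: false
      affinity:
        podAntiAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
            - podAffinityTerm:
                labelSelector:
                  matchLabels:
                    app.kubernetes.io/name: keycloak
                    app.kubernetes.io/instance: keycloak
                namespaces:
                  - "oceanbox"
                topologyKey: kubernetes.io/hostname
              weight: 1
      securityContext:
        fsGroup: 1001
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault
      initContainers:
        - name: keycloak-theme-provider
          # SUPPLY CHAIN: `docker.io/my-theme:1.0` is an unqualified Docker Hub
          # name under no organisation and a mutable tag, pulled with
          # IfNotPresent. Whatever this image contains ends up served by the
          # IdP's login pages. Pin it by digest from a registry you control.
          image: docker.io/my-theme:1.0
          imagePullPolicy: IfNotPresent
          # The chart gave this container no securityContext, so it ran with
          # the image's default user (possibly root) while the main container
          # is forced to 1001. It only copies files into an emptyDir that
          # fsGroup 1001 can write, so it can run unprivileged as well.
          # NOTE(review): confirm /my-theme in the image is readable by uid 1001.
          securityContext:
            runAsNonRoot: true
            runAsUser: 1001
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
          command:
            - sh
          args:
            - -c
            - |
              echo "Copying theme..."
              cp -R /my-theme/* /theme
          volumeMounts:
            - name: theme
              mountPath: /theme
      containers:
        - name: keycloak
          # NOTE(review): Keycloak 18.0.2 dates from mid-2022 and is several
          # major versions behind; check the project's security advisories
          # for this version and plan the upgrade. Pin by digest once chosen.
          image: docker.io/bitnami/keycloak:18.0.2-debian-11-r0
          imagePullPolicy: IfNotPresent
          securityContext:
            runAsNonRoot: true
            runAsUser: 1001
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
          env:
            - name: KUBERNETES_NAMESPACE
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.namespace
            - name: BITNAMI_DEBUG
              value: "false"
            - name: KEYCLOAK_ADMIN_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: keycloak
                  key: admin-password
            - name: KEYCLOAK_MANAGEMENT_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: keycloak
                  key: management-password
            - name: KEYCLOAK_DATABASE_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: keycloak-postgresql
                  key: password
          envFrom:
            - configMapRef:
                name: keycloak-env-vars
          resources:
            # NOTE(review): no requests or limits at all on the IdP; an
            # unbounded JVM is an easy denial-of-service target. Set both.
            limits: {}
            requests: {}
          ports:
            - name: http
              containerPort: 8080
              protocol: TCP
            # Not exposed by any Service: TLS is disabled, nothing listens here.
            - name: https
              containerPort: 8443
              protocol: TCP
            # Management port; deliberately not exposed by any Service. Keep it
            # that way - the management user/password above guards it.
            - name: http-management
              containerPort: 9990
              protocol: TCP
          livenessProbe:
            failureThreshold: 3
            initialDelaySeconds: 300
            periodSeconds: 1
            successThreshold: 1
            timeoutSeconds: 5
            httpGet:
              path: /
              port: http
          readinessProbe:
            failureThreshold: 3
            initialDelaySeconds: 30
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 1
            httpGet:
              path: /realms/master
              port: http
          volumeMounts:
            - mountPath: /opt/bitnami/keycloak/themes/oceanbox
              name: theme
      volumes:
        - emptyDir: {}
          name: theme
---
# Added on review.
# The database Service is a ClusterIP reachable from every pod in the cluster,
# and PostgreSQL is protected only by a password (TLS is off). Restrict ingress
# on 5432 to the Keycloak pods in this namespace. The postgres probes use exec
# against 127.0.0.1 and are unaffected. Requires a CNI that enforces
# NetworkPolicy; on one that does not, this object is accepted but inert.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: keycloak-postgresql
  namespace: oceanbox
  labels:
    app.kubernetes.io/name: postgresql
    app.kubernetes.io/instance: keycloak
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: primary
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: postgresql
      app.kubernetes.io/instance: keycloak
      app.kubernetes.io/component: primary
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: keycloak
              app.kubernetes.io/instance: keycloak
              app.kubernetes.io/component: keycloak
      ports:
        - protocol: TCP
          port: 5432
---
# Source: keycloak/templates/ingress.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: keycloak
  namespace: oceanbox
  labels:
    app.kubernetes.io/name: keycloak
    helm.sh/chart: keycloak-9.3.2
    app.kubernetes.io/instance: keycloak
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: keycloak
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-production
    # `nginx.ingress.kubernetes.io/enable-cors: "true"` was set here without
    # any cors-allow-origin, which in ingress-nginx means a wildcard origin on
    # every Keycloak endpoint. Keycloak already emits CORS headers per client
    # from the client's "Web Origins" setting, so the blanket annotation is
    # removed; configure allowed origins on the Keycloak client instead.
    nginx.ingress.kubernetes.io/proxy-buffer-size: 128k
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
spec:
  ingressClassName: "nginx"
  rules:
    - host: "keycloak.dev.oceanbox.io"
      http:
        paths:
          - path: /
            # Prefix has defined semantics across controllers;
            # ImplementationSpecific leaves matching up to the controller.
            pathType: Prefix
            backend:
              service:
                name: keycloak
                port:
                  name: http
  tls:
    - hosts:
        - "keycloak.dev.oceanbox.io"
      secretName: keycloak.dev.oceanbox.io-tls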