# Helm values for a two-replica Keycloak deployment served at auth.oceanbox.io.
# The image repository and /opt/bitnami paths suggest the Bitnami Keycloak
# chart; confirm against the chart this file is passed to.
replicaCount: 2

# NOTE(mrtz): Hack for working with bitnami legacy registry
# NOTE(review): allowInsecureImages switches off the chart's check that only
# its default images are used. As far as I know the bitnamilegacy repository
# no longer receives updates, so image vulnerabilities stay unpatched. Treat
# this as temporary and track a migration to a maintained image.
global:
  security:
    allowInsecureImages: true

# No tag or digest is set here, so the chart's default tag applies.
image:
  repository: bitnamilegacy/keycloak

production: true
# TLS is terminated in front of Keycloak; the ingress below talks plain HTTP
# to the backend (backend-protocol: HTTP).
proxy: edge

auth:
  # NOTE(review): the admin password is stored in clear text in this file.
  # Anyone with read access to the repository or the rendered release values
  # can read it. Prefer supplying it through a Kubernetes Secret referenced by
  # existingSecret (empty below), and rotate the value once it has been moved.
  adminPassword: en to tre fire
  adminUser: admin
  existingSecret: ""
  managementPassword: ""
  managementUser: manager

# The bundled PostgreSQL sub-chart is off; the database comes from the
# CloudNativePG Cluster declared under extraDeploy.
postgresql:
  enabled: false

resources:
  limits:
    cpu: 750m
    ephemeral-storage: 2Gi
    memory: 1500Mi
  requests:
    cpu: 500m
    ephemeral-storage: 50Mi
    memory: 512Mi

# Database credentials are read from a Secret rather than written inline.
# Host and secret names presumably match what the operator creates for the
# prod-keycloak-db Cluster below; verify after the first install.
externalDatabase:
  host: prod-keycloak-db-rw
  port: 5432
  database: app
  existingSecret: prod-keycloak-db-app
  existingSecretUserKey: username
  existingSecretPasswordKey: password

# Shared emptyDir: the init container fills it with the theme, and Keycloak
# mounts it under its themes directory.
extraVolumeMounts:
  - mountPath: /opt/bitnami/keycloak/themes/oceanbox
    name: theme
extraVolumes:
  - emptyDir: {}
    name: theme

# Public ingress for the authentication endpoints.
ingress:
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-production
    # NOTE(review): no cors-allow-origin annotation is set. ingress-nginx then
    # falls back to allowing every origin ("*"), which is broad for an
    # identity provider. Consider setting
    # nginx.ingress.kubernetes.io/cors-allow-origin to the known front-end
    # origins, or leaving CORS to Keycloak's per-client web origins.
    nginx.ingress.kubernetes.io/enable-cors: "true"
    nginx.ingress.kubernetes.io/backend-protocol: HTTP
    nginx.ingress.kubernetes.io/proxy-buffer-size: 128k
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
  enabled: true
  hostname: auth.oceanbox.io
  ingressClassName: nginx
  path: /
  pathType: ImplementationSpecific
  selfSigned: false
  servicePort: http
  tls: true

# Separate ingress for the admin console; currently disabled. The
# oceanbox.io/expose annotation is site-specific and its effect is not
# visible from this file. The CORS remark on the public ingress applies here
# too if this is ever enabled.
adminIngress:
  enabled: false
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-production
    nginx.ingress.kubernetes.io/enable-cors: "true"
    nginx.ingress.kubernetes.io/backend-protocol: HTTP
    nginx.ingress.kubernetes.io/proxy-buffer-size: 128k
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    oceanbox.io/expose: internal
  hostname: keycloak.adm.oceanbox.io
  ingressClassName: nginx
  path: /
  pathType: ImplementationSpecific
  selfSigned: false
  servicePort: http
  tls: true

# Disabled, so the master.json realm configuration below is not applied.
keycloakConfigCli:
  enabled: false
  configuration:
    master.json: |
      {
        "realm" : "master",
        "attributes": {
          "frontendUrl": "https://auth.oceanbox.io"
        }
      }

# Passed to the chart as a string (block scalar), so no comments are placed
# inside it. The container copies /theme/* into the shared "theme" volume.
# NOTE(review): the theme image is referenced by a mutable tag with
# imagePullPolicy Always, so its content can change between pod restarts
# without any change to this file. Pinning it by digest would make the code
# that runs next to the identity provider reproducible and reviewable.
initContainers: |
  - name: keycloak-theme-provider
    image: docker.io/juselius/oceanbox-theme:1.2
    imagePullPolicy: Always
    command:
      - sh
    args:
      - -c
      - |
        echo "Copying theme..."
        cp -R /theme/* /keycloak/themes/oceanbox
    volumeMounts:
      - name: theme
        mountPath: /keycloak/themes/oceanbox

# NOTE(review): the service account token is mounted into the Keycloak pods.
# Confirm that Keycloak actually needs Kubernetes API access in this setup
# (for example for cluster discovery); if not, turn both flags off so a
# compromised pod does not get API credentials.
automountServiceAccountToken: true
serviceAccount:
  create: true
  automountServiceAccountToken: true

# Extra manifests rendered together with the release.
extraDeploy:
  # PostgreSQL cluster (CloudNativePG), two instances, 10Gi each.
  - apiVersion: postgresql.cnpg.io/v1
    kind: Cluster
    metadata:
      name: prod-keycloak-db
      namespace: keycloak
    spec:
      instances: 2
      imageName: ghcr.io/cloudnative-pg/postgresql:17.2-27-bookworm
      storage:
        resizeInUseVolumes: true
        size: 10Gi

  # Backup target for the barman-cloud plugin; credentials come from the
  # cnpg-s3 Secret.
  # NOTE(review): endpointURL uses plain http, so database backups, WAL files
  # and the S3 credentials cross the network unencrypted. If the object store
  # offers TLS, switch to https (with endpointCA for a private CA). Otherwise
  # document why the network path is trusted.
  - apiVersion: barmancloud.cnpg.io/v1
    kind: ObjectStore
    metadata:
      name: tos-store
      namespace: keycloak
    spec:
      retentionPolicy: "7d"
      configuration:
        destinationPath: s3://cnpg/prod-keycloak-db
        endpointURL: http://10.255.241.30:30080
        s3Credentials:
          accessKeyId:
            name: cnpg-s3
            key: access_key
          secretAccessKey:
            name: cnpg-s3
            key: access_secret
        wal:
          compression: snappy

  # Scheduled backup through the barman-cloud plugin. The schedule has six
  # fields; presumably seconds come first, as CloudNativePG expects, which
  # gives a daily run at 01:00:00. Confirm.
  # NOTE(review): the Cluster above declares no plugins section that enables
  # barman-cloud or points at the tos-store ObjectStore. Unless that is
  # configured elsewhere, check that these backups really complete, and test
  # a restore.
  - apiVersion: postgresql.cnpg.io/v1
    kind: ScheduledBackup
    metadata:
      name: prod-keycloak-db
      namespace: keycloak
    spec:
      schedule: "0 0 1 * * *"
      backupOwnerReference: self
      cluster:
        name: prod-keycloak-db
      method: plugin
      pluginConfiguration:
        name: barman-cloud.cloudnative-pg.io

  # Prometheus scrape target for the database pods. Unlike the resources
  # above, no namespace is set here.
  - apiVersion: monitoring.coreos.com/v1
    kind: PodMonitor
    metadata:
      name: prod-keycloak-db-monitor
    spec:
      selector:
        matchLabels:
          cnpg.io/cluster: prod-keycloak-db
      podMetricsEndpoints:
        - port: metrics